From 6e77ae7e3e70a626fc71dbcc997fb904b88e0a3f Mon Sep 17 00:00:00 2001
From: William Vu
Date: Wed, 12 Dec 2018 15:36:32 -0600
Subject: [PATCH] Update my SSH scanner modules

Especially with proper error handling for Net::SSH::CommandStream.
---
 .../auxiliary/scanner/ssh/fortinet_backdoor.rb | 16 +++++++++++++---
 .../auxiliary/scanner/ssh/libssh_auth_bypass.rb | 4 +++-
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
index 9de0acb9c4..2a939dbed7 100644
--- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
+++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
@@ -4,6 +4,7 @@
 ##
 
 class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::SSH
   include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::CommandShell
 
@@ -81,15 +82,23 @@ class MetasploitModule < Msf::Auxiliary
 
     shell = Net::SSH::CommandStream.new(ssh)
 
-    return unless shell
+    # XXX: Wait for CommandStream to log a channel request failure
+    sleep 0.1
 
-    info = "Fortinet SSH Backdoor (#{version})"
+    if (e = shell.error)
+      print_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
+      return
+    end
+
+    info = "#{self.name} (#{version})"
 
     ds_merge = {
       'USERNAME' => 'Fortimanager_Access'
     }
 
-    start_session(self, info, ds_merge, false, shell.lsock) if datastore['CreateSession']
+    if datastore['CreateSession']
+      start_session(self, info, ds_merge, false, shell.lsock)
+    end
 
     # XXX: Ruby segfaults if we don't remove the SSH socket
     remove_socket(ssh.transport.socket)
@@ -98,4 +107,5 @@ class MetasploitModule < Msf::Auxiliary
   def rport
     datastore['RPORT']
   end
+
 end
diff --git a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb
index 01c6781004..102cedbdaf 100644
--- a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb
+++ b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb
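Review bot: The new early `return` inside `if (e = shell.error)` in the second fortinet_backdoor.rb hunk skips the `remove_socket(ssh.transport.socket)` call a few lines below it, which the existing comment says is needed to avoid a Ruby segfault; unless the transport is already torn down on that path, the cleanup should run before the method exits, e.g. by placing `remove_socket(ssh.transport.socket)` ahead of `return` or by moving the tail of the method into an `ensure`. The fixed `sleep 0.1` before reading `shell.error` is also a race: if the channel-request failure is recorded asynchronously, as the comment above it suggests, a slow target may not have set it within 100 ms and the scanner would continue to `start_session` with a shell that never opened, so a bounded poll on `shell.error` would be more robust than a single sleep. The enclosing method starts before and ends after this hunk.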
@@ -137,7 +137,9 @@ class MetasploitModule < Msf::Auxiliary
     case action.name
     when 'Shell'
-      start_session(self, "#{self.name} (#{version})", {}, false, shell.lsock)
+      if datastore['CreateSession']
+        start_session(self, "#{self.name} (#{version})", {}, false, shell.lsock)
+      end
     when 'Execute'
       output = shell.channel && (shell.channel[:data] || '').chomp