Fortinet FortiOS/FortiProxy SSL VPN Out-of-Bounds Write RCE
CVE-2024-21762 is a critical out-of-bounds write vulnerability in Fortinet FortiOS and FortiProxy, affecting the SSL VPN component (identified in reporting as the sslvpnd daemon). The flaw allows a remote, unauthenticated attacker to trigger memory corruption by sending specially crafted HTTP requests to a vulnerable device. Successful exploitation can result in execution of arbitrary code or commands on the appliance. Affected versions include FortiOS 7.4.0-7.4.2, 7.2.0-7.2.6, 7.0.0-7.0.13, 6.4.0-6.4.14, 6.2.0-6.2.15, and 6.0.0-6.0.17; and FortiProxy 7.4.0-7.4.2, 7.2.0-7.2.8, 7.0.0-7.0.14, 2.0.0-2.0.13, 1.2.0-1.2.13, 1.1.0-1.1.6, and 1.0.0-1.0.7. Multiple tracked sources state that the issue lies in the SSL VPN path and that exploitation has been observed in the wild.
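As an added example (not code from the advisory or from Fortinet), a small triage helper that encodes the affected version ranges listed above and checks an asset inventory against them. The inventory tuple layout and the sample hostnames are assumptions.

```python
"""Check whether a FortiOS / FortiProxy version lies inside one of the
affected ranges the advisory lists for CVE-2024-21762."""

# Inclusive (lowest, highest) affected ranges, copied from the advisory text.
AFFECTED = {
    "FortiOS": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.6"), ("7.0.0", "7.0.13"),
                ("6.4.0", "6.4.14"), ("6.2.0", "6.2.15"), ("6.0.0", "6.0.17")],
    "FortiProxy": [("7.4.0", "7.4.2"), ("7.2.0", "7.2.8"), ("7.0.0", "7.0.14"),
                   ("2.0.0", "2.0.13"), ("1.2.0", "1.2.13"), ("1.1.0", "1.1.6"),
                   ("1.0.0", "1.0.7")],
}


def parse_version(text):
    """Turn 'v7.0.13' / '7.0.13' / '7.0' into a 3-tuple of ints for comparison.

    Non-numeric components are rejected rather than silently treated as 0,
    so a malformed inventory entry cannot be mis-triaged as unaffected.
    """
    parts = text.strip().lower().lstrip("v").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # '7.0' -> (7, 0, 0)


def is_affected(product, version):
    """True when version falls inside an affected range for the product."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi)
               for lo, hi in AFFECTED[product])


def triage(inventory):
    """inventory: iterable of (hostname, product, version) from an asset list.

    Returns the hostnames that still run an affected build and need the
    vendor patch (or an interim mitigation) first.
    """
    return [host for host, product, version in inventory
            if is_affected(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory (assumed hostnames, not real devices).
    sample = [("fw-edge-1", "FortiOS", "7.0.13"),
              ("fw-edge-2", "FortiOS", "7.0.14"),
              ("proxy-1", "FortiProxy", "v1.1.6")]
    print(triage(sample))  # ['fw-edge-1', 'proxy-1']
```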
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
Repository contains a single Python exploit script (exploit.py) plus a minimal README with example usage.
Key structure/purpose:
- README.md: shows how to run the tool against a single target with a callback IP/port.
- exploit.py: a network-based exploitation tool that connects via raw TCP sockets to a specified IP:PORT and sends an HTTP POST request to /remote/hostcheck_validate. The request includes Fortinet-like headers (FortiSSLVPNClient/6.4.0 User-Agent and SVPNCOOKIE) and a form-encoded body.
Exploit capabilities:
- Single-target mode (--target IP:PORT): sends one exploit attempt and prints a monitoring hint.
- Batch mode (--input file, --output file): iterates over multiple IP:PORT entries, attempts exploitation, and writes per-target results.
- Payload delivery: injects a bash reverse shell command into a form field (host=...) and repeats it to increase the likelihood of triggering parsing/overflow conditions (though no actual memory corruption/ROP is implemented in the active code).
- Evidence collection: captures and writes the HTTP response to last_response.txt.
Notable code notes:
- There are commented-out sections suggesting an earlier/alternate approach involving a Node.js one-liner HTTP callback (require('http').get(...)) and a second chunked request intended to overflow a stack return pointer ("ROP_SIMULATION"), but these are not executed in the current version.
- The active exploit is best characterized as an RCE command-injection attempt over HTTP with a reverse-shell payload, rather than a complete ROP exploit.
Repository contains a single Python proof-of-concept exploit (poc.py) plus README/license/gitignore. It targets CVE-2024-21762 (Fortinet FortiOS/FortiProxy SSL-VPN) and performs an unauthenticated network attack against the SSL-VPN web service.
Key behavior in poc.py:
- Establishes a raw TCP socket to TARGET on port 443 and sends handcrafted HTTP requests (no TLS handling in code; it assumes the service accepts the raw bytes as sent).
- Stage 1: Sends a large form-encoded POST to /remote/hostcheck_validate. The form value embeds a ROP chain and multiple hardcoded gadget/function pointers (e.g., pivots, call_execl, ssl_do_handshake_ptr, getcwd_ptr). The ROP chain is designed to pivot the stack and invoke execl.
- Payload: Uses execl to run /bin/node with -e and a JavaScript snippet that calls child_process.execSync("nslookup xxxxxxxxxxx.oastify.com"). This provides an out-of-band DNS signal indicating code execution.
- Stage 2: After a short sleep, sends a second POST / request with Transfer-Encoding: chunked and a malformed chunk body ("0"*4137 + NUL + "A" + CRLFCRLF) intended to trigger the underlying out-of-bounds write in chunk parsing/handling described in the README.
Overall purpose: a functional RCE PoC demonstrating the exploitation flow (two-request sequence) and a basic verification payload (DNS callback). The exploit is not a scanner/detector; it attempts to achieve code execution. Hardcoded addresses/gadgets imply it is build/version dependent and may require adjustment for specific FortiOS/FortiProxy versions.
Repository contains a single Python tool (EXPLOIT.py) plus README and MIT LICENSE. The script implements both detection and attempted exploitation of CVE-2024-21762 (Fortinet FortiOS/FortiGate SSL-VPN sslvpnd out-of-bounds write) over the network via a raw TLS socket. Core behavior: (1) establishes a TLS connection to the target (default port 443, configurable) with certificate verification disabled; (2) sends a crafted HTTP POST to /remote/logincheck using 'Transfer-Encoding: chunked' with a malformed chunk intended to trigger the vulnerable parser; (3) determines likely vulnerability by observing abnormal server behavior (e.g., empty reply/abrupt close, timeouts, TLS alerts, connection reset). The tool also includes an exploitation path that embeds a bash reverse-shell command into the chunked body and supports an '--auto' mode that runs detection then exploitation if the target appears vulnerable, prompting for LHOST/LPORT if not provided. README documents affected FortiOS version ranges, usage flags, and listener commands (nc/ncat).
This repository provides a proof-of-concept (PoC) exploit and scanner for CVE-2024-21762, a critical vulnerability in Fortinet FortiOS SSL VPN's /remote/hostcheck_validate endpoint. The repository contains three main Python scripts:
1. poc_rce.py: The primary exploit script, which sends a crafted POST request to the vulnerable endpoint with a bash reverse shell payload injected into the 'host' parameter. It supports both single-target and batch modes, allowing for automated exploitation attempts against multiple FortiGate SSL VPN instances. The script saves the HTTP response from the target to 'last_response.txt' for analysis.
2. poc_check.py: A vulnerability checker that scans multiple IPs and ports to determine if they are likely vulnerable to CVE-2024-21762. It uses custom POST requests to the /remote/VULNCHECK endpoint and analyzes the responses to distinguish between vulnerable and patched systems.
3. http_c2_server.py: A simple HTTP-based command-and-control (C2) server that can be used to receive reverse shell connections or command output from exploited targets. It listens for incoming connections and can send commands to compromised systems.
The exploit is operational, delivering a functional reverse shell payload if the target is vulnerable. The repository is well-structured, with clear separation between exploitation, detection, and C2 components. The README provides detailed usage instructions, requirements, and legal disclaimers. The main attack vector is network-based, targeting exposed FortiGate SSL VPN interfaces over HTTPS.
This repository contains a Python proof-of-concept exploit for CVE-2024-21762, a remote code execution vulnerability in Fortinet FortiGate firewalls. The main file, PoC.py, crafts and sends two custom HTTP POST requests to the target device, specifically targeting the /remote/hostcheck_validate endpoint. The exploit constructs a complex payload using a custom ROP chain and form values designed to trigger code execution on the target. The script uses raw sockets to connect to the target on port 80 and sends the malicious requests. The README.md provides context about the vulnerability, usage instructions, and a disclaimer. No hardcoded credentials or external network addresses are present, but the script requires the user to specify the target IP address. The exploit demonstrates remote code execution capabilities but does not include a weaponized or easily customizable payload beyond the provided ROP chain and placeholders.
This repository contains a working exploit for CVE-2024-21762, a critical out-of-bounds write vulnerability in Fortinet FortiOS (FortiGate) SSL VPN. The exploit is implemented in a single Python script (poc.py) and is accompanied by a detailed README.md that explains the vulnerability, exploitation process, and technical background. The exploit works by sending two specially crafted HTTP POST requests to the target FortiGate device's SSL VPN endpoints. The first request targets '/remote/hostcheck_validate' with a large, precisely constructed payload that leverages ROP chains and memory manipulation to achieve code execution. The second request abuses chunked transfer encoding to trigger the vulnerability. The payload executed on the target can be a system command (e.g., nslookup to an attacker-controlled domain for OOB verification) or a reverse shell using Node.js, demonstrating the exploit's flexibility.
The repository is structured as follows:
- README.md: Provides a comprehensive technical write-up, including vulnerability analysis, binary diffing, and exploitation details.
- poc.py: The main exploit script, which is self-contained and requires the user to specify the target IP and (optionally) the attacker-controlled domain or reverse shell parameters.
The exploit targets FortiOS versions prior to the patch for CVE-2024-21762 and requires the SSL VPN service to be accessible. The attack vector is network-based, and the exploit demonstrates both command execution and reverse shell capabilities. Several fingerprintable endpoints and example IPs/domains are present in the code and documentation.
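As an added, defender-side example (not code from any of the repositories summarised above): a heuristic that scans a constructed JSON access log for the request shapes those PoCs share, namely chunked or oversized POSTs to /remote/hostcheck_validate and /remote/logincheck, hits on the /remote/VULNCHECK checker path, and /remote/ requests the daemon never answered. The log format, its field names and BODY_LIMIT are assumptions; baseline them against your own FortiClient traffic before alerting on them.

```python
"""Flag requests to the SSL VPN endpoints named in the exploit write-ups
above, using only request metadata from a (constructed) JSON access log."""
import json

# POST targets used by the public PoCs summarised above.
WATCHED_PATHS = {"/remote/hostcheck_validate", "/remote/logincheck"}
# Path used by one PoC's vulnerability checker; not a normal SSL VPN route.
PROBE_PATH = "/remote/VULNCHECK"
# Assumed threshold: legitimate host-check forms are small; tune per deployment.
BODY_LIMIT = 4096


def classify(rec):
    """Return the reasons one request record looks like CVE-2024-21762 activity."""
    reasons = []
    path = rec.get("path", "")
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if rec.get("method") == "POST" and path in WATCHED_PATHS:
        if "chunked" in headers.get("transfer-encoding", "").lower():
            reasons.append("chunked POST to SSL VPN endpoint")
        if rec.get("body_bytes", 0) > BODY_LIMIT:
            reasons.append("oversized POST body to SSL VPN endpoint")
    if path == PROBE_PATH:
        reasons.append("probe of non-standard /remote/VULNCHECK path")
    if rec.get("status") is None and path.startswith("/remote/"):
        # No status recorded: the daemon closed or died before answering.
        reasons.append("no response on /remote/ request (possible daemon crash)")
    return reasons


def scan(lines):
    """Group alert reasons by source address over an iterable of JSON log lines."""
    alerts = {}
    for line in lines:
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            alerts.setdefault(rec["src"], []).extend(reasons)
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '{"src":"203.0.113.9","method":"POST","path":"/remote/hostcheck_validate",'
    '"headers":{"Transfer-Encoding":"chunked"},"body_bytes":4200,"status":null}',
    '{"src":"198.51.100.4","method":"POST","path":"/remote/logincheck",'
    '"headers":{"Content-Type":"application/x-www-form-urlencoded"},"body_bytes":120,"status":200}',
    '{"src":"203.0.113.9","method":"GET","path":"/remote/VULNCHECK","headers":{},"body_bytes":0,"status":404}',
]
```

Running scan(SAMPLE_LOG) yields four reasons for 203.0.113.9 and nothing for the ordinary login from 198.51.100.4.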
Affected products & vendors
Recent activity
48 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Fortinet appliance vulnerability exploited for initial access.
A critical out-of-bounds write vulnerability affecting FortiOS SSL VPN.
A remote code execution vulnerability in Fortinet FortiOS SSL VPN involving an out-of-bounds write.
An out-of-bounds write vulnerability in Fortinet FortiOS via SSL-VPN.