## https://sploitus.com/exploit?id=1B7195B7-985B-564D-9528-5081EFBD2058
# ScaryByte R&D PoC for CVE-2024-55591

A comprehensive **all-in-one** Python-based Proof of Concept script to discover and exploit a critical authentication bypass vulnerability (CVE-2024-55591) in certain Fortinet devices. This script:

1. **Installs Missing Dependencies** automatically
2. **Optionally Scans** a target host for **open ports** using `nmap`  
3. **Performs Pre-flight Checks** to ensure the service is a Fortinet device and is vulnerable
4. **Exploits the WebSocket** interface to hijack a Telnet-like CLI session
5. **Runs an Initial or Multiple Commands** post-exploit
6. **Checks the Device Version** against known vulnerable ranges from [Fortinet PSIRT FG-IR-24-535](https://fortiguard.fortinet.com/psirt/FG-IR-24-535)

---

## Table of Contents

- [Vulnerability Summary](#vulnerability-summary)
- [Affected Versions](#affected-versions)
- [Pre-Requisites](#pre-requisites)
- [Usage](#usage)
  - [1. Clone & Install](#1-clone--install)
  - [2. Run the Script](#2-run-the-script)
  - [3. Follow the Wizard](#3-follow-the-wizard)
- [Features](#features)
  - [Automatic Dependency Installation](#automatic-dependency-installation)
  - [Optional Nmap SYN Scanning](#optional-nmap-syn-scanning)
  - [Multi-Port Testing](#multi-port-testing)
  - [Post-Exploitation Commands](#post-exploitation-commands)
  - [Version Parsing and Vulnerability Check](#version-parsing-and-vulnerability-check)
- [Example Walkthrough](#example-walkthrough)
  - [1. Initial Wizard Prompts](#1-initial-wizard-prompts)
  - [2. Nmap Results & Port Selection](#2-nmap-results--port-selection)
  - [3. Exploitation Flow](#3-exploitation-flow)
  - [4. Post-Exploitation Flow](#4-post-exploitation-flow)
- [Disclaimer](#disclaimer)

---

## Vulnerability Summary

CVE-2024-55591 is a critical authentication bypass in certain Fortinet products (FortiOS & FortiProxy). By exploiting a flaw in the WebSocket/Telnet management interface, an attacker can gain privileged CLI access without valid credentials.

## Affected Versions

According to the [Fortinet PSIRT Advisory (FG-IR-24-535)](https://fortiguard.fortinet.com/psirt/FG-IR-24-535), the following versions are known to be affected:

- **FortiOS**: 7.0.0 to 7.0.16
- **FortiProxy**: 7.0.0 to 7.0.19, 7.2.0 to 7.2.12

## Pre-Requisites

- Python 3.x
- (Optional) [Nmap](https://nmap.org/) for automatic port scanning
- Network access to the target device
- Sufficient privileges on your local machine to install missing Python packages (if needed)

## Usage

### 1. Clone & Install

```bash
git clone https://github.com/exfil0/CVE-2024-55591-POC.git
cd CVE-2024-55591-POC
```

### 2. Run the Script

```bash
python3 attack.py
```

When executed, the script **automatically** checks for missing Python dependencies (`requests`, `urllib3`) and attempts to install them.

### 3. Follow the Wizard

You will be prompted for:
1. **Target IP/Hostname**
2. Whether to **run Nmap** to find open ports
3. If multiple open ports are found, whether to test **ALL** or just **one**
4. Whether to use **SSL**
5. A **Command** to run initially (you can select from a pre-defined list or supply your own)
6. (Optional) Whether to run **post-exploitation** commands

Once you confirm, the script tests connectivity, checks vulnerability, upgrades the connection to WebSocket, and attempts the auth bypass.

---

## Features

### Automatic Dependency Installation

At startup, this script checks for `requests` and `urllib3`. If missing, it attempts to install them via `pip`.

### Optional Nmap SYN Scanning

If you choose, the script runs `nmap -sS -p- --min-rate 500 <host>` to discover open TCP ports, then either:
- Tries all the discovered ports
- Lets you pick one

### Multi-Port Testing

If multiple ports are discovered open, you can instruct the script to **test them all**. This is useful if Fortinet services are listening on non-standard ports.

### Post-Exploitation Commands

If the exploit succeeds, you can optionally run additional commands in the same Telnet session, such as:
- `diag sys top`
- `diag debug crashlog read`
- `execute shell`

You can modify these post-exploitation commands in the script to gather more advanced data.

### Version Parsing and Vulnerability Check

The script attempts to parse the device version from the output of `get system status` or `get system info`. If it matches a known vulnerable range, it notifies you.
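The version check can be reproduced on the defensive side without the PoC: an operator who already has `get system status` output from their own inventory can compare it against the affected ranges quoted above from FG-IR-24-535. The following is an added example, not code from the `attack.py` script or from ScaryByte; the `Version:` line format and the product detection rule (`FortiProxy` in the line means FortiProxy, anything else is treated as FortiOS) are assumptions, and the sample status output is constructed.

```python
import re

# Affected ranges exactly as this page quotes them from Fortinet PSIRT FG-IR-24-535.
# Each entry is an inclusive (low, high) pair of (major, minor, patch) tuples.
AFFECTED = {
    "FortiOS": [((7, 0, 0), (7, 0, 16))],
    "FortiProxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],
}

# Matches the "vX.Y.Z" token as it appears in a status Version: line (assumed format).
VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)")


def parse_version(status_output):
    """Return (product, (major, minor, patch)) from the first 'Version:' line.

    Returns None when no parsable Version: line is present. The product rule
    (FortiProxy if the line says so, FortiOS otherwise) is an assumption.
    """
    for line in status_output.splitlines():
        if not line.strip().lower().startswith("version:"):
            continue
        m = VERSION_RE.search(line)
        if not m:
            return None
        product = "FortiProxy" if "fortiproxy" in line.lower() else "FortiOS"
        return product, tuple(int(x) for x in m.groups())
    return None


def is_affected(product, version):
    """True when version falls inside any affected range for the product."""
    return any(lo <= version <= hi for lo, hi in AFFECTED.get(product, []))


def check_status_output(status_output):
    """Classify a captured status output as affected / not-affected / unknown."""
    parsed = parse_version(status_output)
    if parsed is None:
        return "unknown"
    product, version = parsed
    return "affected" if is_affected(product, version) else "not-affected"


# Constructed sample in the style of a FortiGate 'get system status' banner.
SAMPLE_STATUS = """Version: FortiGate-60F v7.0.14,build0601,240423 (GA.M)
Serial-Number: FGT60F-PLACEHOLDER
"""

if __name__ == "__main__":
    print(parse_version(SAMPLE_STATUS), check_status_output(SAMPLE_STATUS))
```

Run it against the saved output of `get system status` from each device in an inventory; anything reported as `affected` should be cross-checked against the advisory's fixed versions before being closed, and `unknown` means the banner format differs from the assumed one and needs a manual look.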

---

## Example Walkthrough

### 1. Initial Wizard Prompts

1. **Target IP**: e.g., `192.168.1.50`
2. **Nmap scan?**: `y` (Yes) to discover open ports
3. **SSL?**: Typically `y` if connecting via HTTPS/443
4. **Initial Command**: e.g., `get system status`
5. **Post-exploit commands**: `y` or `n`

### 2. Nmap Results & Port Selection

If Nmap finds multiple open ports, you can choose to test **all** ports automatically or pick a specific one.

### 3. Exploitation Flow

- The script checks if `/login?redir=/ng` returns Fortinet’s management interface
- The script checks if `service-worker.js?local_access_token=ScaryBYte` contains the substring `api/v2/static`
- If both checks pass, it attempts the WebSocket upgrade and sends a fake Telnet login context
- Once you have a Telnet-like CLI, you can run commands like `get system status`
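The two pre-flight requests above give a defender something concrete to look for in web access logs: a fetch of `service-worker.js` carrying a `local_access_token` query parameter. The following triage script is an added example and not part of the PoC; it parses constructed Common Log Format lines (the device's real log format will differ) and reports which sources issued that request. Whether the parameter ever appears in legitimate traffic on a given deployment is not established by this page, so treat hits as leads to review alongside the advisory's indicators rather than as confirmed compromise.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in Common Log Format. Not real device logs;
# the second line mirrors the PoC's pre-flight request described on this page.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2025:10:01:02 +0000] "GET /login?redir=/ng HTTP/1.1" 200 5120
203.0.113.7 - - [20/Jan/2025:10:01:03 +0000] "GET /service-worker.js?local_access_token=ScaryBYte HTTP/1.1" 200 871
198.51.100.4 - - [20/Jan/2025:10:05:40 +0000] "GET /login?redir=/ng HTTP/1.1" 200 5120
198.51.100.4 - - [20/Jan/2025:10:05:41 +0000] "GET /api/v2/cmdb/system/status HTTP/1.1" 200 1432
"""

# Minimal CLF parser: source, timestamp, method, request target, status code.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_clf(line):
    """Return a dict of fields for one CLF line, or None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_probe_fingerprint(target):
    """True when the request target is service-worker.js with a local_access_token parameter.

    The parameter name comes from the PoC's check quoted above; the value
    'ScaryBYte' is the PoC's own choice, so only the parameter name is matched.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/service-worker.js"):
        return False
    return "local_access_token" in parse_qs(parts.query)


def find_probe_sources(log_text):
    """Map each source address that matched the fingerprint to its request timestamps."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_probe_fingerprint(rec["target"]):
            hits[rec["src"]].append(rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for src, times in find_probe_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(times)} fingerprint request(s), first at {times[0]}")
```

The `/login?redir=/ng` request is deliberately not used as a signal on its own, since the page presents it as the normal management login page; it is the service-worker request with the token parameter that is specific to the PoC's pre-flight check. Matching on the parameter name rather than the `ScaryBYte` value keeps the rule from being defeated by a trivial rename.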

### 4. Post-Exploitation Flow

If **post-exploit** mode is enabled, the script sends additional debug or system commands. The output is collected and displayed in your console.

---

## Disclaimer

This Proof of Concept script is provided for **educational and testing** purposes **only**. Unauthorized exploitation of systems without explicit permission is illegal. Always ensure you have the appropriate approvals before scanning or testing any systems, and refer to [Fortinet’s Advisory (FG-IR-24-535)](https://fortiguard.fortinet.com/psirt/FG-IR-24-535) for patch information.