Project

General

Profile

Download (1.37 KB)

Bug #6886 » cve-2024-21762-check-modified.py

modified CVE checker script that fires a plain HTTP POST request with an invalid chunk length - Tony Robinson, 03/22/2024 02:21 PM

 
import socket
import ssl
import sys
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.check_hostname=False
context.verify_mode=ssl.CERT_NONE

# should be fine for most hosts, increase this if you're getting errors.
TIMEOUT=5

def send_req(host, req):
try:
s=socket.create_connection(host, timeout=5)
except: return -1
#ss=context.wrap_socket(s)
s.send(req)
try:
return s.recv(2048)
except socket.timeout:
return 0

control_req="""POST /remote/VULNCHECK HTTP/1.1\r
Host: {}\r
Transfer-Encoding: chunked\r
\r
0\r
\r
\r
"""

check_req="""POST /remote/VULNCHECK HTTP/1.1\r
Host: {}\r
Transfer-Encoding: chunked\r
\r
0000000000000000FF\r
\r
"""
def check(host):
baseurl="http://{}:{}".format(*host)
r1=send_req(host, control_req.format(baseurl).encode())
if r1==-1:
return "Connection Failed"
if r1==0:
return "Control request failed"
return
if b"HTTP/1.1 403 Forbidden" not in r1:
print("[warning] Server does not look like a Fortinet SSL VPN interface")
r2=send_req(host, check_req.format(baseurl).encode())
if r2==0: return "Vulnerable"
else: return "Patched"

if __name__=="__main__":
try:
host=sys.argv[1]
port=int(sys.argv[2])
except:
print("Usage: check-cve-2024-21762.py <host> <port>")
exit()
HOST=(host,port)
print(check(HOST))

(1-1/5)