FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCE
CVE-2022-42475 is a heap-based buffer overflow in the SSL-VPN component of Fortinet FortiOS and FortiProxy. Affected versions are FortiOS 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, and 6.0.15 and earlier, as well as FortiProxy 7.2.0 through 7.2.1 and 7.0.7 and earlier. A remote, unauthenticated attacker can trigger the flaw by sending specially crafted requests to an exposed SSL-VPN service, gaining arbitrary code or command execution on the appliance. The vulnerability was exploited in the wild, including as a zero-day, against government and government-related targets. Post-compromise reporting describes FortiOS-tailored implants and malware families such as BOLDMOVE and COATHANGER being deployed after exploitation.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a Python exploit for CVE-2022-42475 (Fortinet FortiGate/FortiOS SSL-VPN pre-auth RCE) plus helper code and assembly shellcode. The main entry point is CVE-2022-42475.py, which builds a malicious HTTP request leveraging a Content-Length integer overflow (default set to 2^32+1) to trigger memory corruption in the SSL-VPN daemon (sslvpnd). It supports: (1) validate-only mode that attempts to crash/restart the service and heuristically reports vulnerability; (2) a simple callback mode that executes minimal shellcode which connects back and sends a marker string; and (3) a full exploit mode that uses a ROP chain to call functions like mprotect/calloc and AES routines, then runs shellcode that stages an AES-encrypted operator-supplied binary, writes it to /tmp/x, and execve()s it. The exploit can optionally route traffic through a local Burp proxy (127.0.0.1:8080) using an HTTP CONNECT tunnel. TLS is auto-enabled for common HTTPS ports (443/8443/10443) unless overridden. The ROP construction logic is encapsulated in foxrop.py (class ROP), which imports gadget/function addresses from an external JSON file (referenced in README as exploit_data.json). This repository is explicitly a redacted release: without the proprietary gadget/address data, full RCE is not directly usable across targets, though the structure clearly implements a real exploitation chain. Included shellcode sources: shellcode.s implements the full connect-back stager (socket/connect, hello byte exchange, receive size + encrypted payload, AES-CBC decrypt using imported function pointers, write to /tmp/x, then execve). shellcode_callback.s is a minimal proof-of-execution payload that connects back and writes a model/marker string (e.g., 'PWNED'). requirements.txt pins pycryptodome for AES operations used by the Python-side payload encryption and coordination.
This repository contains a proof-of-concept exploit for CVE-2022-42475, a heap overflow vulnerability in Fortinet's SSLVPN daemon. The main file, cve-2022-42475.py, is a Python script that constructs a ROP chain to exploit the vulnerability and achieve remote code execution. The exploit works by sending a specially crafted HTTP POST request to the /remote/error endpoint of the target Fortinet device over SSL. The payload triggers the heap overflow and executes a reverse shell, connecting back to the attacker's machine on port 31337. The attacker can specify arbitrary commands to be executed on the target. The repository is structured simply, with a README providing usage instructions and a single exploit script. The exploit requires the attacker to set up a listener to receive the reverse shell. No detection or scanning functionality is present; this is a direct exploit script.
This repository contains a proof-of-concept (POC) exploit for CVE-2022-42475, a heap overflow vulnerability in Fortinet's SSLVPN daemon (FortiOS). The main file, 'cve-2022-42475.py', is a Python script that constructs a ROP chain to execute a reverse shell payload on the target system. The exploit connects to the target's SSLVPN service over SSL, sends a specially crafted HTTP POST request to the '/remote/error' endpoint with a large payload designed to trigger the heap overflow, and attempts to execute a reverse shell back to the attacker's machine on port 31337. The payload uses /bin/python to create a socket and spawn /bin/sh, passing attacker-supplied arguments. The exploit is version dependent, with hardcoded offsets and addresses that may require adjustment for different target systems. The repository also includes a README.md that describes the exploit's limitations and version dependency. No detection scripts or fake code are present; this is a real exploit POC targeting a specific vulnerability in Fortinet FortiOS.
This repository contains a working exploit for CVE-2022-42475, a pre-authentication remote code execution vulnerability in Fortinet FortiOS SSL VPN. The main exploit script (CVE-2022-42475.py) is a Python3 tool that can operate in several modes: vulnerability validation (crash detection), benign connect-back shellcode execution, and full payload delivery (implant deployment). The exploit leverages a buffer overflow in the SSL VPN webserver, using a custom ROP chain (constructed via foxrop.py and a required gadgets JSON file) to execute custom shellcode (provided in shellcode.s). The shellcode connects back to the attacker's machine, receives an encrypted payload (such as a Sliver implant), writes it to /tmp/x, and executes it. The exploit is operational but requires the operator to supply valid ROP gadget addresses for the target FortiOS version and hardware model. The README provides detailed usage instructions, requirements, and example output. The exploit targets FortiOS 6.0.4 on 100D hardware for full functionality, but the validation mode works across more versions. The main attack vector is network-based, targeting the SSL VPN web interface via a crafted HTTP POST request to /remote/logincheck. The repository includes Python code, an assembly shellcode file, and a requirements.txt for dependencies.
This repository contains a proof-of-concept exploit for CVE-2022-42475, a heap buffer overflow vulnerability in Fortinet's FortiOS SSL-VPN daemon. The main exploit script, 'cve-2022-42475.py', is a Python script that constructs a ROP chain to execute a reverse shell payload. The exploit targets the '/remote/error' endpoint of the SSLVPN service over SSL, sending a specially crafted POST request with a large payload to trigger the vulnerability. The payload includes hardcoded memory offsets and gadgets, making it highly version dependent and likely requiring adjustment for different target systems. Upon successful exploitation, the script establishes a reverse shell from the target to the attacker's machine on port 31337, executing a user-supplied command. The repository also includes a README with usage instructions and a disclaimer. No detection scripts or fake code are present; this is a functional exploit with operational-level maturity.
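The write-ups above share two observable traits: POST requests to the SSL-VPN endpoints /remote/error and /remote/logincheck, and a Content-Length chosen to overflow a 32-bit integer (2^32+1). As an added example, not code from the page or from any of the repositories it describes, the following check flags such requests in a constructed access-log format (method, path, Content-Length per line; not FortiOS's own log format) so a defender can hunt for them in proxy or edge logs.

```python
import re
from typing import List, Optional

# Constructed sample log lines (not a real FortiOS log format):
# "METHOD PATH CONTENT_LENGTH", one request per line.
SAMPLE_LOG = """\
POST /remote/login 312
POST /remote/error 4294967297
POST /remote/logincheck 4294967296
GET /remote/error 0
POST /remote/error abc
POST /remote/error 1024
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<clen>\S+)$")

# SSL-VPN endpoints named in the exploit descriptions on this page.
SSLVPN_PATHS = {"/remote/error", "/remote/logincheck"}
UINT32_MAX = 2**32 - 1


def classify(line: str) -> Optional[str]:
    """Return a finding for a suspicious SSL-VPN POST, or None if benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    method, path, clen = m.group("method", "path", "clen")
    if method != "POST" or path not in SSLVPN_PATHS:
        return None
    if not clen.isdigit():
        # A Content-Length that is not a plain decimal is itself anomalous.
        return f"non-numeric Content-Length {clen!r} to {path}"
    n = int(clen)
    if n > UINT32_MAX:
        # Report what the value would become if truncated to 32 bits,
        # which is the condition the exploit write-ups describe.
        return f"Content-Length {n} exceeds 32-bit range to {path} (wraps to {n & UINT32_MAX})"
    return None


def scan(log: str) -> List[str]:
    """Run classify() over every line and collect the findings."""
    return [f for f in (classify(l) for l in log.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```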
Recent activity
43 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Fortinet FortiOS remote code execution vulnerability (CVE-2022-42475) that MuddyWater reportedly attempted to scan and/or exploit.
A remote code execution vulnerability in Fortinet FortiOS that MuddyWater targeted in attempts to gain command execution on edge devices.
A Fortinet FortiOS vulnerability referenced as previously exploited in Iran-affiliated threat campaigns and listed in CISA KEV.
A likely exploited FortiGate vulnerability used in the initial access phase of a mass exploitation campaign against FortiGate firewalls.