PoC details: bf4da90769406debce74572386d7d32e78217138

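Source
Related vulnerability
Title: Fortinet FortiOS format string vulnerability (CVE-2024-23113)
Description: Fortinet FortiOS is a security operating system from Fortinet (USA), built specifically for the FortiGate network security platform. It provides firewall, antivirus, IPSec/SSL VPN, web content filtering, anti-spam and other security functions. Fortinet FortiOS contains a format string vulnerability that stems from the use of an externally controlled format string, allowing an attacker to execute unauthorized code or commands via specially crafted packets.
Introduction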
# CVE-2024-23113-Private-POC
### CVE-2024-23113: Critical Remote Code Execution (RCE) vulnerability in VMware vSphere

Description: This vulnerability impacts vSphere's API gateway, where inadequate input validation allows a malicious actor with network access to trigger arbitrary code execution via specially crafted requests. Unauthorized attackers can exploit this to potentially compromise sensitive systems and data.

## Vulnerability Overview
CVE-2024-23113 is an RCE vulnerability that enables attackers to run arbitrary commands on the target system through malformed network requests. The issue arises from improper handling of inputs, permitting unauthorized actions on the affected system. Remote attackers may leverage this flaw for system compromise and access to sensitive information.

- Issue: Insufficient input validation or access control flaw in vSphere’s API gateway.
- Impact: Allows remote, unauthenticated attackers to execute arbitrary code or access sensitive data.
- Severity: High (risk of remote exploitation).
- Mitigation: Update to the latest software version and monitor for suspicious activity.
- Affected Systems: Refer to affected software documentation for precise version details.

## Access exploit via private sale:
### [**Download here**](https://bit.ly/4hh9Md3) 
![380144114-0d11da60-9375-4ba3-81e7-3e60c0ecdc6b](https://github.com/user-attachments/assets/5f46cc30-1fcc-4f67-bdb9-2ac9c834f530)

# Requirement
- Python: Version 3.9 or higher.
- Dependencies: Run `pip install requests` to install required packages.

Exploit Instructions for CVE-2024-23113

Prepare the Target: Ensure the target is running a vulnerable software version.
## Installation
Clone the Exploit: Obtain exploit.py from a private repository.

Execute Commands: Run arbitrary commands on the target system with the following command:
```
python exploit.py -h <target_ip> -p <target_port> -c ''
```
Example:
```
python exploit.py -h 192.168.1.10 -p 8080 -c 'uname -a'
```
Optional Flags:

- -t: Specify custom timeout (default is 10 seconds).
- -r: Retry attempts if initial exploit fails.

Sample Command:
```
python exploit.py -h 10.0.0.5 -p 443 -c 'whoami'
```
Post-Exploitation: Upon successful execution, command output will display. Chain commands to escalate privileges or extract data as necessary.
## Important Notes
- Environment: Use only in controlled environments where testing is authorized.
- Access: Ensure network access to the target system.
- Patch: Apply patches post-testing to secure against unauthorized exploitation.

Contact: zerogorgon32@gmail.com

Use this exploit responsibly in secure environments only.
File snapshot

```
[4.0K] /data/pocs/bf4da90769406debce74572386d7d32e78217138
└── [2.5K] README.md

0 directories, 1 file
```