check-cve-2024-21762.py

import socket
import ssl
import sys
import logging

context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.check_hostname=False
context.verify_mode=ssl.CERT_NONE

# should be fine for most hosts, increase this if you're getting errors.
TIMEOUT=5

# Define the filename to save vulnerable IPs
VULN_IP_FILE = 'vuln_ips.txt'

# Configure logging
logging.basicConfig(filename='scan_log.txt', level=logging.INFO, format='%(asctime)s %(levelname)s: %(message)s')

def send_req(host, req):
    try:
        s=socket.create_connection(host, timeout=5)
    except Exception as e:
        logging.error(f"Error connecting to {host}: {e}")
        return -1
    ss=context.wrap_socket(s)
    ss.send(req)
    try:
        return ss.read(2048)
    except socket.timeout:
        logging.error(f"Timeout while reading from {host}")
        return 0
    except Exception as e:
        logging.error(f"Error reading from {host}: {e}")
        return -1

control_req="""POST /remote/VULNCHECK HTTP/1.1\r
Host: {}\r
Transfer-Encoding: chunked\r
\r
0\r
\r
\r
"""

check_req="""POST /remote/VULNCHECK HTTP/1.1\r
Host: {}\r
Transfer-Encoding: chunked\r
\r
0000000000000000FF\r
\r
"""

def check(host):
    baseurl="https://{}:{}".format(*host)
    r1=send_req(host, control_req.format(baseurl).encode())
    if r1==-1:
        return "Connection Failed"
    if r1==0:
        return "Control request failed"
    if b"HTTP/1.1 403 Forbidden" not in r1:
        logging.warning(f"Server at {baseurl} does not look like a Fortinet SSL VPN interface")
    r2=send_req(host, check_req.format(baseurl).encode())
    if r2==0:
        # Save vulnerable IP to file
        with open(VULN_IP_FILE, 'a') as f:
            f.write(f"{host[0]}:{host[1]}\n")
        return "\033[1;31mVulnerable\033[0m"  # Red color for Vulnerable
    else:
        return "\033[1;32mPatched\033[0m"     # Green color for Patched

if __name__=="__main__":
    if len(sys.argv) == 3:
        host = (sys.argv[1], int(sys.argv[2]))
        print(check(host))
    elif len(sys.argv) == 2:
        input_file = sys.argv[1]

        with open(input_file, 'r') as file:
            host_urls = file.readlines()

        for idx, url in enumerate(host_urls, start=1):
            url = url.strip()
            if not url:
                continue

            parts = url.split(':')
            host = (parts[0], int(parts[1]))

            print(f"Scanning {url} ({idx}/{len(host_urls)})...", end=' ')
            try:
                result = check(host)
                print(result)

                if result == "Connection Failed":
                    logging.error(f"Connection failed for {url}")
                elif result == "Control request failed":
                    logging.error(f"Control request failed for {url}")
            except Exception as e:
                logging.error(f"Error scanning {url}: {e}")
                continue  # Skip to the next IP if there's an error
    else:
        print("Usage:")
        print("For single check: python3 script.py <host> <port>")
        print("For mass scanning: python3 script.py <host_URL.txt>")
        print("added a constant VULN_IP_FILE to specify the filename to save vulnerable IPs (vuln_ips.txt)")
        print("added a try-except block around the check(host) function call inside the loop for mass scanning")