264 - Checkpoint Firewall

💡 学习提示: 本文档介绍 264 - 264 Check Point Firewall 1 的渗透测试方法，适合信息安全初学者和从业人员参考。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

# 264/tcp - 渗透测试 Check Point 防火墙

It’s possible to interact with CheckPoint 防火墙-1 firewalls to discover valuable information such as the firewall’s name and the management station’s name. This can be done by sending a query to the port 264/TCP.

Obtaining 防火墙 and Management Station Names

Using a pre-authentication request, you can execute a module that targets the CheckPoint 防火墙-1. The necessary commands for this operation are outlined below:

use auxiliary/gather/checkpoint_hostname
set RHOST 10.10.10.10

Upon execution, the module attempts to contact the firewall’s SecuRemote Topology service. If successful, it confirms the presence of a CheckPoint 防火墙 and retrieves the names of both the firewall and the SmartCenter management host. Here’s an example of what the output might look like:

[*] Attempting to contact Checkpoint FW1 SecuRemote Topology service...
[+] Appears to be a CheckPoint Firewall...
[+] Firewall Host: FIREFIGHTER-SEC
[+] SmartCenter Host: FIREFIGHTER-MGMT.example.com
[*] Auxiliary module execution completed

Alternative Method for Hostname and ICA Name Discovery

Another technique involves a direct command that sends a specific query to the firewall and parses the response to extract the firewall’s hostname and ICA name. The command and its structure are as follows:

printf '\x51\x00\x00\x00\x00\x00\x00\x21\x00\x00\x00\x0bsecuremote\x00' | nc -q 1 10.10.10.10 264 | grep -a CN | cut -c 2-

The output from this command provides detailed information regarding the firewall’s certificate name (CN) and organization (O), as demonstrated below:

CN=Panama,O=MGMTT.srv.rxfrmi

HTTP 安全服务器 Format String Bug (CAN-2004-0039)

Affected builds: NG FCS, NG FP1, NG FP2, NG FP3 HF2, and NG with Application Intelligence R54/R55.
Requirement: The HTTP 安全服务器 or AI HTTP proxy must be enabled and transparently inspecting the targeted port; if HTTP inspection is disabled the vulnerable code path is never reached.

Triggering the error handler

The proxy rejects malformed HTTP messages and builds its own error page with sprintf(errbuf, attacker_string);, letting attacker-controlled bytes act as the format string. Send an invalid request through the firewall and look for a proxy-generated error that reflects your payload:

printf 'BOGUS%%08x%%08x%%08x%%n HTTP/1.0\r\nHost: internal.local\r\n\r\n' | nc -nv [FIREWALL_IP] 80

If HTTP inspection is active, the firewall (not the backend server) answers immediately, proving the middlebox parsed and replayed the request line.

漏洞利用

Format string primitive

Force the parser into the error routine (invalid method, URI, or headers).
Place attacker-controlled dwords up front so %x, %s, and %n directives treat them as stack arguments.
Use %x/%s to leak pointers, then %n/%hn to write the formatted byte count into chosen addresses, overwriting return pointers, vtables, or heap metadata before hijacking execution with injected shellcode or ROP.

Heap overflow primitive

The same unsafe sprintf() writes into a fixed-size heap buffer. Mix a long request body with oversized directives (e.g., %99999x) so the formatted output overruns the allocation and corrupts adjacent heap structures, letting you forge freelist pointers or function tables that are later dereferenced.

Impact

Compromise of the proxy grants code execution inside the firewall process (SYSTEM on Windows appliances, root on UNIX), enabling rule manipulation, traffic interception, and pivoting deeper into the management network.

搜索引擎语法

FOFA

# FOFA 搜索语法
port="264"

Shodan

# Shodan 搜索语法
port:264

ZoomEye

# ZoomEye 搜索语法
port:264

📖 参考资料

HackTricks - 264-checkpoint-firewall