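#!/usr/bin/env python3
"""Check an HTTP server for CVE-2000-0649 (http-internal-ip-disclosure).

The script sends an HTTP/1.0 GET request without a Host header to port 80
and looks for a dotted-quad address in the Location response header.
"""
import argparse
import ipaddress
import re
import socket
import sys

HTTP_PORT = 80
SOCKET_TIMEOUT = 10  # seconds; without it a silent host blocks the script forever
MAX_HEADER_BYTES = 65536  # upper bound on how much of the response is read


def _read_response_head(sock):
    """Read from *sock* until the header block ends, the peer closes, or the cap is hit."""
    data = bytearray()
    while len(data) < MAX_HEADER_BYTES and b"\r\n\r\n" not in data:
        chunk = sock.recv(4096)
        # recv() signals a closed connection with b"", never with None.
        if not chunk:
            break
        data += chunk
    return bytes(data)


def _header_line(head, name):
    """Return the full '<name>: value' line from the header text *head*, or None."""
    match = re.search(
        r"^%s:.*$" % re.escape(name), head, re.IGNORECASE | re.MULTILINE
    )
    # '.' also matches the '\r' of the CRLF line ending, so strip it.
    return match.group().rstrip("\r") if match else None


def _disclosed_address(location):
    """Return the first valid IPv4 address found in *location*, or None."""
    match = re.search(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})", location)
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group())
    except ValueError:
        # The pattern also matches strings such as 999.1.1.1 that are not addresses.
        return None


def main():
    """Parse the command line, query the target once and print the verdict."""
    parser = argparse.ArgumentParser(
        description="Script to test a URL vulnerable to CVE-2000-0649"
    )
    parser.add_argument("url", help="URL to be tested", type=str)
    parser.add_argument("--path", "-p", help="Path to be tested", type=str)
    parser.add_argument(
        "--verbose",
        "-v",
        help="Show HTTP header sent and HTTP Response",
        action="store_true",
    )
    args = parser.parse_args()

    target = args.url
    if "https://" in target:
        # Stop here: the original fell through and tried to resolve
        # "https://host" as a host name.
        print("\nHTTPS is not vulnerable to CVE-2000-0649\nTry HTTP instead")
        return
    target = target.replace("http://", "")

    # Separate the host from any path given as part of the URL so that
    # "http://host/images" connects to "host" instead of failing to resolve.
    host, _, url_path = target.partition("/")
    if not host:
        parser.error("url must contain a host name")

    if args.path:
        path = args.path if args.path.startswith("/") else "/" + args.path
    elif url_path:
        path = "/" + url_path
    else:
        path = "/"

    # HTTP/1.0 request with no Host header, as in the original check.
    request = "GET " + str(path) + " HTTP/1.0\r\n\r\n"
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(SOCKET_TIMEOUT)
            sock.connect((host, HTTP_PORT))
            sock.sendall(request.encode())
            raw_response = _read_response_head(sock)
    except OSError as exc:
        print(
            "\nNo response received from host %s" % exc
            + "\nThe path must be included with --path argument...\n"
        )
        return

    if not raw_response:
        print(
            "\nNo response received from host, connection closed..."
            "\nThe path must be included with --path argument...\n"
        )
        return

    # A body chunk may contain non-UTF-8 bytes; never crash on decoding.
    response = raw_response.decode(errors="replace")
    # Only the header section is inspected, so body text cannot be mistaken
    # for a Location or Server header.
    head = response.split("\r\n\r\n", 1)[0]
    location = _header_line(head, "Location")
    server = _header_line(head, "Server")
    address = _disclosed_address(location) if location else None

    print("\nTarget: http://" + host + path)
    if address is not None and address.is_private:
        # is_private covers RFC 1918 and other non-public ranges; only such an
        # address is reported as an internal-address disclosure.
        print("Vulnerable to CVE-2000-0649 (http-internal-ip-disclosure)")
        print("Internal IP address exposed on response header")
        print("Reference: https://securitytracker.com/id/1002188")
        print("\nServer's local IP address: " + str(address))
        if server is not None:
            print("Web " + server + "\n")
        else:
            print("Server header not present in response\n")
    elif address is not None:
        # A public address in Location (for example the address the user
        # already connected to) is not an internal disclosure.
        print(
            "Location header contains IP address "
            + str(address)
            + ", which is not in a private range"
        )
        print("Not reported as CVE-2000-0649; verify the result manually.\n")
    else:
        print("May not be vulnerable to CVE-2000-0649 (http-internal-ip-disclosure)")
        print("Path /images is likely to be vulnerable, search for it and test again.\n")

    if args.verbose:
        print("HTTP Header sent: \n" + request)
        print(response)


if __name__ == '__main__':
    main()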