https://github.com/alt3kx/CVE-2021-21972
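description = [[
VMware vCenter Server CVE-2021-21972 Remote Code Execution Vulnerability

This script checks for the existence of CVE-2021-21972 based on the following PATH
"/ui/vropspluginui/rest/services/uploadova" through a POST request, looking in the
response body (HTTP 500) for the word "uploadFile". Its presence means the vCenter
is available to accept files via POST without any restrictions.

Manual inspection:

# curl -i -s -k -X $'GET' -H $'Host: <target>' -H $'User-Agent: alex666' $'https://<target>/ui/vropspluginui/rest/services/getstatus'
# curl -i -s -k -X $'GET' -H $'Host: <target>' -H $'User-Agent: alex666' $'https://<target>/ui/vropspluginui/rest/services/uploadova'
# curl -i -s -k -X $'POST' -H $'Host: <target>' -H $'User-Agent: alex666' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 0' $'https://<target>/ui/vropspluginui/rest/services/uploadova'

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972
https://www.vmware.com/security/advisories/VMSA-2021-0002.html
]]

---
-- @usage
-- nmap -p443 --script CVE-2021-21972.nse <target>
--
-- @output
-- PORT    STATE SERVICE
-- 443/tcp open  https
-- | CVE-2021-21972:
-- |   VULNERABLE:
-- |   vCenter 6.5-7.0 RCE
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2021-21972
-- |       The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin.
-- |       A malicious actor with network access to port 443 may exploit this issue to execute commands with
-- |       unrestricted privileges on the underlying operating system that hosts vCenter Server.
-- |     Disclosure date: 2021-02-23
-- |     References:
-- |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972

author = "Alex Hernandez aka alt3kx <alt3kx@protonmail.com>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "exploit"}

local shortport = require "shortport"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"

portrule = shortport.http

-- Path of the vRealize Operations plugin upload handler that CVE-2021-21972
-- concerns; this is the only request the script sends.
local UPLOAD_PATH = "/ui/vropspluginui/rest/services/uploadova"

-- Token searched for in the HTTP 500 response body. Per the description above,
-- its presence indicates the upload handler accepted the POST unauthenticated.
local MARKER = "uploadFile"

--- Probe the vCenter upload endpoint and report the CVE-2021-21972 status.
--
-- Sends a single empty POST to UPLOAD_PATH and marks the host as exploitable
-- when the server answers 500 with MARKER in the body. This is an indicator
-- check taken from the author's manual curl inspection, not an exploitation
-- attempt; the default state stays NOT_VULN for every other outcome.
--
-- @param host NSE host table
-- @param port NSE port table
-- @return vulns report output string (or nil when nothing to report)
action = function(host, port)
  local vuln = {
    title = "vCenter 6.5-7.0 RCE",
    state = vulns.STATE.NOT_VULN,
    IDS = { CVE = 'CVE-2021-21972' },
    description = [[
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin.
A malicious actor with network access to port 443 may exploit this issue to execute commands with
unrestricted privileges on the underlying operating system that hosts vCenter Server.]],
    references = {
      'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972'
    },
    dates = {
      disclosure = {year = '2021', month = '02', day = '23'},
    },
  }

  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- The header table was previously built but never handed to http.post, so
  -- the custom User-Agent was silently dropped; pass it as the options arg.
  local options = {
    header = { ["User-Agent"] = "Mozilla/5.0 (compatible; vCenter)" },
  }

  local response = http.post(host, port, UPLOAD_PATH, options)

  -- A failed request yields a response with nil status/body; guard both so a
  -- connection error is reported as NOT_VULN instead of raising in the script.
  if response and response.status == 500 and response.body then
    -- Plain (non-pattern) search for the marker; an exact-equality compare on
    -- the match result, as before, adds nothing over the find itself.
    if string.find(response.body, MARKER, 1, true) then
      vuln.state = vulns.STATE.EXPLOIT
    end
  end

  return report:make_output(vuln)
end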