## https://sploitus.com/exploit?id=EAE84183-EEEC-5C93-AB4F-725AD31987F9
# CVE-2021-39144-XSTREAM-RCE
[![Hits](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https%3A%2F%2Fgithub.com%2Fb3wT%2FCVE-2021-39144-XSTREAM-RCE&count_bg=%2379C83D&title_bg=%23555555&icon=&icon_color=%23E7E7E7&title=vm-xstream&edge_flat=false)](https://hits.seeyoufarm.com)
VMware Cloud Foundation remote code execution vulnerability via XStream (CVE-2021-39144)


# Description

- VMware Cloud Foundation contains an unauthenticated remote code execution vulnerability via the XStream open source library. Per VMSA-2022-0027, an unauthenticated endpoint in VMware Cloud Foundation (NSX-V) passes input to XStream for deserialization, so a remote attacker can execute code as `root` on the appliance.
- VMware rates the issue Critical, with a maximum CVSSv3 base score of 9.8.
- The underlying library flaw (also tracked as CVE-2021-39144) affects XStream before 1.4.18, which replaced the default type denylist with an allowlist. Check the advisory linked below for the affected and fixed VMware builds before testing a target.
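The root cause behind this class of bug is an XStream instance that instantiates whatever class names the untrusted XML asks for. The Java snippet below is an added example, not code from this tool, from VMware or from the linked blog post: it contrasts an XStream instance left on the pre-1.4.18 defaults with one restricted to an explicit allowlist using XStream's own security API (`addPermission`, `allowTypes`, `ForbiddenClassException`). `HostRegistration` and the two XML inputs are constructed for illustration; the hostile input simply names a JDK type the endpoint should never accept and is not the gadget chain used against NSX-V.

```java
// Added example (not the project's or VMware's code). Class and element
// names are illustrative; the hostile XML is a stand-in, not the real gadget.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // The single application type this hypothetical endpoint is meant to accept.
    public static class HostRegistration {
        String hostname;
        int port;
    }

    // Unsafe on XStream < 1.4.18: with no permissions configured, XStream only
    // consults a short built-in denylist, so the XML chooses which classes get
    // instantiated. This is the precondition gadget chains like the one in
    // CVE-2021-39144 rely on. (From 1.4.18 this same call fails closed, because
    // the default became an allowlist.)
    static XStream unsafeXStream() {
        XStream xs = new XStream();
        xs.alias("hostRegistration", HostRegistration.class);
        return xs;
    }

    // Hardened: deny everything first, then allow only null, primitives/String
    // and the application types this endpoint really needs. Any other class
    // name in the input, including dynamic-proxy handlers and JDK gadget types,
    // is rejected with ForbiddenClassException before it is instantiated.
    static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);          // drop all defaults
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { HostRegistration.class });
        xs.alias("hostRegistration", HostRegistration.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String benign =
            "<hostRegistration><hostname>nsx-mgr-01</hostname><port>443</port></hostRegistration>";
        String hostile =
            "<java.lang.ProcessBuilder><command><string>id</string></command></java.lang.ProcessBuilder>";

        XStream hardened = hardenedXStream();

        // Legitimate input still round-trips through the allowlisted type.
        HostRegistration reg = (HostRegistration) hardened.fromXML(benign);
        System.out.println("accepted: " + reg.hostname + ":" + reg.port);

        // Anything naming a type outside the allowlist is refused up front.
        try {
            hardened.fromXML(hostile);
            System.out.println("BUG: hostile input was deserialized");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The practical check for defenders is the second half: if an endpoint's XStream instance accepts the `java.lang.ProcessBuilder` document above without throwing `ForbiddenClassException`, it is running on denylist semantics and is exposed to this whole family of gadget chains, regardless of which specific CVE a scanner reports.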

# Usage

```
 _______    _______  __   __  ___  _________
|   _  "\  /" __   )|"  |/  \|  "|("       "\
(. |_)  :)(__/ _) ./|'  /    \:  | \___/   :/
|:     \/     /  // |: /'        |    /   //
(|  _  \  __ \_ \  \//  /'    |  __\  ./
|: |_)  :)(: \__) :\ /   /  \   | (:  \_/ \
(_______/  \_______)|___/    \___|  \_______)

coded by b3w7

usage: vm-xstream.py [-h] [-u URL] [-f FILE] [-c CMD]

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target URL; Example:http://ip:port
  -f FILE, --file FILE  Url File; Example:url.txt
  -c CMD, --cmd CMD     Commands to be executed(whoami as default)
```

# Disclaimer
The author takes no responsibility for misuse of the tool.

Made for educational purposes only.

# Links
- [official advisory (VMSA-2022-0027)](https://www.vmware.com/security/advisories/VMSA-2022-0027.html)
- [blog post (credit goes here)](https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html)

# Someone said coffee?
- [here you can buy me one/more](https://www.buymeacoffee.com/b3wt)