CVE-2021-21972
Proof of Concept Exploit for vCenter CVE-2021-21972
Research credit to: https://swarm.ptsecurity.com/unauth-rce-vmware/, http://noahblog.360.cn/vcenter-6-5-7-0-rce-lou-dong-fen-xi/
Tested on both Windows and Unix vCenter VCSA targets.
Usage
To benignly check if the target is vulnerable just supply the --target argument.
To exploit provide the --file, --path, and --operating-system flags. Write the file supplied in the --file argument to the location specified in the --path argument.
Windows Targets:
Tested by uploading the webshell cmdjsp.jsp to the /statsreport endpoint as indicated by PtSwarm. The webshell executes commands in the context of NT AUTHORITY/SYSTEM.
Unix Targets:
The file will be written in the context of the vsphere-ui user. If the target is vulnerable, but the exploit fails, it is likely that the vsphere-ui user does not have permissions to write to the specified path.
If writing the vsphere-ui user's SSH authorized_keys, when SSH'ing with the keys it was observed in some cases that the vsphere-ui user's password had expired and forced you to update it (which you cannot because no password is set).
34 Nov 21, 2022
15 Jul 24, 2022
5 Aug 09, 2022
43 Dec 03, 2022
108 Jan 07, 2023
4 Feb 22, 2022
4 Jan 27, 2022
10 Jul 28, 2022
31 Oct 21, 2022
48 Nov 20, 2022
675 Jan 03, 2023
1 Jan 31, 2022
3.8k Jan 06, 2023
6 Jan 22, 2022
2 Jan 22, 2022
20 Nov 30, 2022
32 Nov 05, 2022
4 Jun 08, 2022
8 Jan 03, 2023
6 May 17, 2022