Proof of Concept Exploit for vCenter CVE-2021-21972

Related tags

Security related resourcesCVE-2021-21972
Overview

CVE-2021-21972

Proof of Concept Exploit for vCenter CVE-2021-21972

Research credit to: https://swarm.ptsecurity.com/unauth-rce-vmware/, http://noahblog.360.cn/vcenter-6-5-7-0-rce-lou-dong-fen-xi/

Tested on both Windows and Unix vCenter VCSA targets.

Usage

To benignly check if the target is vulnerable just supply the --target argument.

To exploit provide the --file, --path, and --operating-system flags. Write the file supplied in the --file argument to the location specified in the --path argument.

Windows Targets:

Tested by uploading the webshell cmdjsp.jsp to the /statsreport endpoint as indicated by PtSwarm. The webshell executes commands in the context of NT AUTHORITY/SYSTEM.

WindowsExec

WindowsProof

Unix Targets:

The file will be written in the context of the vsphere-ui user. If the target is vulnerable, but the exploit fails, it is likely that the vsphere-ui user does not have permissions to write to the specified path.

If writing the vsphere-ui user's SSH authorized_keys, when SSH'ing with the keys it was observed in some cases that the vsphere-ui user's password had expired and forced you to update it (which you cannot because no password is set).

UnixProof

Owner
Horizon 3 AI Inc
AI-powered Pen Tests. See your enterprise through the eyes of an attacker & fix what matters.
Horizon 3 AI Inc
GitHub Repository
Learning to compose soft prompts for compositional zero-shot learning.

Compositional Soft Prompting (CSP) Compositional soft prompting (CSP), a parameter-efficient learning technique to improve the zero-shot compositional

Bats Research 32 Jan 02, 2023
TightVNC Vulnerability.

CVE-2022-23967 In TightVNC 1.3.10, there is an integer signedness error and resultant heap-based buffer overflow in InitialiseRFBConnection in rfbprot

MaherAzzouzi 15 Jul 11, 2022
A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF.

TProxer A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF. How • Install • Todo • Join Discord How it works

Krypt0mux 162 Nov 25, 2022
The self-hostable proxy tunnel

TTUN Server The self-hostable proxy tunnel. Running Running: docker run -e TUNNEL_DOMAIN=Your tunnel domain -e SECURE=True if using SSL ghcr.io/to

Tom van der Lee 2 Jan 11, 2022
EMBArk - The firmware security scanning environment

Embark is being developed to provide the firmware security analyzer emba as a containerized service and to ease accessibility to emba regardless of system and operating system.

emba 175 Dec 14, 2022
ORector - A Fast Python tool designed to detect open redirects vulnerabilities on websites

ORector is a Fast Python tool designed to detect open redirects vulnerabilities

11 Apr 02, 2022
Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than F

Christopher Roberts 3 Nov 16, 2021
CVE-2022-23046 - SQL Injection Vulnerability on PhpIPAM v1.4.4

CVE-2022-23046 PhpIPAM v1.4.4 allows an authenticated admin user to inject SQL s

2 Feb 15, 2022
Shell hunter for AF

AF-ShellHunter AF-ShellHunter: Auto shell lookup AF-ShellHunter its a script designed to automate the search of WebShell's in AF Team How to pip3 ins

Eduardo 34 May 13, 2022
JavaScript Raider is a coverage-guided JavaScript fuzzing framework designed for the v8 JavaScript engine

JavaScript Raider is a coverage-guided JavaScript fuzzing framework designed for the v8 JavaScript engine

105 Dec 05, 2022
Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3

Execution After Redirect (EAR) / Long Response Redirection Vulnerability Scanner written in python3, It Fuzzes All URLs of target website & then scan them for EAR

Pushpender Singh 9 Dec 12, 2022
Python Password Generator

This is a console-based version of a password generator written with Python. The program generates a password based on numbers of letters, numbers, and symbols specified by the user. This is a simple

p.katekomol 1 Jan 24, 2022
A simple way to store your passwords without requiring third party applications

SimplePasswordManager A simple way to store your passwords without requiring third party applications Simple To Use. Store Your Passwords For Each Web

Leone Odinga 1 Dec 23, 2021
Yara Based Detection Engine for web browsers

Yobi Yara Based Detection for web browsers System Requirements Yobi requires python3 and and right now supports only firefox and other Gecko-based bro

imp0rtp3 44 Nov 20, 2022
PwdGen is a Python Tkinter tool for generating secure 16 digit passwords.

PwdGen ( Password Generator ) is a Python Tkinter tool for generating secure 16 digit passwords. Installation Simply install requirements pip install

zJairO 7 Jul 14, 2022
Proof-of-concept obfuscation toolkit for C# post-exploitation tools

InvisibilityCloak Proof-of-concept obfuscation toolkit for C# post-exploitation tools. This will perform the below actions for a C# visual studio proj

259 Dec 19, 2022
A signature parser for hikari's command handler tanjun.

tanchi A signature parser for hikari's command handler tanjun. Finally be able to define your commands without those bloody decorator chains! Example

sadru 11 Nov 17, 2022
IP Denial of Service Vulnerability ")A proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability ")

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

Carry 1 Nov 25, 2021
log4j2 dos exploit,CVE-2021-45105 exploit,Denial of Service poc

说明 about author: 我超怕的 blog: https://www.cnblogs.com/iAmSoScArEd/ github: https://github.com/iAmSOScArEd/ date: 2021-12-20 log4j2 dos exploit log4j2 do

3 Aug 13, 2022
Ingest GreyNoise.io malicious feed for CVE-2021-44228 and apply null routes

log4j-nullroute Quick script to ingest IP feed from greynoise.io for log4j (CVE-2021-44228) and null route bad addresses. Works w/Cisco IOS-XE and Ari

Ryan 5 Sep 12, 2022