{"id":27627481,"url":"https://github.com/guardicore/vmware_guest_auth_bypass","last_synced_at":"2025-07-25T22:11:33.000Z","repository":{"id":65220464,"uuid":"94227107","full_name":"guardicore/vmware_guest_auth_bypass","owner":"guardicore","description":"Proof of concept of VMSA-2017-0012","archived":false,"fork":false,"pushed_at":"2017-07-27T21:03:49.000Z","size":28,"stargazers_count":43,"open_issues_count":0,"forks_count":14,"subscribers_count":15,"default_branch":"master","last_synced_at":"2024-07-30T18:19:19.985Z","etag":null,"topics":["exploit","vix","vmware","vmware-esxi","vulnerability"],"latest_commit_sha":null,"homepage":"https://www.guardicore.com/2017/07/escalating-insider-threats-using-vmwares-api/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/guardicore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-06-13T15:17:54.000Z","updated_at":"2023-09-28T10:42:09.000Z","dependencies_parsed_at":"2023-01-16T14:52:33.101Z","dependency_job_id":null,"html_url":"https://github.com/guardicore/vmware_guest_auth_bypass","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guardicore%2Fvmware_guest_auth_bypass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guardicore%2Fvmware_guest_auth_bypass/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guardicore%2Fvmware_guest_auth_bypass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/guardicore%2Fvmware_guest_auth_bypass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/guardicore","download_url":"https://codeload.github.com/guardicore/vmware_guest_auth_bypass/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250444527,"owners_count":21431665,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit","vix","vmware","vmware-esxi","vulnerability"],"created_at":"2025-04-23T13:54:47.274Z","updated_at":"2025-04-23T13:54:47.986Z","avatar_url":"https://github.com/guardicore.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"This repository contains two scripts related to the VIX authentication bypass presented in Black Hat.\r\n* vix.py - An attack script using the vulnerability.\r\n* role_discovery.py - A risk assessment tool for vSphere environments.\r\n\r\nFor more details on the vulnerability, check out our presentation in [BlackHat 2017](https://www.blackhat.com/us-17/briefings/schedule/index.html#escalating-insider-threats-using-vmwares-api-7300) or the [blog post](https://www.guardicore.com/2017/07/escalating-insider-threats-using-vmwares-api/).\r\n\r\n# vix.py\r\n\r\nThis is a demonstration script for the bypass. The script checks if a given user can run arbitrary commands on a given virtual machine.\r\n\r\nThe script relies on the existence of the VIX plugin DLLs (or SO files), which can be easily downloaded from [VMWare](https://code.vmware.com/web/sdk/60/vix). \r\nAfter downloading and installing the plugin, extract the DLL files and place them in the same path as the python file.\r\n\r\n## Usage\r\nExample execution\r\n\r\n```vix.py -s 10.15.0.25 -u root -p vmware -c notepad.exe windows_server_3.vmx```\r\n\r\nCommand line flags:\r\n* `-s`, `--host`: Remote vSphere or ESXi host\r\n* `-u`, `--user`: User name to use when connecting to host\r\n* `-p`, `--password`: Password to use when connecting to host, can omit and enter from stdin\r\n* `-c`, `--command`: Command to run on victim. Default exists for linux creates a file under /tmp\r\n\r\nAs a final argument, pass in the target vm name.\r\n\r\n## Authors (of most of the code)\r\n* [Itamar Tal](https://github.com/itamartal)\r\n* [Oran Nadler](https://github.com/orannadler)\r\n\r\n\r\n# role_discovery.py\r\n\r\nThis is a risk assessment tool to check which virtual machines in a vSphere environment are vulnerable to this attack.\r\nThe tool checks for each VM if it's running on a vulnerable host or running vulnerable versions of VMWare tools.\r\n\r\nIn addition, the script reports if there are non administrator users with the appropriate privileges to execute the attack, given a vulnerable machine.\r\n\r\n\r\n## Usage\r\nExample usage\r\n\r\n```role_discovery.py -c 192.168.13.37 -u administrator@vsphere.local -p Password1!```\r\n\r\nCommand line flags:\r\n* `-c`, `--host`: Remote vSphere or ESXi host\r\n* `-u`, `--user`: User name to use when connecting to host\r\n* `-p`, `--password`: Password to use when connecting to host, can omit and enter from stdin\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fguardicore%2Fvmware_guest_auth_bypass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fguardicore%2Fvmware_guest_auth_bypass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fguardicore%2Fvmware_guest_auth_bypass/lists"}