https://github.com/guardicore/vmware_guest_auth_bypass
Proof of concept of VMSA-2017-0012
- Host: GitHub
- URL: https://github.com/guardicore/vmware_guest_auth_bypass
- Owner: guardicore
- License: apache-2.0
- Created: 2017-06-13T15:17:54.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2017-07-27T21:03:49.000Z (almost 8 years ago)
- Last Synced: 2024-07-30T18:19:19.985Z (9 months ago)
- Topics: exploit, vix, vmware, vmware-esxi, vulnerability
- Language: Python
- Homepage: https://www.guardicore.com/2017/07/escalating-insider-threats-using-vmwares-api/
- Size: 27.3 KB
- Stars: 43
- Watchers: 15
- Forks: 14
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
README
This repository contains two scripts related to the VIX authentication bypass presented at Black Hat 2017.
* vix.py - An attack script that uses the vulnerability.
* role_discovery.py - A risk assessment tool for vSphere environments.

For more details on the vulnerability, check out our presentation at [BlackHat 2017](https://www.blackhat.com/us-17/briefings/schedule/index.html#escalating-insider-threats-using-vmwares-api-7300) or the [blog post](https://www.guardicore.com/2017/07/escalating-insider-threats-using-vmwares-api/).
# vix.py
This is a demonstration script for the bypass. The script checks whether a given user can run arbitrary commands on a given virtual machine.
The script relies on the VIX plugin DLLs (or .so files), which can be downloaded from [VMware](https://code.vmware.com/web/sdk/60/vix).
After downloading and installing the plugin, extract the DLL files and place them in the same directory as the Python file.

## Usage
Example execution:
```
vix.py -s 10.15.0.25 -u root -p vmware -c notepad.exe windows_server_3.vmx
```
Command line flags:
* `-s`, `--host`: Remote vSphere or ESXi host
* `-u`, `--user`: User name to use when connecting to the host
* `-p`, `--password`: Password to use when connecting to the host; may be omitted and entered on stdin
* `-c`, `--command`: Command to run on the victim. The default, for Linux guests, creates a file under /tmp

As the final argument, pass the name of the target VM.
## Authors (of most of the code)
* [Itamar Tal](https://github.com/itamartal)
* [Oran Nadler](https://github.com/orannadler)

# role_discovery.py
This is a risk assessment tool that checks which virtual machines in a vSphere environment are vulnerable to this attack.
For each VM, the tool checks whether it is running on a vulnerable host or running a vulnerable version of VMware Tools. In addition, given a vulnerable machine, the script reports whether there are non-administrator users with the privileges needed to execute the attack against it.
## Usage
Example usage:
```
role_discovery.py -c 192.168.13.37 -u [email protected] -p Password1!
```
Command line flags:
* `-c`, `--host`: Remote vSphere or ESXi host
* `-u`, `--user`: User name to use when connecting to the host
* `-p`, `--password`: Password to use when connecting to the host; may be omitted and entered on stdin
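The three checks role_discovery.py describes (unpatched host, unpatched Tools, non-admin principals holding the privilege the attack needs) can be modelled offline against an inventory snapshot. The script below is an added example and is not the project's code. It assumes the gating privilege is `VirtualMachine.Interact.GuestControl` (the "Guest operating system management by VIX API" privilege; confirm the name against your own vCenter role definitions), it models permissions flat (a VM name, or `*` for an assignment that propagates to every VM), and the build and Tools thresholds in the sample inventory are placeholders, not the real fixed versions from VMSA-2017-0012. The inventory itself is constructed.

```python
"""Offline model of the role_discovery.py checks (added example, not the
project's code). Reports, for each VM that still looks exposed, why it is
exposed and which non-administrator principals hold a role that includes the
guest-control privilege. Thresholds and the privilege name are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

VIX_PRIVILEGE = "VirtualMachine.Interact.GuestControl"  # assumed privilege name
ADMIN_ROLE = "Admin"                                     # built-in Administrator role


@dataclass(frozen=True)
class Host:
    name: str
    version: str   # ESXi version string, e.g. "6.5.0"
    build: int     # ESXi build number


@dataclass(frozen=True)
class VM:
    name: str
    host: str                        # name of the Host it runs on
    tools_version: Tuple[int, ...]   # VMware Tools version as a tuple, e.g. (10, 1, 7)


@dataclass(frozen=True)
class Permission:
    principal: str   # user or group
    role: str
    entity: str      # VM name, or "*" for an assignment that propagates to all VMs


def host_is_vulnerable(host: Host, fixed_builds: Dict[str, int]) -> bool:
    """True if the host's build predates the fixed build for its version.
    Versions with no known fix are reported as vulnerable so they get reviewed."""
    fixed = fixed_builds.get(host.version)
    return fixed is None or host.build < fixed


def tools_are_vulnerable(vm: VM, fixed_tools: Tuple[int, ...]) -> bool:
    """True if the guest reports a Tools version below the fixed one."""
    return vm.tools_version < fixed_tools


def principals_with_vix_rights(vm: VM, perms: List[Permission],
                               roles: Dict[str, Set[str]]) -> List[str]:
    """Non-admin principals whose role on this VM (or on everything) carries VIX_PRIVILEGE."""
    hits = set()
    for p in perms:
        if p.role == ADMIN_ROLE or p.entity not in (vm.name, "*"):
            continue
        if VIX_PRIVILEGE in roles.get(p.role, set()):
            hits.add(p.principal)
    return sorted(hits)


def assess(hosts: List[Host], vms: List[VM], perms: List[Permission],
           roles: Dict[str, Set[str]], fixed_builds: Dict[str, int],
           fixed_tools: Tuple[int, ...]) -> List[dict]:
    """One finding per exposed VM: why it is exposed and who could abuse it."""
    hosts_by_name = {h.name: h for h in hosts}
    findings = []
    for vm in vms:
        reasons = []
        host = hosts_by_name.get(vm.host)
        if host is None or host_is_vulnerable(host, fixed_builds):
            reasons.append("unpatched host")
        if tools_are_vulnerable(vm, fixed_tools):
            reasons.append("unpatched tools")
        if reasons:
            findings.append({"vm": vm.name, "reasons": reasons,
                             "principals": principals_with_vix_rights(vm, perms, roles)})
    return findings


# Constructed sample inventory (not real data). The build and Tools thresholds
# are placeholders; substitute the fixed versions from VMSA-2017-0012.
SAMPLE_HOSTS = [Host("esx01", "6.5.0", 5000000), Host("esx02", "6.5.0", 6000000)]
SAMPLE_VMS = [VM("web01", "esx01", (10, 1, 7)),
              VM("db01", "esx02", (10, 1, 7)),
              VM("build01", "esx02", (10, 2, 0))]
SAMPLE_ROLES = {"Admin": {"*"},
                "VM Operator": {"VirtualMachine.Interact.PowerOn", VIX_PRIVILEGE},
                "Read-only": {"System.View"}}
SAMPLE_PERMS = [Permission("CORP\\vsphere-admins", "Admin", "*"),
                Permission("CORP\\alice", "VM Operator", "web01"),
                Permission("CORP\\bob", "Read-only", "*"),
                Permission("CORP\\ci-bot", "VM Operator", "*")]
PLACEHOLDER_FIXED_BUILDS = {"6.5.0": 5500000}
PLACEHOLDER_FIXED_TOOLS = (10, 2, 0)


def run_sample() -> List[dict]:
    return assess(SAMPLE_HOSTS, SAMPLE_VMS, SAMPLE_PERMS, SAMPLE_ROLES,
                  PLACEHOLDER_FIXED_BUILDS, PLACEHOLDER_FIXED_TOOLS)


if __name__ == "__main__":
    for f in run_sample():
        who = ", ".join(f["principals"]) or "(admins only)"
        print(f"{f['vm']}: {', '.join(f['reasons'])}; non-admin VIX rights: {who}")
```

On the sample data, `web01` is flagged for both an old host build and old Tools, with `alice` (role on the VM) and `ci-bot` (propagating role) listed; `db01` is flagged for Tools only, with `ci-bot`; `build01` is clean and omitted. Against a live vCenter the same inputs come from pyVmomi: host builds from each `HostSystem`'s product info, Tools versions from each `VirtualMachine`'s guest info, and roles and assignments from `content.authorizationManager` (`roleList` and `RetrieveAllPermissions()`); the flat `"*"` entity is a simplification of the real propagate-down-the-inventory-tree semantics, so resolve propagation properly before trusting a clean result.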