auxiliary/gather/vmware_vcenter_vmdir_ldap exploit broken by internal LDAP changes #16498
Comments
What version is that vcenter?
The error was observed against VCenter 6.7.0 (build 8217866) for which the exploit worked prior to the noted commit. I have not tested against other versions of VCenter.
6.5 is supposed to be vuln out the gate, 6.7 only if updated from 6.0+. 6.5 is downable here: https://customerconnect.vmware.com/downloads/get-download?downloadGroup=VC650 (this is for my own notes).
Hi! This issue has been left open with no activity for a while now. We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Possibly related to the same issue @gwillcox-r7 noticed where that commit switched to using Rex::Socket and the
@jtylerorr would you be able to test it again using the patch from my fix/ldap-reads branch? Specifically this commit here, you can optionally apply it as a patch.
@zeroSteiner Confirmed your patch appears to fix the issue I was facing a few days back.
Steps to reproduce
How'd you do it?
msfconsole
use auxiliary/gather/vmware_vcenter_vmdir_ldap
set RHOSTS <target_ip>
set RPORT <target_port>
set SSL false
run
The issue is observed by targeting an intentionally vulnerable VMware VCenter instance for which the exploit previously worked.
Were you following a specific guide/tutorial or reading documentation?
No.
Expected behavior
The exploit should dump credentials from the target.
Current behavior
The module currently displays an error message and fails to dump credentials, as shown below:
Metasploit version
The issue appears to be caused by changes introduced in commit db8f4ffa6f and exists through the recent releases (6.1.38).
Additional Information
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:
Database Configuration
The database contains the following information:
History
The following commands were run during the session and before this issue occurred:
Framework Errors
The following framework errors occurred before the issue occurred:
Web Service Errors
The following web service errors occurred before the issue occurred:
Framework Logs
The following framework logs were recorded before the issue occurred:
Web Service Logs
The following web service logs were recorded before the issue occurred:
Version/Install
The versions and install method of your Metasploit setup: