vCenter Sudo LPE (CVE-2024-37081) #19402
base: master
Conversation
if ['infraprofile', 'vpxd', 'sts', 'pod'].contains? user || | ||
['operator', 'admin'] & group |
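Review bot: `contains?` is not a method on Ruby's Array, so this condition raises NoMethodError before the group check is ever reached; the method is `include?`, i.e. `['infraprofile', 'vpxd', 'sts', 'pod'].include?(user)`. The right-hand term `['operator', 'admin'] & group` also needs an explicit emptiness test such as `.any?`, since `&` returns an Array and an empty Array is truthy.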
The second part of this will always evaluate to true because empty arrays are truthy in Ruby. I think what you want is something like this instead:
if ['infraprofile', 'vpxd', 'sts', 'pod'].contains? user || | |
['operator', 'admin'] & group | |
if ['infraprofile', 'vpxd', 'sts', 'pod'].contains?(user) || (['operator', 'admin'] & group).any? |
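As an added example (not code from this PR or from Metasploit), the two forms of the check discussed above are placed side by side so the truthiness problem is visible on real input. Ruby's Array has no `contains?` method, so `include?` is used in both forms; the sample `groups` output and the helper names are constructed for this example.

```ruby
# Users and groups named in the PR's condition.
PRIV_USERS  = ['infraprofile', 'vpxd', 'sts', 'pod'].freeze
PRIV_GROUPS = ['operator', 'admin'].freeze

# Form as written in the PR (with include? so it runs at all).
# `&` binds tighter than `||`, so the right-hand side is the Array
# `PRIV_GROUPS & groups`; an empty Array is truthy, so this branch is
# taken for every user, privileged or not.
def privileged_buggy?(user, groups)
  if PRIV_USERS.include?(user) || PRIV_GROUPS & groups
    true
  else
    false
  end
end

# Corrected form from the review: test the intersection for emptiness.
def privileged?(user, groups)
  PRIV_USERS.include?(user) || (PRIV_GROUPS & groups).any?
end

# Parsing `groups` output: chomp the String first, then split.
# (split(' ').chomp would call chomp on an Array and raise.)
def parse_groups(output)
  output.chomp.split(' ')
end

if __FILE__ == $PROGRAM_NAME
  sample = "www-data www-data ssh-users\n"   # constructed sample output
  groups = parse_groups(sample)
  puts "buggy:   #{privileged_buggy?('www-data', groups)}"  # true (wrong)
  puts "correct: #{privileged?('www-data', groups)}"        # false
  puts "correct: #{privileged?('vpxd', groups)}"            # true
end
```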
user = cmd_exec('whoami').chomp | ||
groups = cmd_exec('groups').split(' ').chomp |
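Review bot: `cmd_exec('groups').split(' ').chomp` calls `chomp` on the Array returned by `split`, which raises NoMethodError; strip the newline from the String first, e.g. `groups = cmd_exec('groups').chomp.split(' ')` (or plain `.split`, which splits on whitespace and drops the trailing newline). Note also that this assigns `groups` while the condition above reads `group`; the two names need to be reconciled or the check will reference an undefined variable.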
How about storing these as instance variables so the commands only need to be executed once? The values are highly unlikely to change during the course of exploitation.
'Matei "Mal" Badanoiu', # discovery | ||
], | ||
'Platform' => [ 'linux' ], | ||
'Arch' => [ ARCH_X86, ARCH_X64 ], |
It looks like, for a couple of targets at least, the host is expecting to import a Python module, so if this doesn't work because you're dropping an ELF binary and not a shared object, then you may want to change these to ARCH_PYTHON.
Haven't forgotten about this; my ESXi server, which should be vulnerable, has a failing drive, so I'm waiting for the replacements to come in before attempting any more than absolutely necessary disk writes.
Draft module of CVE-2024-37081. Untested, pseudo-coded based on the PoC; I just haven't had time to get back around to it yet.