Exploit for VMware VDP with known ssh private key (CVE-2016-7456) #7808
Conversation
Hi @phroxvs, is it just me? Are you getting a

Hi @wchen-r7, thanks for your feedback. Currently I have no OS X with me, but I'll test it within the next days.

Thanks. I'll try to set up Kali too.

Thanks for testing. The uninitialized error can be fixed by adding this line at the top of your file:

require 'net/ssh/command_stream'

And then add this in the class scope:

include Msf::Auxiliary::CommandShell

And that should do it. After that error is fixed, please let me know if your session causes msfconsole to freeze. Thanks.

Ok, I added the dependency and the class scope. Now the exploit also works on my OS X.

Thanks. I'll try to find the appliance and test it.

BTW @phroxvs, when you wrote this module, exactly what version of the VMware vSphere Data Protection appliance did you test this on? Please let me know. Thanks!

I've tested the module against vSphere Data Protection version 6.1.2.

Cool, thanks! I'm in the process of obtaining the virtual appliance for testing.

I just obtained the appliance. I will be testing this tomorrow.

Hi @phroxvs, I am trying to test this PR, but I am having a hard time with it because I'm unable to set up the virtual appliance. For some reason, when I try to import the ova file, I get this: I've tried both VMware Fusion and VirtualBox. I was wondering if you ran into something similar? If you did, let me know. Thanks!

Hi @wchen-r7, yes, I had the same problems. I got it working by unzipping the vmdk from the .ova file and manually creating a virtual machine. If you need to log in on the appliance, the default should be root:changeme

Good thing to capture in the docs :)

Hm, for me (with VMware Workstation 12 Pro on Windows 10, 64-bit) the vSphereDataProtection-6.1 appliance also worked just fine. I only had to manually configure the network interface. The appliance MD5 hash was 9cd6055b45428ecc9f9e279ca5756a35. I successfully tested the exploit, too.

I poked at the private key without the appliance; it seemed OK. Gonna call that good enough, since setting up the actual appliance is a pain. Thanks @phroxvs

Release Notes
An exploit that targets VMware vSphere Data Protection appliances (5.5.x-6.1.x) has been added to the framework. These appliances contain a known SSH private key for the local user admin, and this exploit includes the private key and gets a shell if the SSH port of the appliance is reachable.
VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin. This exploit includes the private key and gets you a shell if the ssh port of the appliance is reachable.
Reference: https://www.vmware.com/security/advisories/VMSA-2016-0024.html
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/linux/ssh/vmware_vdp_known_privkey
set rhost <ip>
exploit
Screenshot
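The module works because the appliance keeps trusting a key whose private half is public. From the defender's side, the check that matters is whether that key (or any other key on a blocklist of published private keys) still appears in an authorized_keys file. The Ruby script below is an added example written for this page; it is not code from the PR or from the Metasploit project. It computes the same SHA256 fingerprint that `ssh-keygen -lf` prints for each authorized_keys line, skipping leading key options, and reports lines whose fingerprint is blocklisted. The helper names (`ssh_blob`, `fingerprint`, `find_blocklisted_keys`), the sample keys, the sample file and the blocklist are all constructed for the example; the real appliance key's fingerprint is not on this page, so a deployment would put the published fingerprint in `BLOCKLIST` in place of the constructed one.

```ruby
require 'digest'

# Build a wire-format SSH public key blob (length-prefixed fields).
# Used only to construct sample keys below; these are NOT real or leaked keys.
def ssh_blob(type, key_bytes)
  [type.bytesize].pack('N') + type + [key_bytes.bytesize].pack('N') + key_bytes
end

# OpenSSH-style fingerprint of one authorized_keys line: "SHA256:" plus the
# unpadded base64 of SHA-256 over the raw key blob (what `ssh-keygen -lf` prints).
# Key options that precede the key type (e.g. no-pty,command="...") are skipped.
def fingerprint(line)
  fields = line.strip.split(/\s+/)
  type_idx = fields.index { |f| f.start_with?('ssh-', 'ecdsa-') }
  return nil unless type_idx && fields[type_idx + 1]
  blob = fields[type_idx + 1].unpack1('m0')   # strict base64 decode
  'SHA256:' + [Digest::SHA256.digest(blob)].pack('m0').delete('=')
rescue ArgumentError
  nil                                          # malformed base64: not a key
end

# Return [line_no, fingerprint, line] for every authorized_keys entry whose
# fingerprint is on the blocklist of keys whose private half is public.
def find_blocklisted_keys(authorized_keys_text, blocklist)
  authorized_keys_text.each_line.with_index(1).map do |line, no|
    next if line.strip.empty? || line.start_with?('#')
    fp = fingerprint(line)
    [no, fp, line.strip] if fp && blocklist.include?(fp)
  end.compact
end

# --- constructed sample data (hypothetical keys, not the appliance's key) ---
LEAKED_KEY_B64  = [ssh_blob('ssh-ed25519', "\x01".b * 32)].pack('m0')
OTHER_KEY_B64   = [ssh_blob('ssh-ed25519', "\x02".b * 32)].pack('m0')
LEAKED_KEY_LINE = "ssh-ed25519 #{LEAKED_KEY_B64} admin@vdp-appliance"

SAMPLE_AUTHORIZED_KEYS = <<~KEYS
  # constructed /home/admin/.ssh/authorized_keys
  ssh-ed25519 #{OTHER_KEY_B64} ops@jumphost
  no-pty,command="/bin/false" #{LEAKED_KEY_LINE}
  not a key line at all
KEYS

# Blocklist of fingerprints to refuse. Placeholder: in a real audit this holds
# the published fingerprint of the leaked appliance key, which is not on this page.
BLOCKLIST = [fingerprint(LEAKED_KEY_LINE)].freeze

if __FILE__ == $PROGRAM_NAME
  find_blocklisted_keys(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST).each do |no, fp, line|
    puts "line #{no}: blocklisted key #{fp}: #{line}"
  end
end
```

Run against a real file with `find_blocklisted_keys(File.read(path), BLOCKLIST)`; a hit means the host still accepts a key anyone can use, regardless of any options on the line, and the entry should be removed.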