RCE in VMware vCenter Server vSphere Client VSAN Health Check Plug-in
CVE-2021-21985 is a critical unauthenticated remote code execution vulnerability in VMware vCenter Server 6.5, 6.7, and 7.0, specifically in the vSphere Client (HTML5). The flaw is caused by insufficient input validation in the Virtual SAN (VSAN) Health Check plug-in, which is enabled by default in vCenter Server. An attacker with network access to the vCenter Server HTTPS service on port 443 can send crafted input to the vulnerable plug-in and achieve command execution on the underlying operating system hosting vCenter Server. VMware and downstream advisories describe the resulting execution context as having unrestricted privileges on the host OS.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository provides a proof-of-concept (PoC) exploit for CVE-2021-21985, a remote code execution vulnerability in VMware vCenter Server's VSAN Health Check plugin. The repository contains two files: a README.md with usage instructions and vulnerability details, and a Bash script ('cve-2021-21985_PoC') that implements the exploit logic. The script sends a crafted POST request to the vulnerable vCenter endpoint over HTTPS, targeting the '/ui/h5-vsan/rest/proxy/service/com.vmware.vsan.client.services.capability.VsanCapabilityProvider/<Class/Method>' path. The script can list available methods or attempt to exploit a specific method. The exploit requires network access to the target's port 443 and is effective against the unpatched vCenter Server and Cloud Foundation versions listed in the README. The code is a straightforward PoC and does not include advanced payload customization or post-exploitation features.
This repository contains a working exploit for CVE-2021-21985, a critical remote code execution vulnerability in VMware vCenter Server's vSphere UI. The main exploit script, 'cve-2021-21985.py', is a Python program that automates the exploitation process by sending a series of crafted POST requests to the vulnerable REST API endpoint '/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService' on the target vCenter Server. The exploit leverages a JNDI injection vulnerability to trigger a remote lookup via javax.naming.InitialContext.doLookup, causing the target to connect to an attacker-controlled RMI server (e.g., 'rmi://8.8.8.8:1099/Exploit'). This can result in arbitrary code execution, such as spawning a reverse shell. The repository also includes a README with detailed exploitation steps, references, and usage instructions. The only code file is the exploit script; the rest are IDE configuration files. The exploit is operational and requires the attacker to set up an RMI server and a listener for the reverse shell.
This repository provides a Proof-of-Concept (PoC) exploit and detection script for CVE-2021-21985, a critical remote code execution vulnerability in VMware vCenter Server (versions 6.5 to 7.0). The main code file, 'CVE-2021-21985.nse', is an Nmap Scripting Engine (NSE) script that checks if a target vCenter instance is vulnerable by sending a crafted POST request to the vSAN Health Check REST API endpoint and analyzing the response. The README.md details both the vulnerability and a manual exploitation chain, showing how an attacker can leverage a series of POST requests to specific REST endpoints to achieve remote code execution via JNDI (RMI) payloads. The repository also documents relevant log file paths for monitoring exploitation attempts. The exploit is network-based, targeting the HTTPS interface of vCenter, and does not require authentication if the vulnerable plug-in is enabled. The code is a PoC and does not include a weaponized payload, but the manual steps demonstrate how to achieve code execution. The repository is structured with a single code file (Lua/NSE), a README with detailed exploitation steps, and a license file.
This repository, 'VcenterKiller', is a comprehensive exploitation toolkit written in Go, targeting multiple critical vulnerabilities in VMware vCenter Server and Workspace ONE Access. It supports exploitation of CVE-2021-21972, CVE-2021-21985, CVE-2021-22005, CVE-2021-44228 (Log4Shell), CVE-2022-22954, CVE-2022-22972, and CVE-2022-31656. The tool provides modules for remote code execution, webshell upload, SSH key injection, authentication bypass, and Log4j JNDI injection (with built-in LDAP/RMI servers for payload delivery). The main entry point is 'main.go', which dispatches to specific modules under 'src/'. Each module implements the exploit logic for a specific CVE, with endpoints and payloads tailored to the vulnerability. The tool is operational and can be used for post-exploitation, red teaming, or authorized penetration testing of VMware environments. The codebase is modular, with clear separation of exploit logic per CVE, and includes support for proxies and various attack modes. The README provides detailed usage instructions and legal disclaimers.
This repository contains a working exploit for CVE-2021-21985, a critical remote code execution vulnerability in VMware vCenter Server's vSAN plugin. The repository includes two main Python proof-of-concept scripts (PoC_1.py and PoC_3.py), a C source file (JNI_Rce.c) and its header (JNI_Rce.h) for a JNI shared library payload, and a README with compilation instructions.
- PoC_1.py crafts a multi-stage attack: it writes a malicious class file and a command (such as a reverse shell) to the target's /tmp directory via the vSAN plugin's REST API, then loads a JNI shared library to execute the command. The exploit abuses several endpoints under /ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService/.
- PoC_3.py provides an interactive shell-like interface, using a Spring beans XML payload zipped and base64-encoded, which is then loaded via the vSAN plugin to execute arbitrary commands. Output is exfiltrated by reading a system property set by the payload.
- JNI_Rce.c is the C code for the JNI shared library, which reads a command from /tmp/.cfg1487.class and executes it via Java's Runtime.exec().
The exploit is operational and provides full remote code execution on unpatched vCenter Servers. The main attack vector is network-based, targeting the vSAN plugin's REST API endpoints. The repository is well-structured, with clear separation between payload, exploit logic, and documentation.
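Every exploit summarised above reaches the plug-in through the same unauthenticated proxy prefix, /ui/h5-vsan/rest/proxy/service/, and two of them name the specific services they call. That makes the request path a usable detection pivot. The following is an added example written for this page, not code from Mallory or from any of the repositories above: a small Python scanner that reads web-server access-log lines and flags requests to that prefix, rating requests that name one of the two quoted services higher than generic POSTs to the proxy. The log layout (Apache/NGINX combined format), the sample lines and the method names appended after the service names are constructed assumptions; the real vCenter UI log format is not given on this page and may differ, so the regex is the part to adapt.

```python
"""Flag HTTP requests aimed at the vSAN Health Check proxy endpoints named on this page.

Added example, not code from Mallory or from the repositories summarised above.
Assumptions (not from the page): access-log lines in Apache/NGINX combined format,
and the sample lines in SAMPLE_LOG are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Prefix every summary above routes through; plain GETs here are normal UI traffic.
VSAN_PROXY_PREFIX = "/ui/h5-vsan/rest/proxy/service/"

# Service names quoted in the summaries. Hitting these is a stronger signal than the
# prefix alone, because legitimate vSphere Client traffic also traverses the proxy.
HIGH_SIGNAL_SERVICES = (
    "vsanQueryUtil_setDataService",
    "com.vmware.vsan.client.services.capability.VsanCapabilityProvider",
)

# Combined log format: client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    client: str
    time: str
    method: str
    path: str
    status: int
    severity: str  # "high" (named service) or "medium" (any POST to the proxy)


def classify(method: str, path: str) -> Optional[str]:
    """Return a severity if the request targets the vSAN proxy, else None."""
    if not path.startswith(VSAN_PROXY_PREFIX):
        return None
    if any(svc in path for svc in HIGH_SIGNAL_SERVICES):
        return "high"
    # Any write to the proxy is worth a look even without a known service name.
    return "medium" if method == "POST" else None


def scan(lines) -> List[Finding]:
    """Parse access-log lines and return the requests that match."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort on mixed input
        sev = classify(m["method"], m["path"])
        if sev:
            findings.append(Finding(m["client"], m["time"], m["method"],
                                    m["path"], int(m["status"]), sev))
    return findings


def high_by_client(findings) -> dict:
    """Count high-severity hits per client; the exploits above fire a burst of POSTs."""
    counts: dict = {}
    for f in findings:
        if f.severity == "high":
            counts[f.client] = counts.get(f.client, 0) + 1
    return counts


# Constructed sample data (RFC 5737 documentation addresses, made-up method names).
SAMPLE_LOG = [
    '203.0.113.10 - - [25/May/2021:10:15:01 +0000] "GET /ui/ HTTP/1.1" 200 5120',
    '203.0.113.10 - - [25/May/2021:10:15:07 +0000] "POST /ui/h5-vsan/rest/proxy/service/'
    '&vsanQueryUtil_setDataService/exampleMethod HTTP/1.1" 200 48',
    '203.0.113.10 - - [25/May/2021:10:15:09 +0000] "POST /ui/h5-vsan/rest/proxy/service/'
    'com.vmware.vsan.client.services.capability.VsanCapabilityProvider/exampleMethod HTTP/1.1" 200 310',
    '198.51.100.7 - - [25/May/2021:10:16:00 +0000] "POST /ui/h5-vsan/rest/proxy/service/'
    'someOtherService/exampleMethod HTTP/1.1" 500 0',
    '198.51.100.7 - - [25/May/2021:10:16:03 +0000] "GET /ui/h5-vsan/rest/proxy/service/'
    'someOtherService/exampleMethod HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:6} {f.client:14} {f.method:4} {f.status} {f.path}")
    print("high-severity hits per client:", high_by_client(scan(SAMPLE_LOG)))
```

A 200 on a high-signal POST is the case to chase first; the summaries above describe the exploits as a chain of successful requests, so one client producing several such hits in a few seconds is the pattern to alert on rather than any single line.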
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote code execution vulnerability in VMware vCenter Server, referenced as another initial access vector that yields the vsphere-ui user before local privilege escalation via CVE-2021-3156.
A critical remote code execution vulnerability in VMware vCenter Server's vSphere Client (HTML5), specifically in the Virtual SAN Health Check plug-in, enabled by default. Allows attackers with network access to port 443 to execute commands with unrestricted privileges on the underlying OS.
A critical remote code execution (RCE) vulnerability in VMware vCenter Server’s vSphere Client (HTML5), caused by missing input validation in the vSAN Health Check plugin (enabled by default), allowing an attacker with network access to port 443 to execute arbitrary code with unrestricted privileges on the underlying host OS.
A VMware vCenter vulnerability listed among 2021 CVEs known to be exploited.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.