Unauthenticated RCE in VMware vCenter Server vSphere Client plugin
CVE-2021-21972 is a critical remote code execution vulnerability in the VMware vSphere Client (HTML5) component of VMware vCenter Server, specifically in the vCenter Server plugin associated with the VMware vROPS Client plugin path /ui/vropspluginui. The issue is reachable over HTTPS on port 443 and does not require authentication. Supporting content describes the flaw as a chain: an unauthenticated upload of a TAR archive, followed by .. path traversal sequences within the archive that write or access files outside the intended directory, ultimately enabling command execution on the vCenter host. VMware states that a malicious actor with network access to port 443 can exploit the issue to execute commands with unrestricted privileges on the underlying operating system hosting vCenter Server. Affected products are VMware vCenter Server 7.x before 7.0 U1c, 6.7 before 6.7 U3l, 6.5 before 6.5 U3n, and VMware Cloud Foundation 4.x before 4.2 and 3.x before 3.10.1.2 when using the vulnerable vCenter component.
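The chain above depends on an extractor that trusts the member names inside an uploaded TAR. The following is an added example, not code from the page or from VMware, showing the name check a safe extractor performs before writing anything; the archive contents are constructed samples and the helper names are mine.

```python
"""Added example, not from the page: the member-name check a safe archive extractor
performs before writing anything, the step whose absence lets '..' entries escape.
The archive contents are constructed samples and the helper names are mine."""
import io
import os
import tarfile
from typing import Dict, List, Optional

def escaped_members(tar_bytes: bytes, dest_dir: str) -> List[str]:
    """Names of members that would land outside dest_dir on extraction: '..' segments,
    absolute names, and symlinks or hardlinks whose target points outward."""
    dest = os.path.realpath(dest_dir)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            target = os.path.realpath(os.path.join(dest, m.name))
            outside = os.path.commonpath([dest, target]) != dest
            if not outside and m.issym():  # symlink target is relative to the member's directory
                link = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
                outside = os.path.commonpath([dest, link]) != dest
            elif not outside and m.islnk():  # hardlink target is relative to the archive root
                link = os.path.realpath(os.path.join(dest, m.linkname))
                outside = os.path.commonpath([dest, link]) != dest
            if outside:
                bad.append(m.name)
    return bad

def build_sample_tar(names: List[str], symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Constructed archive: a small regular file per name, plus name -> linkname symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in names:
            info = tarfile.TarInfo(name=name)
            info.size = 6
            tf.addfile(info, io.BytesIO(b"sample"))
        for name, linkname in (symlinks or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type, info.linkname = tarfile.SYMTYPE, linkname
            tf.addfile(info)
    return buf.getvalue()

if __name__ == "__main__":
    archive = build_sample_tar(["ok/inside.txt", "../../outside.txt", "/abs/path.txt"],
                               {"lnk": "../../escape_target"})
    print("rejected members:", escaped_members(archive, "/srv/plugin/upload"))
```

An extractor that refuses the archive when this list is non-empty closes the traversal step regardless of what the uploaded members are named.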
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Mark the plugin com.vmware.vrops.install as incompatible in the compatibility-matrix.xml file, then restart the vsphere-ui service. On Linux-based vCenter Server Appliance systems, edit /etc/vmware/vsphere-ui/compatibility-matrix.xml; on Windows-based vCenter Server, edit C:\ProgramData\VMware\vCenterServer\cfg\vsphere-ui\compatibility-matrix.xml. The required entry is <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>. Disabling the plugin in the UI alone is explicitly stated not to protect the system. In vCenter High Availability deployments, apply the workaround to both active and passive nodes. Validate the mitigation by confirming a 404 response from https://<VC-IP-or-FQDN>/ui/vropspluginui/rest/services/checkmobregister and by verifying that the plugin appears as incompatible in the vSphere Client.
Remediation
Patch, then assume compromise.
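Before patching, the workaround under Mitigation can be verified mechanically. This is an added example, not VMware's tooling or code from the page: it checks that compatibility-matrix.xml carries the required PluginPackage entry and, optionally, that the checkmobregister probe answers 404. The <Matrix>/<pluginsCompatibility> nesting in the sample files is an assumption; only the entry and the probe path come from the page.

```python
"""Added example (not from the advisory or this page): verify the CVE-2021-21972 workaround
by checking compatibility-matrix.xml and, optionally, the checkmobregister probe. The
<Matrix>/<pluginsCompatibility> nesting used in the samples is an assumption."""
import ssl
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

PLUGIN_ID = "com.vmware.vrops.install"
CHECK_PATH = "/ui/vropspluginui/rest/services/checkmobregister"

def plugin_status(xml_text: str) -> Optional[str]:
    """Status recorded for the vROps plugin entry, or None if there is no entry."""
    for pkg in ET.fromstring(xml_text).iter("PluginPackage"):
        if pkg.get("id") == PLUGIN_ID:
            return pkg.get("status")
    return None

def workaround_present(xml_text: str) -> bool:
    """Only status="incompatible" counts; a missing entry or any other value fails."""
    return plugin_status(xml_text) == "incompatible"

def probe_is_blocked(base_url: str, verify_tls: bool = True, timeout: float = 5.0) -> bool:
    """GET the checkmobregister endpoint; the documented validation step is a 404.
    verify_tls=False is for appliances still presenting a self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    url = base_url.rstrip("/") + CHECK_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status == 404  # a 2xx here means the plugin still answers
    except urllib.error.HTTPError as err:
        return err.code == 404

# Constructed samples: the workaround applied, and a file where the plugin was never marked.
SAMPLE_MITIGATED = """<Matrix><pluginsCompatibility>
  <PluginPackage id="com.vmware.vrops.install" status="incompatible"/>
</pluginsCompatibility></Matrix>"""
SAMPLE_UNMITIGATED = """<Matrix><pluginsCompatibility>
  <PluginPackage id="com.example.otherplugin" status="incompatible"/>
</pluginsCompatibility></Matrix>"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MITIGATED
    print("workaround present in XML:", workaround_present(text))
    if len(sys.argv) > 2:
        print("probe returns 404:", probe_is_blocked(sys.argv[2], verify_tls=False))
```

Pass the path to compatibility-matrix.xml as the first argument and the vCenter base URL as the second to exercise the probe as well; in an HA pair, run it against both nodes.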
Exploits
8 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (11 hidden).
This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. 
Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.
This repository contains an operational exploit for CVE-2021-21972, a critical unauthenticated file upload vulnerability in VMware vCenter Server. The main exploit file, 'vmware_vcenter_server_unauthenticated_file_upload_exploit.py', is a Metasploit-compatible module that enables remote attackers to upload arbitrary files (such as a JSP webshell or SSH public key) to a vulnerable vCenter instance. The exploit works by targeting the '/ui/vropspluginui/rest/services/uploadova' endpoint, which is vulnerable to unauthenticated file uploads. The module can fingerprint the vCenter version via the '/sdk' SOAP endpoint and adjusts its payload placement accordingly. The included 'shell1.jsp' is a simple webshell that allows arbitrary command execution via the 'cmd' GET parameter. The exploit supports both Linux and Windows vCenter deployments. The repository is structured with a README providing usage instructions, the main Python exploit module, a sample JSP webshell payload, and a license file. The exploit is operational and can provide remote code execution or SSH access on unpatched vCenter servers.
This repository provides a working exploit for CVE-2021-21972, a critical unauthenticated file upload vulnerability in VMware vCenter Server (both VCSA and Windows versions). The main exploit script, CVE-2021-21972.py, is a Python tool that automates the exploitation process:
- It checks if the target is vulnerable by probing the /ui/vropspluginui/rest/services/uploadova endpoint.
- It fingerprints the vCenter version via the /sdk endpoint.
- Depending on the version and platform, it uploads a malicious tar archive containing a JSP webshell (Behinder/Ice Scorpion) to a writable directory on the vCenter server.
- The webshell is then accessible at a predictable URL (e.g., /ui/resources/shell.jsp for Linux, /statsreport/shell.jsp for Windows), protected by a default password ('rebeyond').
- The payloads are provided in the payload/ directory as pre-built tar files for both Linux and Windows targets, and as a raw shell.jsp file.
The repository includes a README with usage instructions, affected versions, and caveats (e.g., the exploit does not work on vCenter 6.7 U2+ due to architectural changes). The exploit is operational and provides remote code execution via a webshell if successful.
This repository contains a Python exploit for CVE-2021-21972, a critical remote code execution vulnerability in VMware vCenter Server and VMware Cloud Foundation. The exploit targets the /ui/vropspluginui/rest/services/uploadova endpoint, which is vulnerable to unauthenticated file upload. The main script, CVE-2021-21972.py, can operate in two modes: vulnerability checking and exploitation. In exploitation mode, it generates an SSH key pair, creates a tar archive containing the attacker's public key, and uploads it to the target, resulting in the key being placed in the vsphere-ui user's authorized_keys file. This grants the attacker SSH access as vsphere-ui. The script supports multi-threaded operation and can process multiple targets from a file. The README provides usage instructions and affected product/version details. The exploit is operational and provides a working payload for post-exploitation access.
This repository, 'VcenterKiller', is a comprehensive exploitation toolkit written in Go, targeting multiple critical vulnerabilities in VMware vCenter Server and Workspace ONE Access. It supports exploitation of CVE-2021-21972, CVE-2021-21985, CVE-2021-22005, CVE-2021-44228 (Log4Shell), CVE-2022-22954, CVE-2022-22972, and CVE-2022-31656. The tool provides modules for remote code execution, webshell upload, SSH key injection, authentication bypass, and Log4j JNDI injection (with built-in LDAP/RMI servers for payload delivery). The main entry point is 'main.go', which dispatches to specific modules under 'src/'. Each module implements the exploit logic for a specific CVE, with endpoints and payloads tailored to the vulnerability. The tool is operational and can be used for post-exploitation, red teaming, or authorized penetration testing of VMware environments. The codebase is modular, with clear separation of exploit logic per CVE, and includes support for proxies and various attack modes. The README provides detailed usage instructions and legal disclaimers.
This repository provides a proof-of-concept exploit for CVE-2021-21972, a critical unauthenticated file upload vulnerability in VMware vCenter Server Appliance (VCSA) via the vROps plugin endpoint. The main exploit script (CVE-2021-21972.py) allows an attacker to check if a target is vulnerable and, if so, to upload an arbitrary file (such as the included cmdjsp.jsp webshell) to a specified path on the target system. The exploit works against both Windows and Unix-based VCSA targets. On Windows, the uploaded webshell can execute commands as NT AUTHORITY\SYSTEM; on Unix, as the vsphere-ui user. The repository includes the Python exploit script, a JSP webshell payload, a README with usage instructions and context, and a license file. The attack vector is network-based, targeting the /ui/vropspluginui/rest/services/uploadova endpoint over HTTPS. The exploit is operational, providing a working file upload and webshell deployment mechanism, but requires the attacker to supply the payload and target path.
This repository contains an operational exploit for CVE-2021-21972, a remote code execution vulnerability in VMware vCenter Server's vSphere Client (HTML5). The exploit consists of a Bash script (vSphereyeeter.sh) that automates the attack, and a Python script (evilarc.py) used to create a malicious archive for directory traversal. The attack works by generating an SSH keypair, crafting a tar archive that places the attacker's public key into the vsphere-ui user's authorized_keys file, and uploading this archive to the vulnerable vropspluginui endpoint on the target vCenter server. If successful, the attacker gains SSH access as the vsphere-ui user. The exploit targets vCenter Server and Cloud Foundation versions prior to their respective patched releases. The repository is well-structured, with clear separation between the exploit logic (Bash) and the archive creation utility (Python).
This repository is an exploit for VMware vCenter Server (versions 6.5 to 7.0) targeting CVE-2021-21972, a remote code execution vulnerability. The main exploit script is 'vcenter_rce.py', a Python script that automates the exploitation process. It checks if the target is vulnerable by probing the '/ui/vropspluginui/rest/services/uploadova' endpoint, then uploads a platform-specific (Linux or Windows) tar archive containing a JSP webshell (Behinder/Ice Scorpion 3) to the server. The webshell is placed in a location accessible via '/ui/resources/shell.jsp', allowing the attacker to execute arbitrary commands remotely. The webshell uses a known AES key and password ('rebeyond'). The repository includes two payload archives ('exp/Linux.tar' and 'exp/Windows.tar') for the respective platforms. The exploit is operational and provides a working webshell if the target is vulnerable and accessible.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A known security vulnerability in VMware vCenter that was exploited to deliver a web shell, enabling follow-on compromise (e.g., web shell deployment and backdoor installation).
A VMware vCenter Server vulnerability addressed via VMSA-2021-0002, with a documented workaround that requires setting the VMware vROPS Client plugin to incompatible rather than merely disabling it in the UI.
A remote code execution vulnerability in VMware vCenter Server referenced as a way to obtain the vsphere-ui user prior to chaining with CVE-2021-3156 for root escalation.
Critical remote code execution vulnerability in VMware vCenter Server that allows remote command execution.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.