straightblast / My-PoC-Exploits

PoC exploits I wrote. They're as is and I will not offer support

Problem #4

Closed taladrovs1 closed 3 years ago

taladrovs1 commented 3 years ago

Hi Straightblast, great work! I made a lab to test this exploit.

I have an ESXi 6.7 (just downloaded from the official website):

[root@localhost:~] vmware -vl
VMware ESXi 6.7.0 build-14320388
VMware ESXi 6.7.0 Update 3
[root@localhost:~]

Validate slpd is running:

[root@localhost:~] /etc/init.d/slpd status
slpd is running
[root@localhost:~]

All the settings on ESXi are by default (only enabled SSH).

I test your script but I got this:

┌──(root💀kali)-[/]
└─# python3 Ransomware.py 192.168.0.104 1



                   PoC Exploit                          

  vuln discovered by: Lucas Leong (@_wmliang_)          
       poc by: Johnny Yu (@straight_blast)              

       currently support the following:                 
     [1] VMware ESXi 6.7.0 build-14320388               
     [2] VMware ESXi 6.7.0 build-16316930               

[SLP Client-1] connect
[SLP Client-1] directory agent advertisement
[SLP Client-2] connect
[SLP Client-3] connect
[SLP Client-4] connect
[SLP Client-5] connect
[SLP Client-2] service request
[SLP Client-3] service request
[SLP Client-4] service request
[SLP Client-5] service request
[SLP Client-6] connect
[SLP Client-6] service request
[SLP Client-7] connect
[SLP Client-8] connect
[SLP Client-9] connect
[SLP Client-9] directory agent advertisement
[SLP Client-8] service request
[SLP Client-1] recv: b''
[SLP Client-3] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-2] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-6] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-6] close
[SLP Client-8] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-4] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-5] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-9] recv: b''
[SLP Client-7] service registration
[SLP Client-7] recv: b''
[SLP Client-8] service request
[SLP Client-8] recv: b''
[SLP Client-10] connect
Exception in thread Thread-10:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "Ransomware.py", line 56, in run
    s.connect((IP, PORT))
ConnectionRefusedError: [Errno 111] Connection refused
[SLP Client-11] connect
Exception in thread Thread-11:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "Ransomware.py", line 56, in run
    s.connect((IP, PORT))
ConnectionRefusedError: [Errno 111] Connection refused
[SLP Client-12] connect
Exception in thread Thread-12:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "Ransomware.py", line 56, in run
    s.connect((IP, PORT))
ConnectionRefusedError: [Errno 111] Connection refused
[SLP Client-13] connect
Exception in thread Thread-13:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "Ransomware.py", line 56, in run
    s.connect((IP, PORT))
ConnectionRefusedError: [Errno 111] Connection refused
[SLP Client-14] connect
Exception in thread Thread-14:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "Ransomware.py", line 56, in run
    s.connect((IP, PORT))
ConnectionRefusedError: [Errno 111] Connection refused
[SLP Client-15] connect
Exception in thread Thread-15:
Traceback (most recent call last):

After that the SLPd crashed:

[root@localhost:~] /etc/init.d/slpd status
slpd is not running
[root@localhost:~]

So I have to restart the SLP daemon to test the exploit again, but I got the same error.

Where can I get some logs to find the error? I'm new to doing this kind of test and maybe there is a dummy error I've made. Thanks for your time.
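The `recv:` lines in the log above are raw SLPv2 messages from slpd. As an added example (not part of the issue or of the PoC), the decoder below parses them per RFC 2608: the 14-byte header plus language tag, and for a SrvRply (function ID 2) the error code and URL entry count; an empty read means the daemon closed the connection without answering. The sample bytes are copied from the log; the error code in the captured reply is not one RFC 2608 defines, so it is reported numerically.

```python
import struct
from typing import Optional

# Constructed from the "[SLP Client-N] recv:" lines quoted in the issue above.
CAPTURED_REPLY = b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
EMPTY_REPLY = b''  # what Client-1/7/8/9 got: peer closed the TCP connection without a reply

# RFC 2608 section 4.1 function IDs and section 7 error codes.
FUNCTION_IDS = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck",
                6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
                10: "SrvTypeRply", 11: "SAAdvert"}
ERROR_CODES = {0: "OK", 1: "LANGUAGE_NOT_SUPPORTED", 2: "PARSE_ERROR",
               3: "INVALID_REGISTRATION", 4: "SCOPE_NOT_SUPPORTED",
               5: "AUTHENTICATION_UNKNOWN", 6: "AUTHENTICATION_ABSENT",
               7: "AUTHENTICATION_FAILED", 9: "VER_NOT_SUPPORTED",
               10: "INTERNAL_ERROR", 11: "DA_BUSY_NOW", 12: "OPTION_NOT_UNDERSTOOD",
               13: "INVALID_UPDATE", 14: "MSG_NOT_SUPPORTED", 15: "REFRESH_REJECTED"}


def parse_slp(pkt: bytes) -> Optional[dict]:
    """Decode an SLPv2 header (RFC 2608 s.8) and, for SrvRply, its error code and URL count.
    Returns None for an empty read (the peer closed the connection without replying)."""
    if not pkt:
        return None
    if len(pkt) < 14:
        raise ValueError("truncated SLP header")
    version, func = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:5], "big")       # 3-byte total message length
    flags = struct.unpack(">H", pkt[5:7])[0]
    next_ext = int.from_bytes(pkt[7:10], "big")    # 3-byte next-extension offset
    xid, lang_len = struct.unpack(">HH", pkt[10:14])
    body_off = 14 + lang_len
    if version != 2 or length != len(pkt) or body_off > len(pkt):
        raise ValueError("header length fields disagree with bytes received")
    msg = {"version": version, "function": FUNCTION_IDS.get(func, f"unknown({func})"),
           "length": length, "flags": flags, "next_ext": next_ext, "xid": xid,
           "lang": pkt[14:body_off].decode("ascii")}
    if func == 2:  # SrvRply body: 2-byte error code, 2-byte URL entry count, then entries
        if len(pkt) < body_off + 4:
            raise ValueError("truncated SrvRply body")
        err, url_count = struct.unpack(">HH", pkt[body_off:body_off + 4])
        msg["error"] = ERROR_CODES.get(err, f"unknown({err})")
        msg["url_count"] = url_count
    return msg


if __name__ == "__main__":
    print(parse_slp(CAPTURED_REPLY))
    print(parse_slp(EMPTY_REPLY))
```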

straightblast commented 3 years ago

Hi,

It looks like the threading is running out of sync. I am not sure why, but this could be because the time your slpd responds back to the client is a bit late. Try increasing the sleeping time to see if you get better results.

On Thu, Aug 12, 2021 at 9:49 AM taladrovs1 wrote:

taladrovs1 commented 3 years ago

Hi Straightblast, I put 2 seconds on T as @tijldeneut said and it worked fine. I was able to get it to work 5 out of 10 tries. Again, thanks for the post and the exploit.