Unauthenticated arbitrary file upload leading to RCE in VMware vCenter Server Analytics service

This repository is a multi-module Python offensive framework centered on exploiting HiSilicon DVR/NVR/IP camera devices via CVE-2020-25078, then managing compromised hosts through a Flask/SocketIO web panel. It is not a simple single-file PoC: it includes a control server (server.py), persistence and post-exploitation tooling, credential attacks, recon modules, web vulnerability scanners, network service checks, pivoting, reverse shell support, and a SQLite-backed datastore. Core exploit logic is in exploit.py and scanner.py. exploit.py probes numerous traversal/disclosure paths such as /../../.../mnt/mtd/Config/Account1 and related config/system files, parses returned content with multiple regex patterns to recover credentials, fingerprints device families, and falls back to known default credentials when disclosure succeeds but parsing does not. scanner.py operationalizes this by scanning IPs/CIDRs and common ports, checking liveness, fingerprinting likely cameras, invoking the CVE-2020-25078 checks, and storing recovered credentials in cameras.db. Post-exploitation capability is substantial. telnet_client.py provides raw Telnet login and command execution. botnet.py fans out commands across stored hosts. persistence.py installs SSH authorized_keys, cron, rc.local, init.d, systemd, inittab telnetd, and bind-shell style persistence. reverse_shell.py generates many Linux/IoT reverse shell one-liners and runs listeners. pivot_chain.py and socks_pivot.py support chained execution and local SOCKS5 pivoting through compromised hosts. Additional modules broaden scope beyond the HiSilicon exploit: brute.py and cred_spray.py perform credential attacks across Telnet, SSH, FTP, HTTP, SMB, databases, VNC, LDAP, WinRM, and more; network_exploit.py checks for exposed/misconfigured services and some well-known vulnerabilities such as MS17-010 and BlueKeep; web_exploit.py, web_cves.py, web_bugs.py, and web_brute.py scan websites for exposed files, CMS fingerprints, generic bug classes, and multiple CVE signatures. Recon/intel support includes ASN, DNS, GeoIP, JARM, WAF detection, proxy/Tor rotation, screenshot grabbing from camera snapshot endpoints, and Telegram/Discord/AbuseIPDB integrations. The repository structure is coherent and functional, with many CLI-capable modules and a central web UI in templates/index.html. Overall, this is an operational exploit-and-post-exploitation toolkit focused on HiSilicon IoT devices but expanded into a broader C2-style offensive platform.

This repository contains a working exploit for CVE-2021-22005, a critical unauthenticated remote code execution vulnerability in VMware vCenter Server's analytics service. The main exploit script (exp.py) is written in Python and automates the process of uploading a JSP webshell (cmd.jsp or a user-supplied file) to a vulnerable vCenter Server instance. The exploit works by abusing the analytics API endpoints to create a malicious agent and upload a crafted manifest that writes the webshell to the server's web root directory. Once the webshell is uploaded, the attacker can access it via a constructed URL and execute arbitrary system commands on the target server. The repository also includes a simple JSP webshell (cmd.jsp) and a minimal hello.jsp for testing. The exploit is confirmed to work against specific Linux versions of vCenter Server as detailed in the readme. The attack vector is network-based, requiring only HTTPS access to the target. The endpoints targeted are specific analytics and idm API paths on the vCenter server, and the payload is a JSP webshell enabling remote command execution.

This repository contains a Python exploit for CVE-2021-22005, a critical arbitrary file upload vulnerability in VMware vCenter Server. The exploit script (cve-2021-22005.py) allows an attacker to upload a JSP webshell to a vulnerable vCenter instance by abusing the analytics API endpoints. The script generates random agent and log parameter names, crafts a malicious manifest, and uploads it to the server, resulting in a webshell being written to the vCenter web root directory. The default payload is a Behinder-compatible JSP webshell with password 'Tas9er', but users can supply a custom JSP shell. The README provides usage instructions and legal disclaimers. The exploit is operational and provides remote code execution on unpatched vCenter servers. The main attack vector is network-based, targeting the vCenter analytics API, and the main fingerprintable endpoints are the API paths and the webshell file location.

This repository, 'VcenterKiller', is a comprehensive exploitation toolkit written in Go, targeting multiple critical vulnerabilities in VMware vCenter Server and Workspace ONE Access. It supports exploitation of CVE-2021-21972, CVE-2021-21985, CVE-2021-22005, CVE-2021-44228 (Log4Shell), CVE-2022-22954, CVE-2022-22972, and CVE-2022-31656. The tool provides modules for remote code execution, webshell upload, SSH key injection, authentication bypass, and Log4j JNDI injection (with built-in LDAP/RMI servers for payload delivery). The main entry point is 'main.go', which dispatches to specific modules under 'src/'. Each module implements the exploit logic for a specific CVE, with endpoints and payloads tailored to the vulnerability. The tool is operational and can be used for post-exploitation, red teaming, or authorized penetration testing of VMware environments. The codebase is modular, with clear separation of exploit logic per CVE, and includes support for proxies and various attack modes. The README provides detailed usage instructions and legal disclaimers.

This repository provides two Metasploit-compatible Python modules targeting CVE-2021-22005, a critical arbitrary file upload vulnerability in VMware vCenter Server's Analytics service. The first script (POC) uploads a harmless JSP file to verify the vulnerability, while the second script (EXP) uploads a functional JSP webshell, enabling remote command execution on the target server. Both scripts are designed to be used as custom modules within the Metasploit framework and require the 'requests' Python library. The exploit works by abusing the Analytics service endpoints to upload files to the server's web root, then accessing the uploaded JSP via a crafted URL. The repository is structured with a README providing usage instructions, and two Python scripts implementing the POC and full exploit. The main attack vector is network-based, requiring access to the vCenter server's HTTPS interface. The exploit targets VMware vCenter Server (Linux platform) affected by CVE-2021-22005.

This repository contains a single Python script (CVE-2021-22005.py) that exploits the VMware vCenter Server CVE-2021-22005 vulnerability. The exploit works by abusing a file upload vulnerability in the vCenter analytics service, allowing an attacker to upload a JSP webshell to the server. The script generates random names for the webshell and required parameters, crafts a malicious manifest, and uploads it via the vulnerable endpoint. Once the webshell is in place, the script provides an interactive shell for the attacker to execute arbitrary commands on the compromised server via HTTP requests to the webshell endpoint. The script is operational and provides a working exploit chain, including payload delivery and post-exploitation command execution. The main attack vector is network-based, targeting the vCenter analytics service. Key endpoints include the analytics agent creation and collection endpoints, the file path where the webshell is written, and the HTTP endpoint used to interact with the webshell.