VMware ESXi OpenSLP Heap Overflow RCE

This repository provides a proof-of-concept (PoC) exploit for CVE-2021-21974, a remote code execution vulnerability in the OpenSLP service of VMware ESXi (7.x and earlier). The main exploit script, '2021-21974-POC.py', is a Python 3 program that connects to the target ESXi host on TCP port 427 (the default OpenSLP port) and sends crafted SLP packets to trigger the vulnerability. Upon successful exploitation, it executes a shell command on the target that creates a named pipe and attempts to establish a reverse shell connection back to the attacker's machine at 192.168.0.194:80 using netcat. The repository also includes a README.md with detailed usage instructions, requirements, and mitigation advice, and a requirements.txt listing Python dependencies. The exploit is intended for educational and research purposes only and is not weaponized; the payload IP address must be changed by the user to receive the reverse shell. The attack vector is network-based, requiring only network access to the vulnerable ESXi host.

This repository contains a proof-of-concept (PoC) exploit for CVE-2021-21974, a remote code execution vulnerability in VMware ESXi 6.7.0 (builds 14320388 and 16316930). The main file, '2021-21974-POC.py', is a Python script that targets the Service Location Protocol (SLP) service on port 427 of a vulnerable ESXi host. The exploit crafts and sends a series of SLP protocol messages to trigger the vulnerability, ultimately allowing the attacker to execute arbitrary shell commands on the target system. By default, the payload establishes a reverse shell from the ESXi host to the attacker's machine at 192.168.0.194:80 using a named pipe at /tmp/backpipe. The script is operational and requires the attacker to specify the target's IP address as a command-line argument. The repository also includes a brief README.md describing the exploit's purpose. No detection scripts or framework integration are present; the code is a standalone exploit PoC.