POC details: d31271d6d56e47085fc41753e6e8052158542be1

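Source
Related vulnerability
Title: VMware ESXi and VMware Horizon DaaS OpenSLP buffer error vulnerability (CVE-2019-5544)
Description: VMware ESXi and VMware Horizon DaaS are both products of the US company VMware. VMware ESXi is a server virtualization platform that installs directly on physical servers. VMware Horizon DaaS is a virtual desktop platform built to deliver desktops and applications as a cloud service. The platform provides features such as multiple desktop models and multi-data-center management. OpenSLP is an open-source implementation of the IETF Service Location Protocol used in these products. OpenSLP in VMware ESXi and VMware Horizon DaaS contains a security vulnerability. An attacker can exploit this vulnerability to execute code. The following products and
Description
Python / scapy module that implements the SRVLOC/SLP protocol and scans for enabled OpenSLP services.
Introduction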
# Scanner for SLP services (CVE-2019-5544 CVE-2020-3992)
Python script that implements the SRVLOC/SLP protocol to scan for enabled OpenSLP services.

You may find it handy while searching for systems impacted by CVE-2019-5544, CVE-2020-3992 or CVE-2021-21974 ...

More information on the VMware vulnerability can be found, for instance, here: https://blog.rapid7.com/2020/11/11/vmware-esxi-openslp-remote-code-execution-vulnerability-cve-2020-3992-and-cve-2019-5544-what-you-need-to-know/

The script does not detect whether the service is vulnerable, but it reports the remote VMware version and build.

## Requirements

You will need python3 and the scapy library installed, e.g. `pip3 install scapy`

## Usage

```
./check_slp.py <file_with_targets>
```

where the argument is a file containing IP addresses or networks in CIDR notation.

## Output
```
2020-12-01 15:03:15,654 - INFO - [ip_removed] Sending packet via Unicast UDP
2020-12-01 15:03:15,778 - INFO - [ip_removed] SLP Service detected
2020-12-01 15:03:16,032 - INFO - [ip_removed] ATTR    service:VMwareInfrastructure://[fqdn_removed]      (product="VMware ESXi 6.5.0 build-17097218"),(hardwareUuid="30313436-3631-584D-5133-343230505032")
2020-12-01 15:03:16,292 - INFO - [ip_removed] ATTR    service:wbem:https://[fqdn_removed]:5989   (MultipleOperationsSupported=false),(AuthenticationMechanismsSupported=Basic),(Namespace=root/interop,interop,root/hpq,root/cimv2,root/config,vmware/esxv2),(Namespace=root/cimv2,root/interop,root/config,vmware/esxv2),(Classinfo=0,0,0,0),(ProtocolVersion=1.0),(RegisteredProfilesSupported=DMTF:Sensors,DMTF:Base Server,DMTF:Power State Management,DMTF:CPU,DMTF:Software Inventory,DMTF:Record Log,DMTF:System Memory,DMTF:Physical Asset,DMTF:Fan,DMTF:Power Supply,DMTF:Profile Registration,DMTF:Battery,)

```
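Because the script reports the product version and build but does not judge vulnerability, its log can be turned into a per-host inventory and compared against the fixed builds in the vendor advisory. The following Python is an added example, not part of `check_slp.py` or this repository; it assumes the log format shown above, and the sample hosts, FQDNs and the `hosts_below_build` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown under "Output" (hosts are placeholders).
SAMPLE_LOG = """\
2020-12-01 15:03:15,778 - INFO - [192.0.2.10] SLP Service detected
2020-12-01 15:03:16,032 - INFO - [192.0.2.10] ATTR    service:VMwareInfrastructure://esx1.example.test      (product="VMware ESXi 6.5.0 build-17097218"),(hardwareUuid="00000000-0000-0000-0000-000000000001")
2020-12-01 15:03:16,292 - INFO - [192.0.2.10] ATTR    service:wbem:https://esx1.example.test:5989   (ProtocolVersion=1.0),(Namespace=root/interop,interop)
2020-12-01 15:03:17,101 - INFO - [192.0.2.11] Sending packet via Unicast UDP
"""

LINE_RE = re.compile(r"^\S+ \S+ - \w+ - \[(?P<host>[^\]]+)\] (?P<msg>.*)$")
ATTR_RE = re.compile(r"^ATTR\s+(?P<url>service:\S+)\s+(?P<attrs>\(.*\))\s*$")
PAIR_RE = re.compile(r"\(([^=()]+)=([^()]*)\)")  # values may contain commas
PRODUCT_RE = re.compile(r"^(?P<name>.+?) (?P<version>\d+(?:\.\d+)+) build-(?P<build>\d+)$")


def parse_log(text):
    """Return {host: {"services": {url: attrs}, "product": (name, version, build)}}
    for every host that answered; hosts that were only probed are omitted."""
    hosts = defaultdict(lambda: {"services": {}, "product": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        if msg == "SLP Service detected":
            hosts[host]  # record the host even if no ATTR line follows
            continue
        a = ATTR_RE.match(msg)
        if not a:
            continue
        # A repeated key (e.g. Namespace) keeps the last value seen.
        attrs = {k: v.strip('"') for k, v in PAIR_RE.findall(a["attrs"])}
        hosts[host]["services"][a["url"]] = attrs
        p = PRODUCT_RE.match(attrs.get("product", ""))
        if p:
            hosts[host]["product"] = (p["name"], p["version"], int(p["build"]))
    return dict(hosts)


def hosts_below_build(inventory, version, fixed_build):
    """Hosts on `version` whose build is lower than `fixed_build`.
    `fixed_build` must be taken from the vendor advisory; none is hard-coded."""
    return sorted(h for h, r in inventory.items()
                  if r["product"] and r["product"][1] == version
                  and r["product"][2] < fixed_build)
```

A host that exposes SLP but returns no `product` attribute has `product` set to `None` and still needs manual review.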
File snapshot

```
[4.0K] /data/pocs/d31271d6d56e47085fc41753e6e8052158542be1
├── [ 19K] check_slp.py
├── [1.0K] LICENSE
└── [1.7K] README.md

0 directories, 3 files
```