[Original Technical Article] Setting Up a Vulnerability Debugging Environment for VMware vCenter Server

admin 2021-10-14 News

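0x00 Preface

This article records the details of setting up a VMware vCenter Server vulnerability debugging environment from scratch.

0x01 Overview

This article covers the following:

◼ Downloading files from vCenter

◼ Enabling debug mode on the vCenter server

◼ Remote debugging from a local IDEA installation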

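0x02 Downloading files from vCenter

To download files from vCenter, this article uses an SSH connection.

1. Enable SSH

There are usually two ways to do this:

(1) Through the browser

Visit https://<url>:5480

Enable SSH on the Access page.

(2) Through the virtual machine console

Open the virtual machine login screen, press F2 to enter the configuration page, and enable SSH under Troubleshooting Mode Options.

2. Switch to the Bash shell

When you log in to vCenter over SSH, the default shell is the Appliance Shell, and you have to enter the shell command to get into the Bash shell.

As a result, commands such as scp cannot be used directly to upload and download files.

The default Appliance Shell therefore needs to be switched to the Bash shell, as follows:

(1) Log in to vCenter over SSH

(2) Enter the shell command to get into the Bash shell

(3) Enter the following command to set the default shell: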

chsh -s /bin/bash root

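If the command returns the following:

You are required to change your password immediately (password expired)
chsh: PAM: Authentication token is no longer valid; new one required

the root password has expired.

Use the passwd command to change the root password:

passwd root

Note:

The command to set the default shell back to the Appliance Shell is:

chsh -s /bin/appliancesh root

At this point, files can be uploaded and downloaded over the SSH connection.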

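0x03 Enabling debug mode on the vCenter server

First determine which process to debug. Different vulnerabilities correspond to different processes. For example,

CVE-2021-21985 corresponds to the process vsphere-ui.launcher, and CVE-2021-22005 corresponds to the process vmware-analytics.launcher.

Two ways of enabling debugging are described below.

(1) Debugging vsphere-ui.launcher

Edit the file /etc/vmware/vmware-vmon/svcCfgfiles/vsphere-ui.json

Uncomment the following lines: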

        //"-Xdebug",
        //"-Xnoagent",
        //"-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8002",

Restart the vsphere-ui service:

service-control --restart vsphere-ui

Open the firewall:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

To verify that the vsphere-ui startup parameters were changed, run:

ps -aux | grep vsphere-ui.launcher

The output is:

/usr/java/jre-vmware/bin/vsphere-ui.launcher -Xmx854m -XX:CompressedClassSpaceSize=256m -Xss320k -XX:ParallelGCThreads=1 -Djava.io.tmpdir=/usr/lib/vmware-vsphere-ui/server/work/tmp -Dorg.eclipse.virgo.kernel.home=/usr/lib/vmware-vsphere-ui/server -DPS_BASEDIR=/storage/vsphere-ui/ -Declipse.ignoreApp=true -Dcatalina.base=/usr/lib/vmware-vsphere-ui/server -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/vmware/vsphere-ui/ -XX:ErrorFile=/var/log/vmware/vsphere-ui/java_error%p.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintReferenceGC -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=1024K -XX:-OmitStackTraceInFastThrow -Xloggc:/var/log/vmware/vsphere-ui/vsphere-ui-gc.log -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8002 -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9876 -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dosgi.service.lookup.retry.count=1 -Djava.security.properties=/etc/vmware/java/vmware-override-java.security -Djava.ext.dirs=/usr/java/jre-vmware/lib/ext:/usr/java/packages/lib/ext:/opt/vmware/jre_ext/ -Dorg.osgi.framework.system.packages.extra=sun.misc -Dsun.zip.disableMemoryMapping=true -Dui.component.name=vsphere-ui -Dvlsi.client.vecs.certstore=false -DisFling=false -Dorg.apache.tomcat.websocket.DISABLE_BUILTIN_EXTENSIONS=true -Dlogback.configurationFile=/usr/lib/vmware-vsphere-ui/server/conf/serviceability.xml -Dlogs.dir=/var/log/vmware/vsphere-ui/logs/ -Dhttps.port=5443 -Dhttp.port=5090 -Dshutdown.port=-1 -classpath /usr/lib/vmware-vsphere-ui/server/bootstrap/server-launcher.jar:/usr/lib/vmware-vsphere-ui/server/bin/bootstrap.jar:/usr/lib/vmware-vsphere-ui/server/bin/tomcat-juli.jar com.vmware.vise.launcher.tomcat.TomcatLauncher start

This confirms that the vsphere-ui startup parameters were changed successfully.
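JDWP has no authentication, so it is worth scripting the ps check above and running it against every process on the lab appliance, both to confirm the debug port is up and to confirm it is gone afterwards. The following is an added example, not code from the original article: a POSIX sh helper that extracts the JDWP agent options from a JVM command line. The function names and the abbreviated sample command line are constructed for illustration, and it goes slightly beyond the article by also recognising the -agentlib:jdwp= spelling.

```shell
#!/bin/sh
# Constructed sample: the article's vsphere-ui ps output, abbreviated.
SAMPLE_UI='/usr/java/jre-vmware/bin/vsphere-ui.launcher -Xmx854m -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8002 -Dhttps.port=5443'

# jdwp_opts CMDLINE: print the JDWP agent sub-options, one key=value per line.
# Recognises -Xrunjdwp: (as in vsphere-ui.json) and -agentlib:jdwp=.
jdwp_opts() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n -e 's/^-Xrunjdwp://p' -e 's/^-agentlib:jdwp=//p' |
        head -n 1 | tr ',' '\n'
}

# jdwp_get CMDLINE KEY: print the value of one sub-option (empty if absent).
jdwp_get() {
    jdwp_opts "$1" | sed -n "s/^$2=//p" | head -n 1
}

# jdwp_status CMDLINE: summarise the debug state of one process.
#   off              no JDWP agent on the command line
#   listen:<addr>    server=y, the JVM waits for a debugger on <addr>
#   connect:<addr>   server=n, the JVM dials out to a debugger at <addr>
jdwp_status() {
    [ -n "$(jdwp_opts "$1")" ] || { echo off; return 0; }
    addr=$(jdwp_get "$1" address)
    if [ "$(jdwp_get "$1" server)" = "y" ]; then
        echo "listen:${addr:-ephemeral}"
    else
        echo "connect:${addr}"
    fi
}

# jdwp_scan: read "PID ARGS..." lines on stdin and print "PID STATUS" for
# every process that has a JDWP agent enabled.
# On the appliance:  ps -eo pid=,args= | jdwp_scan
jdwp_scan() {
    while read -r pid args; do
        st=$(jdwp_status "$args")
        [ "$st" = off ] || echo "$pid $st"
    done
}
```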

(2) Debugging vmware-analytics.launcher

To locate vmware-analytics.launcher, run:

ps -aux | grep vmware-analytics.launcher

This gives the default startup parameters:

root      2434 12.9  2.5 2730380 420720 ?      Sl   07:41   1:07 /usr/java/jre-vmware/bin/vmware-analytics.launcher -Xmx139m -XX:CompressedClassSpaceSize=64m -Xss256k -XX:ParallelGCThreads=1 -Dorg.apache.catalina.startup.EXIT_ON_INIT_FAILURE=TRUE -Danalytics.logDir=/var/log/vmware/analytics -Danalytics.dataDir=/storage/analytics -Danalytics.deploymentNodeTypeFile=/etc/vmware/deployment.node.type -Danalytics.buildInfoFile=/etc/vmware/.buildInfo -Danalytics.agentsDir=/etc/vmware-analytics/agents -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/vmware/analytics -XX:ErrorFile=/var/log/vmware/analytics/java_error%p.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintReferenceGC -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=1024K -Xloggc:/var/log/vmware/analytics/vmware-analytics-gc.log -Djava.security.properties=/etc/vmware/java/vmware-override-java.security -Djava.ext.dirs=/usr/java/jre-vmware/lib/ext:/usr/java/packages/lib/ext:/opt/vmware/jre_ext/ -classpath /etc/vmware-analytics:/usr/lib/vmware-analytics/lib/*:/usr/lib/vmware-analytics/lib:/usr/lib/vmware/common-jars/tomcat-embed-core-8.5.37.jar:/usr/lib/vmware/common-jars/tomcat-annotations-api-8.5.37.jar:/usr/lib/vmware/common-jars/antlr-2.7.7.jar:/usr/lib/vmware/common-jars/antlr-runtime.jar:/usr/lib/vmware/common-jars/aspectjrt.jar:/usr/lib/vmware/common-jars/bcprov-jdk16-145.jar:/usr/lib/vmware/common-jars/commons-codec-1.6.jar:/usr/lib/vmware/common-jars/commons-collections-3.2.2.jar:/usr/lib/vmware/common-jars/commons-collections4-4.1.jar:/usr/lib/vmware/common-jars/commons-compress-1.8.jar:/usr/lib/vmware/common-jars/commons-io-2.1.jar:/usr/lib/vmware/common-jars/commons-lang-2.6.jar:/usr/lib/vmware/common-jars/commons-lang3-3.4.jar:/usr/lib/vmware/common-jars/commons-logging-1.1.3.jar:/usr/lib/vmware/common-jars/commons-pool-1.6.jar:/usr/lib/vmware/common-jars/custom-rolling-file-appender-1.0.jar:/usr/lib/vmware/common-jars/featureStateSwitch-1.0.0.jar:/usr/lib/vmware/common-jars/guava-18.0.jar:/usr/lib/vmware/common-jars/httpasyncclient-4.1.3.jar:/usr/lib/vmware/common-jars/httpclient-4.5.3.jar:/usr/lib/vmware/common-jars/httpcore-4.4.6.jar:/usr/lib/vmware/common-jars/httpcore-nio-4.4.6.jar:/usr/lib/vmware/common-jars/httpmime-4.5.3.jar:/usr/lib/vmware/common-jars/jackson-annotations-2.9.5.jar:/usr/lib/vmware/common-jars/jackson-core-2.9.5.jar:/usr/lib/vmware/common-jars/jackson-databind-2.9.5.jar:/usr/lib/vmware/common-jars/jna.jar:/usr/lib/vmware/common-jars/log4j-1.2.16.jar:/usr/lib/vmware/common-jars/log4j-core-2.8.2.jar:/usr/lib/vmware/common-jars/log4j-api-2.8.2.jar:/usr/lib/vmware/common-jars/platform.jar:/usr/lib/vmware/common-jars/slf4j-api-1.7.2.jar:/usr/lib/vmware/common-jars/slf4j-log4j12-1.7.2.jar:/usr/lib/vmware/common-jars/spring-aop-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-beans-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-context-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-core-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-expression-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-web-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-webmvc-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/velocity-1.7.jar com.vmware.ph.phservice.service.Main ph-properties-loader.xml ph-featurestate.xml phservice.xml ph-web.xml

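Modify the startup parameters by adding the debug options:

-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8003

Append & at the end to run the process in the background.

Before starting it again, first stop the vmware-analytics service:

service-control --stop vmware-analytics

Start vmware-analytics.launcher with the new parameters: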

/usr/java/jre-vmware/bin/vmware-analytics.launcher -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8003 -Xmx139m -XX:CompressedClassSpaceSize=64m -Xss256k -XX:ParallelGCThreads=1 -Dorg.apache.catalina.startup.EXIT_ON_INIT_FAILURE=TRUE -Danalytics.logDir=/var/log/vmware/analytics -Danalytics.dataDir=/storage/analytics -Danalytics.deploymentNodeTypeFile=/etc/vmware/deployment.node.type -Danalytics.buildInfoFile=/etc/vmware/.buildInfo -Danalytics.agentsDir=/etc/vmware-analytics/agents -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/vmware/analytics -XX:ErrorFile=/var/log/vmware/analytics/java_error%p.log -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintReferenceGC -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=1024K -Xloggc:/var/log/vmware/analytics/vmware-analytics-gc.log -Djava.security.properties=/etc/vmware/java/vmware-override-java.security -Djava.ext.dirs=/usr/java/jre-vmware/lib/ext:/usr/java/packages/lib/ext:/opt/vmware/jre_ext/ -classpath /etc/vmware-analytics:/usr/lib/vmware-analytics/lib/*:/usr/lib/vmware-analytics/lib:/usr/lib/vmware/common-jars/tomcat-embed-core-8.5.37.jar:/usr/lib/vmware/common-jars/tomcat-annotations-api-8.5.37.jar:/usr/lib/vmware/common-jars/antlr-2.7.7.jar:/usr/lib/vmware/common-jars/antlr-runtime.jar:/usr/lib/vmware/common-jars/aspectjrt.jar:/usr/lib/vmware/common-jars/bcprov-jdk16-145.jar:/usr/lib/vmware/common-jars/commons-codec-1.6.jar:/usr/lib/vmware/common-jars/commons-collections-3.2.2.jar:/usr/lib/vmware/common-jars/commons-collections4-4.1.jar:/usr/lib/vmware/common-jars/commons-compress-1.8.jar:/usr/lib/vmware/common-jars/commons-io-2.1.jar:/usr/lib/vmware/common-jars/commons-lang-2.6.jar:/usr/lib/vmware/common-jars/commons-lang3-3.4.jar:/usr/lib/vmware/common-jars/commons-logging-1.1.3.jar:/usr/lib/vmware/common-jars/commons-pool-1.6.jar:/usr/lib/vmware/common-jars/custom-rolling-file-appender-1.0.jar:/usr/lib/vmware/common-jars/featureStateSwitch-1.0.0.jar:/usr/lib/vmware/common-jars/guava-18.0.jar:/usr/lib/vmware/common-jars/httpasyncclient-4.1.3.jar:/usr/lib/vmware/common-jars/httpclient-4.5.3.jar:/usr/lib/vmware/common-jars/httpcore-4.4.6.jar:/usr/lib/vmware/common-jars/httpcore-nio-4.4.6.jar:/usr/lib/vmware/common-jars/httpmime-4.5.3.jar:/usr/lib/vmware/common-jars/jackson-annotations-2.9.5.jar:/usr/lib/vmware/common-jars/jackson-core-2.9.5.jar:/usr/lib/vmware/common-jars/jackson-databind-2.9.5.jar:/usr/lib/vmware/common-jars/jna.jar:/usr/lib/vmware/common-jars/log4j-1.2.16.jar:/usr/lib/vmware/common-jars/log4j-core-2.8.2.jar:/usr/lib/vmware/common-jars/log4j-api-2.8.2.jar:/usr/lib/vmware/common-jars/platform.jar:/usr/lib/vmware/common-jars/slf4j-api-1.7.2.jar:/usr/lib/vmware/common-jars/slf4j-log4j12-1.7.2.jar:/usr/lib/vmware/common-jars/spring-aop-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-beans-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-context-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-core-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-expression-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-web-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/spring-webmvc-4.3.20.RELEASE.jar:/usr/lib/vmware/common-jars/velocity-1.7.jar com.vmware.ph.phservice.service.Main ph-properties-loader.xml ph-featurestate.xml phservice.xml ph-web.xml &

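Note:

To start a fresh debugging session, do the following:

Stop the vmware-analytics service:

service-control --stop vmware-analytics

Kill the process:

kill -KILL <pid>

Then start vmware-analytics.launcher with the new parameters. To start it with the normal parameters instead, simply start the vmware-analytics service again:

service-control --start vmware-analytics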

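0x04 Remote debugging from a local IDEA installation

1. Download the jar files

When debugging remotely from IDEA, the local and remote code must be identical. In other words, we need the jar files loaded by the process being debugged on the vCenter server.

The jar files related to the vCenter server are located under the following two paths:

◼ /etc

◼ /usr/lib

The following commands copy all jar files related to the vCenter server into one directory so that they can be downloaded together: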

mkdir -p /tmp/jar
find /etc/ -name "*.jar" | xargs -I {} cp {} /tmp/jar
find /usr/lib/ -name "*.jar" | xargs -I {} cp {} /tmp/jar

Note:

To search the contents of all the jar files, the following commands extract all jar files related to the vCenter server into one directory:

find /etc -name "*.jar" | xargs -n 1 unzip -d /tmp/data/
find /usr/lib/ -name "*.jar" | xargs -n 1 unzip -d /tmp/data/

After downloading all the jar files related to the vCenter server, save them in the folder c:\testjar\
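Copying every jar into one flat directory silently overwrites jars that share a file name in different source directories, which breaks the requirement that local and remote code match. The following is an added example, not code from the original article: a collision-safe variant of the copy step that prefixes each file with part of its SHA-256 and writes a manifest, plus a check to run after the download. The function names and MANIFEST.tsv are hypothetical, and sha256sum is assumed to be available on both machines.

```shell
#!/bin/sh
# collect_jars DEST SRC...: copy every *.jar under the SRC trees into DEST.
# Each copy is named <first 12 hex digits of sha256>_<basename>, so different
# jars that share a file name are both kept and identical jars collapse to one.
# DEST/MANIFEST.tsv records "sha256<TAB>original path" for every jar found.
collect_jars() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST.tsv"
    find "$@" -type f -name '*.jar' | sort | while IFS= read -r jar; do
        sum=$(sha256sum "$jar" | cut -d' ' -f1)
        printf '%s\t%s\n' "$sum" "$jar" >> "$dest/MANIFEST.tsv"
        short=$(printf '%s' "$sum" | cut -c1-12)
        cp -p "$jar" "$dest/${short}_$(basename "$jar")"
    done
}

# verify_jars DIR: after downloading DIR, recompute each hash and compare it
# with the prefix in the file name. Prints mismatching files and returns 1
# if any file was truncated or altered in transit.
verify_jars() {
    bad=0
    for f in "$1"/*.jar; do
        [ -e "$f" ] || continue
        want=$(basename "$f" | cut -d_ -f1)
        have=$(sha256sum "$f" | cut -c1-12)
        [ "$want" = "$have" ] || { echo "MISMATCH $f"; bad=1; }
    done
    return $bad
}

# On the appliance:      collect_jars /tmp/jar /etc /usr/lib
# After the download:    verify_jars <local copy of /tmp/jar>
```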

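2. Import the jar files in bulk

Create a new Java project, choose File->Project Structure..., then under Libraries choose New Project Library->Java and set it to c:\testjar\.

3. Add breakpoints

Open a .class file under External Libraries->testjar and add a breakpoint at a suitable location.

4. Set the remote debugging parameters

In the top menu bar choose Add Configuration..., select Remote JVM Debug in the dialog that opens, and fill in the remote debugging parameters. The following parameters need to be changed:

◼ Host

◼ Port

For the JDK version, select JDK 5-8.

5. Start Debug mode

Go back to the IDEA main window, select the configuration you just created, and click the Debug icon (shortcut Shift+F9).

If the remote debugger attaches successfully, the breakpoint icon changes and gains a check mark.

The Console tab then shows: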

Connected to the target VM, address: '<host>:<port>', transport: 'socket'

0x05 Summary

With the VMware vCenter Server vulnerability debugging environment in place, we can now start studying the vulnerabilities.
