{"id":41190,"date":"2021-06-03T15:57:55","date_gmt":"2021-06-03T15:57:55","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/32346\/Check-Out-This-Great-RCE-PoC-Walkthrough-For-The-VMware-ESXi-OpenSLP-Heap-Overflow-Vulnerability.html"},"modified":"2021-06-03T15:57:55","modified_gmt":"2021-06-03T15:57:55","slug":"check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/","title":{"rendered":"Check Out This Great RCE PoC Walkthrough For The VMware ESXi OpenSLP Heap Overflow Vulnerability"},"content":{"rendered":"
\n
\n
\n
\n
\"Johnny<\/a><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

During a recent engagement, I discovered a machine that is running VMware ESXi 6.7.0. Upon inspecting<\/span><\/span> any known vulnerabilities associated with this version of the software, I identified it may be vulnerable to ESXi OpenSLP heap-overflow (CVE-2021\u201321974). Through googling, I found a blog post<\/a> by Lucas Leong (@_wmliang_<\/a>) of Trend Micro\u2019s Zero Day Initiative, who is the security researcher that found this bug. Lucas wrote a brief overview on how to exploit the vulnerability but share no reference to a PoC. Since I couldn\u2019t find any existing PoC on the internet, I thought it would be neat to develop an exploit based on Lucas\u2019 approach. Before proceeding, I highly encourage fellow readers to review Lucas\u2019 blog to get an overview of the bug and exploitation strategy from the founder\u2019s perspective.<\/p>\n

To setup a test environment, I need a vulnerable copy of VMware ESXi for testing and debugging. VMware offers trial version<\/a> of ESXi for download. Setup is straight forward by deploying the image through VMware Fusion or similar tool. Once installation is completed, I used the web interface to enable SSH. To debug the \u2018slpd\u2019 binary on the server, I used gdbserver that comes with the image. To talk to the gdbserver, I used SSH local port forwarding:<\/p>\n

ssh -L 1337:localhost:1337 root@<esxi-ip-address> 22<\/span><\/pre>\n
On the ESXi server, I attached gdbserver to \u2018slpd\u2019 as follow:<\/p>\n
\/etc\/init.d\/slpd restart ; sleep 1 ; gdbserver \u2014 attach localhost:1337 `ps | grep slpd | awk \u2018{print $1}\u2019`<\/span><\/pre>\n
Lastly, on my local gdb client, I connected to the gdbserver with the following command:<\/p>\n
target remote localhost:1337<\/span><\/pre>\n
The Service Location Protocol is a service discovery protocol that allows connecting devices to identify services that are available within the local area network by querying a directory server. This is similar to a person walking into a shopping center and looking at the directory listing to see what stores is in the mall. To keep this brief, a device can query about a service and its location by making a \u2018service request<\/strong>\u2019 and specifying the type of service it wants to look up with an URL.<\/p>\n
For example, to look up the VMInfrastructure service from the directory server, the device will make a request with \u2018service:VMwareInfrastructure\u2019 as the URL. The server will respond back with something like \u2018service:VMwareInfrastructure:\/\/localhost.localdomain\u2019.<\/p>\n
A device can also collect additional attributes and meta-data about a service by making an \u2018attribute request<\/strong>\u2019 supplying the same URL. Devices that want to be added to the directory can submit a \u2018service registration<\/strong>\u2019. This request will include information such as the IP of the device that is making the announcement, the type of service, and any meta-data that it wants to share. There are more functions the SLP can do, but the last message type I am interested in is the \u2018directory agent advertisement<\/strong>\u2019 because this is where the vulnerability is at. The \u2018directory agent advertisement\u2019 is a broadcast message sent by the server to let devices on the network know who to reach out if they wanted to query about a service and its location. To learn more about SLP, please see this<\/a> and that<\/a>.<\/p>\n
While the layout of the SLP structure will be slightly different between different SLP message types, they generally follow a header + body format.<\/p>\n
A \u2018service request\u2019 packet looks like this:<\/p>\n
<\/figure>\n
An \u2018attribute request\u2019 packet looks like this:<\/p>\n
<\/figure>\n
A \u2018service registration\u2019 packet looks like this:<\/p>\n
<\/figure>\n
Lastly, a \u2018directory agent advertisement\u2019 packet looks like this:<\/p>\n
<\/figure>\n
As noted in Lucas\u2019 blog, the bug is in the \u2018SLPParseSrvURL\u2019 function, which gets called when a \u2018directory agent advertisement\u2019 message is being process.<\/p>\n
<\/figure>\n
On line 18, the length of the URL is added with the number 0x1d to form the final size to \u2018calloc\u2019 from memory. On line 22, the \u2018strstr\u2019 function is called to seek the position of the substring \u201c:\/\u201d within the URL. On line 28, the content of the URL before the substring \u201c:\/\u201d will be copied into the newly \u2018calloced\u2019 memory from line 18.<\/p>\n
Another thing to note is that the \u2018strstr\u2019 function will return 0 if the substring \u201c:\/\u201d does not exists or if the function hits a null character.<\/p>\n
I speculated VMware test case only tried \u2018scopes\u2019 with a length size below 256. If we look at the following \u2018directory agent advertisement\u2019 layout snippet, we see sample 1\u2019s length of \u2018scopes\u2019 includes a null byte. This null byte accidentally acted as the string terminator for \u2018URL\u2019 since it sits right after it. If the length of \u2018scopes\u2019 is above 256, the hex representation of the length will not have a null byte (as in sample 2), and therefore the \u2018strstr\u2019 function will read passed the \u2018URL\u2019 and continue seeking the substring \u201c:\/\u201d in \u2018scopes\u2019.<\/p>\n
<\/figure>\n
Therefore, the \u2018memcpy\u2019 call will lead to a heap overflow because the source contains content from\u2018URL\u2019 + part of \u2018scopes\u2019 while the destination only have spaces to fit \u2018URL\u2019.<\/p>\n
Here I will go over the relevant SLP components as they serve as the building blocks for exploitation.<\/p>\n
_SLPDSocket<\/h2>\n
All client that connects to the \u2018slpd\u2019 daemon will create a \u2018slpd-socket\u2019 object on the heap. This object contains information on the current state of the connection, such as whether it is in a reading state or writing state. Other important information stored in this object includes the client\u2019s IP address, the socket file descriptor in-use for the connection, pointers to \u2018recv-buffer\u2019 and \u2018send-buffer\u2019 for this specific connection, and pointers to \u2018slpd-socket\u2019 object created from prior and future established connections. The size of this object is fixed at 0xd0, and cannot be changed.<\/p>\n
_SLPDSocket structure from OpenSLP source code<\/figcaption><\/figure>\n
memory layout for a _SLPDSocket object<\/figcaption><\/figure>\n
_SLPBuffer<\/h2>\n
All SLP message types received from the server will create at least two SLPBuffer objects. One is called \u2018recv-buffer\u2019, which stores the data received by the server from the client. Since I can control the size of the data I send from the client, I can control the size of the \u2018recv-buffer\u2019. The other SLPBuffer object is called \u2018send-buffer\u2019. This buffer stores the data that will be send from the server to client. The \u2018send-buffer\u2019 have a fixed size of 0x598 and I cannot control its size. Furthermore, the SLPBuffer have meta-data properties that points to the starting, current, and ending position of said data.<\/p>\n
_SLPBuffer from OpenSLP source code<\/figcaption><\/figure>\n
memory layout for a _SLPBuffer object<\/figcaption><\/figure>\n
SLP Socket State<\/h2>\n
The SLP Socket State defines the status for a particular connection. The state value is set in the _SLPSocket object. A connection will either be calling \u2018recv\u2019 or \u2018send\u2019 depending on the state of the socket.<\/p>\n
Socket states constants defined in OpenSLP source code<\/figcaption><\/figure>\n
It is important to understand the properties of _SLPSocket, _SLPBuffer and Socket States because the exploitation process requires modifying those values.<\/p>\n
This section goes over objectives required to land a successful exploitation.<\/p>\n
Objective 1<\/h2>\n
Achieve remote code execution by leveraging the heap overflow to overwrite the \u2018__free_hook\u2019 to point to shellcode or ROP chain.<\/p>\n
Expectation 1<\/h2>\n
If I can overwrite the \u2018position\u2019 pointers in a _SLPBuffer \u2018recv-buffer\u2019 object, I can force incoming data to the server to be written to arbitrary memory location.<\/p>\n
Objective 2<\/h2>\n
In order to know the address of \u2018__free_hook\u2019, I have to leak an address referencing the libc library.<\/p>\n
Expectation 2<\/h2>\n
If I can overwrite the \u2018position\u2019 pointers in a _SLPBuffer \u2018send-buffer\u2019 object, I can force outgoing data from the server to read from arbitrary memory location.<\/p>\n
Now that I defined goals and objectives, I have to identify any limitations with the heap overflow vector and memory allocation in general.<\/p>\n
Limitations<\/h2>\n
    \n
  1. \u2018URL\u2019 data stored in the \u201cDirectory Agent Advertisement\u2019s URL\u201d object cannot contain null bytes (due to the \u2018strstr\u2019 function). This limitation prevents me from directly overwriting meta-data within an adjacent \u2018_SLPDSocket\u2019 or \u2018_SLPBuffer\u2019 object because I would have to supply an invalid size value for the objects\u2019 heap header before reaching those properties.<\/li>\n
  2. The \u2018slpd\u2019 binary allocates \u2018_SLPDSocket\u2019 and \u2018_SLPBuffer\u2019 objects with \u2018calloc\u2019. The \u2018calloc\u2019 call will zero out the allocated memory slot. This limitation removes all past data of a memory slot which could contain interesting pointers or stack addresses. This looks like a show stopper because if I was to overwrite a \u2018position\u2019 pointer in a _SLPBuffer, I would need to know a valid address value. Since I don\u2019t know such value, the next best thing I can do is partially overwrite a \u2018position\u2019 pointer to at least get me in a valid address range that could be meaningful. With \u2018calloc\u2019 zeroing everything out, I lose that opportunity.<\/li>\n<\/ol>\n
    Fortunately, not all is lost. As shared in Lucas\u2019 blog post, I can still get around the limitations.<\/p>\n
    Limitations Bypass<\/h2>\n
      \n
    1. Use the heap overflow to partially overwrite the adjacent free memory chunk\u2019s size to extend it. By extending the free chunk, I can have it position to overlap with its neighbor \u2018_SLPDSocket\u2019 or \u2018_SLPBuffer\u2019 object. When I allocate memory that occupies the extended free space, I can overwrite the object\u2019s properties.<\/li>\n
    2. The \u2018calloc\u2019 call will retain past data of a memory slot if it was previously marked as \u2018IS_MAPPED<\/a>\u2019 when it was still freed. The key thing is the \u2018calloc\u2019 call must request a chunk size that is an exact size<\/strong> as the freed slot with \u2018IS_MAPPED\u2019 flag enabled to preserve its old data. If a \u2018IS_MAPPED\u2019 freed chunk is splitted up by a \u2018calloc\u2019 request, the \u2018calloc\u2019 will service a chunk without the \u2018IS_MAPPED\u2019 flag and zero out the slot\u2019s content.<\/li>\n<\/ol>\n
      There is still one more catch. Even if I can mark arbitrary position to store or read data for the _SLPBuffer, the \u2018slpd\u2019 binary will not comply unless associated socket state is set to the proper status. Therefore, the heap overflow will also have to overwrite the associated _SLPDSocket object\u2019s meta-data in order to get arbitrary read and write primitive to work.<\/p>\n
      This sections goes over the heap grooming strategy to achieve the following:<\/p>\n
      <\/figure>\n
      The Building Blocks<\/h2>\n
      Before I go over the heap grooming design, I want to say a few words about the purpose of the SLP messages mentioned earlier in fitting into the exploitation process.<\/p>\n
      service request<\/strong> \u2014 primarily use for creating a consecutive heap layout and holes.<\/p>\n
      directory agent advertisement<\/strong> \u2014 use to trigger the heap overflow vector to overwrite into the next neighbor memory block.<\/p>\n
      service registration<\/strong> \u2014 store user controlled data into the memory database which will be retrieved through the \u2018attribute request\u2019 message. This message is solely to set up \u2018attribute request\u2019 and is not used for the purpose of heap grooming.<\/p>\n
      attribute request <\/strong>\u2014 pull user controlled data from the memory database. Its purpose is to create a \u2018marker\u2019 that can be used to identify current position during the information leak stage. Also, the dynamic memory use to store the user controlled data can be a good stack pivot spot with complete user controllable content.<\/p>\n
      Overwrite _SLPBuffer \u2018send-buffer\u2019 object (Arbitrary Read Primitive)<\/h2>\n
      READ MORE HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
      READ MORE HERE…<\/p>\n","protected":false},"author":2,"featured_media":41191,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[256],"class_list":["post-41190","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackerflaw"],"yoast_head":"\nCheck Out This Great RCE PoC Walkthrough For The VMware ESXi OpenSLP Heap Overflow Vulnerability 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Check Out This Great RCE PoC Walkthrough For The VMware ESXi OpenSLP Heap Overflow Vulnerability 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-03T15:57:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/06\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"56\" \/>\n\t<meta property=\"og:image:height\" content=\"55\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Check Out This Great RCE PoC Walkthrough For The VMware ESXi OpenSLP Heap Overflow Vulnerability\",\"datePublished\":\"2021-06-03T15:57:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/\"},\"wordCount\":1797,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/06\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability.jpg\",\"keywords\":[\"headline,hacker,flaw\"],\"articleSection\":[\"CyberSecurity Blogs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/\",\"name\":\"Check Out This Great RCE PoC Walkthrough For The VMware ESXi OpenSLP Heap Overflow Vulnerability 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/06\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability.jpg\",\"datePublished\":\"2021-06-03T15:57:55+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/06\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/06\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability.jpg\",\"width\":56,\"height\":55},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,flaw\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackerflaw\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Check Out This Great RCE PoC Walkthrough For The VMware ESXi OpenSLP Heap Overflow Vulnerability\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Check Out This Great RCE PoC Walkthrough For The VMware ESXi OpenSLP Heap Overflow Vulnerability 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/","og_locale":"en_US","og_type":"article","og_title":"Check Out This Great RCE PoC Walkthrough For The VMware ESXi OpenSLP Heap Overflow Vulnerability 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-06-03T15:57:55+00:00","og_image":[{"width":56,"height":55,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/06\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Check Out This Great RCE PoC Walkthrough For The VMware ESXi OpenSLP Heap Overflow Vulnerability","datePublished":"2021-06-03T15:57:55+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/"},"wordCount":1797,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/06\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability.jpg","keywords":["headline,hacker,flaw"],"articleSection":["CyberSecurity Blogs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/","url":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/","name":"Check Out This Great RCE PoC Walkthrough For The VMware ESXi OpenSLP Heap Overflow Vulnerability 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/06\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability.jpg","datePublished":"2021-06-03T15:57:55+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/06\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/06\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability.jpg","width":56,"height":55},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/check-out-this-great-rce-poc-walkthrough-for-the-vmware-esxi-openslp-heap-overflow-vulnerability\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,flaw","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackerflaw\/"},{"@type":"ListItem","position":3,"name":"Check Out This Great RCE PoC Walkthrough For The VMware ESXi OpenSLP Heap Overflow Vulnerability"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=41190"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41190\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/41191"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=41190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=41190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=41190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}