William Vu
9633f5daf4
Thanks to JJ Lehmann and Ofri Ziv of Guardicore Labs for their work. https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/
66 lines
1.1 KiB
Ruby
66 lines
1.1 KiB
Ruby
# -*- coding: binary -*-
|
|
|
|
#
|
|
# This mixin is a wrapper around Net::LDAP
|
|
#
|
|
|
|
require 'net-ldap'
|
|
|
|
module Msf
|
|
module Exploit::Remote::LDAP
|
|
|
|
def initialize(info = {})
|
|
super
|
|
|
|
register_options([
|
|
Opt::RHOST,
|
|
Opt::RPORT(389)
|
|
])
|
|
end
|
|
|
|
def rhost
|
|
datastore['RHOST']
|
|
end
|
|
|
|
def rport
|
|
datastore['RPORT']
|
|
end
|
|
|
|
def peer
|
|
"#{rhost}:#{rport}"
|
|
end
|
|
|
|
def discover_base_dn(ldap)
|
|
print_status('Searching root DSE for base DN')
|
|
|
|
unless (root_dse = ldap.search_root_dse)
|
|
print_error('Could not retrieve root DSE')
|
|
return
|
|
end
|
|
|
|
vprint_line(root_dse.to_ldif)
|
|
|
|
# NOTE: Net::LDAP converts attribute names to lowercase
|
|
unless root_dse[:namingcontexts]
|
|
print_error('Could not find namingContexts attribute')
|
|
return
|
|
end
|
|
|
|
if root_dse[:namingcontexts].empty?
|
|
print_error('Could not find base DN')
|
|
return
|
|
end
|
|
|
|
# NOTE: We assume the first namingContexts value is the base DN
|
|
base_dn = root_dse[:namingcontexts].first
|
|
|
|
print_good("Discovered base DN: #{base_dn}")
|
|
base_dn
|
|
rescue Net::LDAP::Error => e
|
|
print_error("#{e.class}: #{e.message}")
|
|
nil
|
|
end
|
|
|
|
end
|
|
end
|