gelim / CVE-2020-3952

VMware vmdir missing access control exploit checker

Script to check whether a server is vulnerable to CVE-2020-3952.

It is inspired by the Guardicore exploit, with one difference: it does NOT create an admin user.

It assesses the vulnerable status by validating that the built-in Administrators group can be tainted, by creating or appending to the harmless 'description' attribute.

Check

Usage:

$ python exploit_check.py vserver_ip

Detect attempts

The Suricata rule file vmware.rules takes a naive approach: it catches the LDAP modify operation on the Administrators group. It needs to be customized with a proper signature ID (sid), and you can tune the src and dst subnets, which are set to any by default.

It could be improved by looking specifically at member additions.
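
The improvement suggested above, sketched as an added example that is not part of this repository: a decoder that reads an LDAP ModifyRequest and raises severity only when a member value is added or replaced on the Administrators group. The group DN (default vsphere.local domain), the member attribute name, the severity labels and the sample PDUs built by sample() are assumptions constructed for illustration.

```python
# Assumption: default vsphere.local vmdir DN and the "member" group attribute.
ADMIN_DN = b"cn=administrators,cn=builtin,dc=vsphere,dc=local"
OPS = {0: "add", 1: "delete", 2: "replace"}

def read_tlv(buf, pos):  # decode one BER element -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def classify(pdu):  # -> None, or (severity, [(op, attr), ...]) for a modify on ADMIN_DN
    try:
        tag, msg, _ = read_tlv(pdu, 0)
        parts = children(msg)
        if tag != 0x30 or len(parts) < 2 or parts[1][0] != 0x66:  # 0x66 = ModifyRequest
            return None
        (_, dn), (_, changes) = children(parts[1][1])[:2]
        if dn.lower() != ADMIN_DN:
            return None
        found = []
        for _, change in children(changes):
            (_, op), (_, mod) = children(change)[:2]
            attr = children(mod)[0][1].decode("ascii", "replace").lower()
            found.append((OPS.get(op[0], "unknown"), attr))
    except (ValueError, IndexError):                   # malformed or truncated PDU
        return None
    high = any(o in ("add", "replace") and a == "member" for o, a in found)
    return ("high" if high else "low"), found

def tlv(tag, body):                                    # encoder for constructed samples
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def sample(dn, attr, value, op=0):                     # constructed PDU, not captured traffic
    mod = tlv(0x30, tlv(0x04, attr) + tlv(0x31, tlv(0x04, value)))
    changes = tlv(0x30, tlv(0x30, tlv(0x0A, bytes([op])) + mod))
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x66, tlv(0x04, dn) + changes))
```

classify() expects one complete LDAPMessage; on live traffic it needs TCP stream reassembly in front of it, and the DN comparison is a plain case-insensitive match that does not normalize whitespace between RDNs.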
