2012-02-16 03:25:56 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2012-02-16 03:25:56 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
include Msf::Exploit::Remote::VIMSoap
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(
|
|
|
|
'Name' => 'VMWare ESX/ESXi Fingerprint Scanner',
|
|
|
|
'Description' => %Q{
|
2012-03-18 05:07:27 +00:00
|
|
|
This module accesses the web API interfaces for VMware ESX/ESXi servers
|
|
|
|
and attempts to identify version information for that server.
|
|
|
|
},
|
2012-09-20 02:46:14 +00:00
|
|
|
'Author' => ['theLightCosine'],
|
2012-02-16 03:25:56 +00:00
|
|
|
'License' => MSF_LICENSE
|
|
|
|
)
|
|
|
|
|
2012-03-15 23:15:29 +00:00
|
|
|
register_options([Opt::RPORT(443),
|
|
|
|
OptString.new('URI', [false, 'The uri path to test against' , '/sdk'])
|
|
|
|
], self.class)
|
2012-03-18 05:07:27 +00:00
|
|
|
|
2012-03-15 23:15:29 +00:00
|
|
|
register_advanced_options([OptBool.new('SSL', [ false, 'Negotiate SSL for outgoing connections', true]),])
|
2012-02-16 03:25:56 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def run_host(ip)
|
2012-08-07 20:59:01 +00:00
|
|
|
soap_data =
|
2012-02-16 03:25:56 +00:00
|
|
|
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
|
|
|
<env:Body>
|
|
|
|
<RetrieveServiceContent xmlns="urn:vim25">
|
|
|
|
<_this type="ServiceInstance">ServiceInstance</_this>
|
|
|
|
</RetrieveServiceContent>
|
|
|
|
</env:Body>
|
|
|
|
</env:Envelope>|
|
|
|
|
begin
|
|
|
|
res = send_request_cgi({
|
2012-11-08 16:42:48 +00:00
|
|
|
'uri' => normalize_uri(datastore['URI']),
|
2012-02-16 03:25:56 +00:00
|
|
|
'method' => 'POST',
|
|
|
|
'agent' => 'VMware VI Client',
|
2012-03-15 23:15:29 +00:00
|
|
|
'data' => soap_data,
|
|
|
|
'headers' => { 'SOAPAction' => @soap_action}
|
2012-02-16 03:25:56 +00:00
|
|
|
}, 25)
|
|
|
|
rescue ::Rex::ConnectionError => e
|
|
|
|
vprint_error("http://#{ip}:#{rport}#{datastore['URI']} - #{e}")
|
|
|
|
return false
|
|
|
|
rescue
|
|
|
|
vprint_error("Skipping #{ip} due to error - #{e}")
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
fingerprint_vmware(ip,res)
|
|
|
|
end
|
|
|
|
|
|
|
|
# Takes an ip address and a response, and just checks the response
|
|
|
|
# to pull out version info. If it's ESX, report the OS as ESX (since
|
|
|
|
# it's a hypervisor deal then). Otherwise, just report the service.
|
|
|
|
# XXX: report_service is stomping on the report_host OS. This is le suck.
|
|
|
|
def fingerprint_vmware(ip,res)
|
|
|
|
unless res
|
|
|
|
vprint_error("http://#{ip}:#{rport} - No response")
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
return false unless res.body.include?('<vendor>VMware, Inc.</vendor>')
|
|
|
|
os_match = res.body.match(/<name>([\w\s]+)<\/name>/)
|
|
|
|
ver_match = res.body.match(/<version>([\w\s\.]+)<\/version>/)
|
|
|
|
build_match = res.body.match(/<build>([\w\s\.\-]+)<\/build>/)
|
|
|
|
full_match = res.body.match(/<fullName>([\w\s\.\-]+)<\/fullName>/)
|
|
|
|
this_host = nil
|
|
|
|
if full_match
|
|
|
|
print_good "Identified #{full_match[1]}"
|
|
|
|
report_service(:host => (this_host || ip), :port => rport, :proto => 'tcp', :name => 'https', :info => full_match[1])
|
|
|
|
end
|
|
|
|
if os_match and ver_match and build_match
|
|
|
|
if os_match[1] =~ /ESX/ or os_match[1] =~ /vCenter/
|
|
|
|
this_host = report_host( :host => ip, :os_name => os_match[1], :os_flavor => ver_match[1], :os_sp => "Build #{build_match[1]}" )
|
|
|
|
end
|
|
|
|
return true
|
|
|
|
else
|
|
|
|
vprint_error("http://#{ip}:#{rport} - Could not identify as VMWare")
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|