2011-07-11 05:52:51 +00:00
|
|
|
require 'vm_driver'
|
|
|
|
|
|
|
|
##
|
2011-07-29 18:20:02 +00:00
|
|
|
## $Id$
|
2011-07-11 05:52:51 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
# This driver was built against:
|
|
|
|
# VMware ESX Host Agent 4.1.0 build-348481
|
|
|
|
|
|
|
|
module Lab
|
|
|
|
module Drivers
|
|
|
|
|
|
|
|
class RemoteEsxDriver < VmDriver
|
|
|
|
|
2011-08-29 16:03:28 +00:00
|
|
|
def initialize(config)
|
|
|
|
unless config['user'] then raise ArgumentError, "Must provide a username" end
|
|
|
|
unless config['host'] then raise ArgumentError, "Must provide a hostname" end
|
|
|
|
|
|
|
|
super(config)
|
2011-09-17 03:00:57 +00:00
|
|
|
|
2011-08-29 16:03:28 +00:00
|
|
|
@user = filter_command(config['user'])
|
|
|
|
@host = filter_command(config['host'])
|
2011-11-01 16:15:51 +00:00
|
|
|
@port = config['port']
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def start
|
2011-11-01 16:15:51 +00:00
|
|
|
remote_system_command("vim-cmd vmsvc/power.on #{@vmid}")
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def stop
|
2011-11-01 16:15:51 +00:00
|
|
|
remote_system_command("vim-cmd vmsvc/power.off #{@vmid}")
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def suspend
|
2011-11-01 16:15:51 +00:00
|
|
|
remote_system_command("vim-cmd vmsvc/power.suspend #{@vmid}")
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
2011-11-01 16:15:51 +00:00
|
|
|
def pause
|
|
|
|
remote_system_command("vim-cmd vmsvc/power.suspend #{@vmid}")
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def resume
|
2011-11-01 16:15:51 +00:00
|
|
|
remote_system_command("vim-cmd vmsvc/power.suspendResume #{@vmid}")
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def reset
|
2011-11-01 16:15:51 +00:00
|
|
|
remote_system_command("vim-cmd vmsvc/power.reset #{@vmid}")
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def create_snapshot(snapshot)
|
|
|
|
snapshot = filter_input(snapshot)
|
|
|
|
|
2011-11-01 16:15:51 +00:00
|
|
|
remote_system_command("vim-cmd vmsvc/snapshot.create #{@vmid} #{snapshot} \'lab created snapshot\' 1 true")
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def revert_snapshot(snapshot)
|
2011-08-29 16:03:28 +00:00
|
|
|
|
2011-09-17 03:00:57 +00:00
|
|
|
snapshots = get_snapshots
|
|
|
|
|
|
|
|
# Look through our snapshot list, choose the right one based on display_name
|
|
|
|
snapshots.each do |snapshot_obj|
|
2011-11-01 16:15:51 +00:00
|
|
|
|
|
|
|
#puts "DEBUG: checking #{snapshot_obj}"
|
|
|
|
|
2011-09-17 03:00:57 +00:00
|
|
|
if snapshot_obj[:display_name].downcase == snapshot.downcase
|
2011-11-01 16:15:51 +00:00
|
|
|
snapshot_identifier = snapshot_obj[:name].join(" ")
|
|
|
|
|
|
|
|
#puts "DEBUG: I would revert to #{snapshot_obj}"
|
|
|
|
remote_system_command("vim-cmd vmsvc/snapshot.revert #{@vmid} 0 #{snapshot_identifier}")
|
2011-09-17 03:00:57 +00:00
|
|
|
return true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# If we got here, the snapshot didn't exist
|
|
|
|
raise "Invalid Snapshot Name"
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
2011-11-01 16:15:51 +00:00
|
|
|
def delete_snapshot(snapshot, remove_children=false)
|
|
|
|
snapshots = get_snapshots
|
|
|
|
|
|
|
|
# Look through our snapshot list, choose the right one based on display_name
|
|
|
|
snapshots.each do |snapshot_obj|
|
|
|
|
|
|
|
|
#puts "DEBUG: checking #{snapshot_obj}"
|
|
|
|
|
|
|
|
if snapshot_obj[:display_name].downcase == snapshot.downcase
|
|
|
|
snapshot_identifier = snapshot_obj[:name].join(" ")
|
|
|
|
remote_system_command("vim-cmd vmsvc/snapshot.remove #{@vmid} #{remove_children} #{snapshot_identifier}")
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
# If we got here, the snapshot didn't exist
|
|
|
|
raise "Invalid Snapshot Name"
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
2011-11-01 16:15:51 +00:00
|
|
|
def delete_all_snapshots
|
|
|
|
remote_system_command("vim-cmd vmsvc/snapshot.removeall #{@vmid}")
|
|
|
|
end
|
2012-01-06 05:09:29 +00:00
|
|
|
|
|
|
|
def check_file_exists(file)
|
|
|
|
raise "Not Implemented"
|
|
|
|
end
|
|
|
|
|
|
|
|
def create_directory(directory)
|
2011-07-11 05:52:51 +00:00
|
|
|
raise "Not Implemented"
|
|
|
|
end
|
2012-01-06 05:09:29 +00:00
|
|
|
|
|
|
|
def run_command(command, timeout=60)
|
|
|
|
|
|
|
|
setup_session
|
|
|
|
#puts "Using session #{@session}"
|
|
|
|
|
|
|
|
# TODO: pass the timeout down
|
2011-07-11 05:52:51 +00:00
|
|
|
|
2012-01-06 05:09:29 +00:00
|
|
|
if @session
|
|
|
|
if @session.type == "shell"
|
|
|
|
#puts "Running command via shell: #{command}"
|
|
|
|
@session.shell_command_token(command, timeout)
|
|
|
|
elsif @session.type == "meterpreter"
|
|
|
|
#puts "Running command via meterpreter: #{command}"
|
|
|
|
@session.shell_command(command)
|
|
|
|
end
|
2011-08-29 16:03:28 +00:00
|
|
|
else
|
2012-01-06 05:09:29 +00:00
|
|
|
raise "No session"
|
2011-08-29 16:03:28 +00:00
|
|
|
end
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
2012-01-06 05:09:29 +00:00
|
|
|
def copy_to_guest(local,remote)
|
|
|
|
setup_session
|
|
|
|
if @session.type == "meterpreter"
|
|
|
|
@session.run_cmd("upload #{local} #{remote}")
|
2012-01-06 02:42:58 +00:00
|
|
|
else
|
2012-01-06 05:09:29 +00:00
|
|
|
@driver.copy_to(local,remote)
|
2012-01-06 02:42:58 +00:00
|
|
|
end
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
2012-01-06 05:09:29 +00:00
|
|
|
|
|
|
|
def copy_from_guest(local, remote)
|
|
|
|
setup_session
|
|
|
|
if @session.type == "meterpreter"
|
|
|
|
@session.run_cmd("download #{local} #{remote}")
|
|
|
|
else
|
|
|
|
@driver.copy_from(local,remote)
|
|
|
|
end
|
2012-01-06 02:42:58 +00:00
|
|
|
end
|
|
|
|
|
2012-01-06 05:09:05 +00:00
|
|
|
def cleanup
|
2012-01-06 02:42:58 +00:00
|
|
|
end
|
|
|
|
|
2012-01-06 05:09:05 +00:00
|
|
|
def running?
|
2012-01-06 05:09:29 +00:00
|
|
|
power_status_string = `ssh #{@user}@#{@host} \"vim-cmd vmsvc/power.getstate #{@vmid}\"`
|
|
|
|
return true if power_status_string =~ /Powered on/
|
2012-01-06 05:09:05 +00:00
|
|
|
end
|
|
|
|
|
2012-01-06 05:09:29 +00:00
|
|
|
private
|
|
|
|
|
|
|
|
def create_framework
|
|
|
|
return if @framework
|
|
|
|
@framework = Msf::Simple::Framework.create
|
|
|
|
end
|
|
|
|
|
|
|
|
# perform the setup only once
|
|
|
|
def setup_session
|
|
|
|
return if @session
|
|
|
|
|
|
|
|
# require the framework (assumes this sits in lib/lab/modifiers)
|
|
|
|
require 'msf/base'
|
|
|
|
|
|
|
|
create_framework # TODO - this should use a single framework for all hosts, not one-per-host
|
|
|
|
|
|
|
|
@session = nil
|
|
|
|
@session_input = Rex::Ui::Text::Input::Buffer.new
|
|
|
|
@session_output = Rex::Ui::Text::Output::Buffer.new
|
|
|
|
|
|
|
|
if @os == "windows"
|
|
|
|
exploit_name = 'windows/smb/psexec'
|
|
|
|
|
|
|
|
# TODO - check for x86, choose the appropriate payload
|
|
|
|
|
|
|
|
payload_name = 'windows/meterpreter/bind_tcp'
|
|
|
|
options = {
|
|
|
|
"RHOST" => @hostname,
|
|
|
|
"SMBUser" => @vm_user,
|
|
|
|
"SMBPass" => @vm_pass}
|
|
|
|
|
|
|
|
#puts "DEBUG: using options #{options}"
|
|
|
|
|
|
|
|
# Initialize the exploit instance
|
|
|
|
exploit = @framework.exploits.create(exploit_name)
|
|
|
|
|
|
|
|
begin
|
|
|
|
# Fire it off.
|
|
|
|
@session = exploit.exploit_simple(
|
|
|
|
'Payload' => payload_name,
|
|
|
|
'Options' => options,
|
|
|
|
'LocalInput' => @session_input,
|
|
|
|
'LocalOutput' => @session_output)
|
|
|
|
@session.load_stdapi
|
|
|
|
|
|
|
|
#puts "DEBUG: Generated session: #{@session}"
|
|
|
|
|
|
|
|
rescue Exception => e
|
|
|
|
#puts "DEBUG: Unable to exploit"
|
|
|
|
#puts e.to_s
|
|
|
|
end
|
|
|
|
else
|
|
|
|
module_name = 'scanner/ssh/ssh_login'
|
|
|
|
|
|
|
|
# TODO - check for x86, choose the appropriate payload
|
|
|
|
|
|
|
|
payload_name = 'linux/x86/shell_bind_tcp'
|
|
|
|
options = { "RHOSTS" => @hostname,
|
|
|
|
"USERNAME" => @vm_user,
|
|
|
|
"PASSWORD" => @vm_pass,
|
|
|
|
"BLANK_PASSWORDS" => false,
|
|
|
|
"USER_AS_PASS" => false,
|
|
|
|
"VERBOSE" => false}
|
|
|
|
|
|
|
|
# Initialize the module instance
|
|
|
|
aux = @framework.auxiliary.create(module_name)
|
|
|
|
|
|
|
|
#puts "DEBUG: created module: #{aux}"
|
|
|
|
|
|
|
|
begin
|
|
|
|
# Fire it off.
|
|
|
|
aux.run_simple(
|
|
|
|
'Payload' => payload_name,
|
|
|
|
'Options' => options,
|
|
|
|
'LocalInput' => @session_input,
|
|
|
|
'LocalOutput' => @session_output)
|
|
|
|
|
|
|
|
@session = @framework.sessions.first.last
|
|
|
|
rescue Exception => e
|
|
|
|
#puts "DEBUG: Unable to exploit"
|
|
|
|
#puts e.to_s
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2011-09-17 03:00:57 +00:00
|
|
|
def get_snapshots
|
|
|
|
# Command take the format:
|
|
|
|
# vmware-vim-cmd vmsvc/snapshot.revert [vmid: int] [snapshotlevel: int] [snapshotindex: int]
|
|
|
|
output = `ssh #{@user}@#{@host} \"vim-cmd vmsvc/snapshot.get #{@vmid}\"`
|
|
|
|
|
|
|
|
# this keeps track of the snapshots, takes the form:
|
|
|
|
#[ {:name => [0,0], :display_name => "String containing the snapshotname},
|
|
|
|
# {:name => [0,1], :display_name => "String containing the snapshotname}, ]
|
|
|
|
# ...
|
|
|
|
snapshots = []
|
|
|
|
|
2012-01-06 05:09:29 +00:00
|
|
|
# Use these to keep track of the parsing...
|
2011-09-17 03:00:57 +00:00
|
|
|
current_tree = -1
|
|
|
|
current_num = 0
|
|
|
|
count = 0
|
|
|
|
|
|
|
|
# Do the parsing & stick the snapshots in the snapshots array
|
|
|
|
output_lines = output.split("\n")
|
|
|
|
output_lines.each do |line|
|
|
|
|
if line.include?("|") # this is a new snapshot
|
|
|
|
if line.include?("ROOT") # it's a root
|
|
|
|
current_num = 0
|
2011-11-01 16:15:51 +00:00
|
|
|
current_tree = current_tree + 1 # new tree
|
|
|
|
snapshots << { :name => [current_num, current_tree], :display_name => output_lines[count+1].split(":").last.strip }
|
2011-09-17 03:00:57 +00:00
|
|
|
else
|
|
|
|
current_num = current_num + 1 # new snapshot in current tree
|
2011-11-01 16:15:51 +00:00
|
|
|
snapshots << { :name => [current_num, current_tree], :display_name => output_lines[count+1].split(":").last.strip }
|
2011-09-17 03:00:57 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
count = count+1
|
|
|
|
end
|
|
|
|
|
|
|
|
snapshots
|
|
|
|
end
|
|
|
|
|
2011-07-11 05:52:51 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|