infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adding a bunch of new VIM API auxiliary stuff 

Work in progress.
unstable
David Maloney 2012-02-01 12:05:20 -06:00
parent 25fbe1c7d0
commit 3f48e626a2
3 changed files with 539 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

402
lib/msf/core/exploit/vim_soap.rb Normal file
View File

@ -0,0 +1,402 @@
module Msf
module Exploit::Remote::VIMSoap
include Msf::Exploit::Remote::HttpClient
def vim_get_session
soap_data =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveServiceContent xmlns="urn:vim25">
<_this type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'data' => soap_data
}, 25)
@dc = Hash.from_xml(res.body)['Envelope']['Body']['RetrieveServiceContentResponse']['returnval']
print_status @dc.inspect
if res.headers['Set-Cookie']
@vim_cookie = res.headers['Set-Cookie']
return true
else
return false
end
end
def vim_do_login(user, pass)
unless vim_get_session
return false
end
soap_data =
%Q|<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<Login xmlns="urn:vim25">
<_this type="SessionManager">#{@dc['sessionManager']}</_this>
<userName>#{user}</userName>
<password>#{pass}</password>
</Login>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>|
print_status "Soap Request: #{soap_data}"
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_data
}, 25)
print_status res.body
if res.code == 200
return :success
else
return :fail
end
end
def vim_get_dc
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveServiceContent xmlns="urn:vim25">
<_this type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrieveServiceContentResponse']['returnval']
@dc.merge!(hash)
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@dc['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>ServiceInstance</type>
<pathSet>content</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="ServiceInstance">ServiceInstance</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
hash.delete('xsi:type')
@dc.merge!(hash)
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@dc['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Folder</type>
<pathSet>childEntity</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Folder">#{@dc['rootFolder']}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req
}, 25)
print_status res.body
@dc['Datacenter'] = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
end
def vim_get_host
@host = {}
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@dc['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Datacenter</type>
<pathSet>hostFolder</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Datacenter">#{@dc['Datacenter']}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req
}, 25)
@host['folderHost'] = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@dc['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Folder</type>
<pathSet>childEntity</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Folder">#{@host['folderHost']}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req
}, 25)
@host['ComputeReference'] = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@dc['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>ComputeResource</type>
<pathSet>host</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="ComputeResource">#{@host['ComputeReference']}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req
}, 25)
@host['HostSystem'] = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
end
def vim_get_host_hw
vim_setup_references
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@dc['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>HostSystem</type>
<pathSet>hardware</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="HostSystem">#{@host['HostSystem']}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
return hash
end
def vim_get_host_summary
vim_setup_references
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@dc['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>HostSystem</type>
<pathSet>summary</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="HostSystem">#{@host['HostSystem']}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
hash['runtime'].delete('healthSystemRuntime')
hash.delete('xsi:type')
hash.delete('host')
return hash
end
def vim_get_vms
vim_setup_references
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@dc['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Datacenter</type>
<pathSet>vmFolder</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Datacenter">#{@dc['Datacenter']}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req
}, 25)
@dc['vmFolder'] = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@dc['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Folder</type>
<pathSet>childEntity</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Folder">#{@dc['vmFolder']}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req
}, 25)
vm_index_array = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
vms = []
vm_index_array.each{|i| vms << vim_get_vm_info(i)}
return vms
end
def vim_get_vm_info(vm_ref)
vim_setup_references
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@dc['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>VirtualMachine</type>
<pathSet>summary</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="VirtualMachine">#{vm_ref}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
vm = hash['config']
vm['runtime'] = hash['runtime']
vm['guest'] = hash['guest']
vm['quickStats'] = hash['quickStats']
return vm
end
def vim_logged_in?
return true if @vim_cookie
return false
end
def vim_instance_vars_set?
return false if @dc.nil? or @dc.empty?
return false if @host.nil? or @host.empty?
return false unless @dc['propertyCollector']
return false unless @dc['Datacenter']
return false unless @dc['rootFolder']
return false unless @host['folderHost']
return false unless @host['HostSystem']
return true
end
def vim_setup_references
unless vim_instance_vars_set?
vim_get_dc
vim_get_host
end
end
end
end

67
modules/auxiliary/scanner/vmware/vmware_host_details.rb Normal file
View File

@ -0,0 +1,67 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/exploit/vim_soap'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::VIMSoap
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'VMWare Enumerate Host Details',
'Version' => '$Revision$',
'Description' => %Q{This module attempts to enumerate information about the host systems through the VMWare web API.},
'Author' => ['TheLightCosine <thelightcosine[at]metasploit.com>'],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ]),
OptBool.new('HW_DETAILS', [true, "Enumerate the Hardware on the system as well?", false])
], self.class)
end
def run_host(ip)
if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
output = "VMWare Host at #{ip} details\n"
output << "-----------------------------\n"
host_summary = vim_get_host_summary
output << YAML.dump(host_summary)
if datastore['HW_DETAILS']
output << "\n--------HARDWARE----------\n"
hw_details = vim_get_host_hw
output << YAML.dump(hw_details)
end
print_good output
store_loot('vmware_host_details', "text/plain", datastore['RHOST'], output, "#{datastore['RHOST']}_vmware_host.txt", "VMWare Host Details")
else
print_error "Login Failure on #{ip}"
return
end
end
end

70
modules/auxiliary/scanner/vmware/vmware_vm_discovery.rb Normal file
View File

@ -0,0 +1,70 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/exploit/vim_soap'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::VIMSoap
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'VMWare Enumerate Virtual Machines',
'Version' => '$Revision$',
'Description' => %Q{
This module attempts to discover virtual machines on any VMWare instance
running the web interface. This would include ESX/ESXi and VMWare Server.},
'Author' => ['TheLightCosine <thelightcosine[at]metasploit.com>'],
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(443),
OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])
], self.class)
end
def run_host(ip)
if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
virtual_machines = vim_get_vms
virtual_machines.each do |vm|
print_good YAML.dump(vm)
report_note(
:host => rhost,
:type => "vmware.esx.vm",
:data => vm,
:port => rport,
:proto => 'tcp',
:update => :unique_data
)
end
store_loot('ESX_virtualmachines', "text/plain", datastore['RHOST'], YAML.dump(virtual_machines) , "#{datastore['RHOST']}_esx_vms.txt", "VMWare ESX Virtual Machines")
else
print_error "Login Failure on #{ip}"
return
end
end
end