diff --git a/lib/msf/core/exploit/vim_soap.rb b/lib/msf/core/exploit/vim_soap.rb
new file mode 100644
index 0000000000..f827724d12
--- /dev/null
+++ b/lib/msf/core/exploit/vim_soap.rb
@@ -0,0 +1,402 @@
+module Msf
+
+module Exploit::Remote::VIMSoap
+ include Msf::Exploit::Remote::HttpClient
+
+
+ def vim_get_session
+ soap_data =
+ %Q|
+
+
+ <_this type="ServiceInstance">ServiceInstance
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'data' => soap_data
+ }, 25)
+ @dc = Hash.from_xml(res.body)['Envelope']['Body']['RetrieveServiceContentResponse']['returnval']
+ print_status @dc.inspect
+ if res.headers['Set-Cookie']
+ @vim_cookie = res.headers['Set-Cookie']
+ return true
+ else
+ return false
+ end
+ end
+
+ def vim_do_login(user, pass)
+ unless vim_get_session
+ return false
+ end
+ soap_data =
+%Q|
+
+
+ <_this type="SessionManager">#{@dc['sessionManager']}
+ #{user}
+ #{pass}
+
+
+|
+ print_status "Soap Request: #{soap_data}"
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_data
+ }, 25)
+ print_status res.body
+ if res.code == 200
+ return :success
+ else
+ return :fail
+ end
+ end
+
+ def vim_get_dc
+ soap_req =
+ %Q|
+
+
+ <_this type="ServiceInstance">ServiceInstance
+
+
+ |
+
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req
+ }, 25)
+
+ hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrieveServiceContentResponse']['returnval']
+ @dc.merge!(hash)
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@dc['propertyCollector']}
+
+
+ ServiceInstance
+ content
+
+
+ ServiceInstance
+
+
+
+
+ |
+
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req
+ }, 25)
+
+ hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+ hash.delete('xsi:type')
+ @dc.merge!(hash)
+
+
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@dc['propertyCollector']}
+
+
+ Folder
+ childEntity
+
+
+ #{@dc['rootFolder']}
+
+
+
+
+ |
+
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req
+ }, 25)
+ print_status res.body
+ @dc['Datacenter'] = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
+ end
+
+ def vim_get_host
+ @host = {}
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@dc['propertyCollector']}
+
+
+ Datacenter
+ hostFolder
+
+
+ #{@dc['Datacenter']}
+
+
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req
+ }, 25)
+ @host['folderHost'] = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@dc['propertyCollector']}
+
+
+ Folder
+ childEntity
+
+
+ #{@host['folderHost']}
+
+
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req
+ }, 25)
+ @host['ComputeReference'] = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
+
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@dc['propertyCollector']}
+
+
+ ComputeResource
+ host
+
+
+ #{@host['ComputeReference']}
+
+
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req
+ }, 25)
+ @host['HostSystem'] = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
+ end
+
+ def vim_get_host_hw
+ vim_setup_references
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@dc['propertyCollector']}
+
+
+ HostSystem
+ hardware
+
+
+ #{@host['HostSystem']}
+
+
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req
+ }, 25)
+ hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+ return hash
+ end
+
+ def vim_get_host_summary
+ vim_setup_references
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@dc['propertyCollector']}
+
+
+ HostSystem
+ summary
+
+
+ #{@host['HostSystem']}
+
+
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req
+ }, 25)
+ hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+ hash['runtime'].delete('healthSystemRuntime')
+ hash.delete('xsi:type')
+ hash.delete('host')
+ return hash
+ end
+
+ def vim_get_vms
+ vim_setup_references
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@dc['propertyCollector']}
+
+
+ Datacenter
+ vmFolder
+
+
+ #{@dc['Datacenter']}
+
+
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req
+ }, 25)
+ @dc['vmFolder'] = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@dc['propertyCollector']}
+
+
+ Folder
+ childEntity
+
+
+ #{@dc['vmFolder']}
+
+
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req
+ }, 25)
+ vm_index_array = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
+ vms = []
+ vm_index_array.each{|i| vms << vim_get_vm_info(i)}
+ return vms
+ end
+
+ def vim_get_vm_info(vm_ref)
+ vim_setup_references
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@dc['propertyCollector']}
+
+
+ VirtualMachine
+ summary
+
+
+ #{vm_ref}
+
+
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req
+ }, 25)
+ hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+ vm = hash['config']
+ vm['runtime'] = hash['runtime']
+ vm['guest'] = hash['guest']
+ vm['quickStats'] = hash['quickStats']
+ return vm
+ end
+
+ def vim_logged_in?
+ return true if @vim_cookie
+ return false
+ end
+
+ def vim_instance_vars_set?
+ return false if @dc.nil? or @dc.empty?
+ return false if @host.nil? or @host.empty?
+ return false unless @dc['propertyCollector']
+ return false unless @dc['Datacenter']
+ return false unless @dc['rootFolder']
+ return false unless @host['folderHost']
+ return false unless @host['HostSystem']
+ return true
+ end
+
+ def vim_setup_references
+ unless vim_instance_vars_set?
+ vim_get_dc
+ vim_get_host
+ end
+ end
+
+end
+end
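Review bot: `vim_do_login` prints the whole SOAP login body with `print_status "Soap Request: #{soap_data}"`, so the cleartext password lands in console output and any spooled or saved session log; `print_status res.body` and `print_status @dc.inspect` in `vim_get_session` and `vim_get_dc` look like leftover debug output as well. I would drop the request dump and move the response dumps to `vprint_status`. `#{user}` and `#{pass}` are also interpolated into the XML unescaped, so a credential containing `<` or `&` produces a malformed request; escape them first, e.g. `CGI.escapeHTML(pass)`. Every helper dereferences `res.body` and a fixed chain of hash keys without checking the response, and `send_request_cgi` returns nil on a timeout, so add `return false unless res and res.code == 200` in `vim_get_session` and an equivalent guard before each `Hash.from_xml` call. In `vim_get_vms`, `vm_index_array.each` presumably breaks when the folder holds a single VM and the parser returns a scalar rather than an array; `[vm_index_array].flatten.compact` would cover that case.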
diff --git a/modules/auxiliary/scanner/vmware/vmware_host_details.rb b/modules/auxiliary/scanner/vmware/vmware_host_details.rb
new file mode 100644
index 0000000000..8fca533525
--- /dev/null
+++ b/modules/auxiliary/scanner/vmware/vmware_host_details.rb
@@ -0,0 +1,67 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/exploit/vim_soap'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::VIMSoap
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'VMWare Enumerate Host Details',
+ 'Version' => '$Revision$',
+ 'Description' => %Q{This module attempts to enumerate information about the host systems through the VMWare web API.},
+ 'Author' => ['TheLightCosine '],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
+ OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ]),
+ OptBool.new('HW_DETAILS', [true, "Enumerate the Hardware on the system as well?", false])
+ ], self.class)
+ end
+
+ def run_host(ip)
+
+ if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
+ output = "VMWare Host at #{ip} details\n"
+ output << "-----------------------------\n"
+ host_summary = vim_get_host_summary
+ output << YAML.dump(host_summary)
+ if datastore['HW_DETAILS']
+ output << "\n--------HARDWARE----------\n"
+ hw_details = vim_get_host_hw
+ output << YAML.dump(hw_details)
+ end
+ print_good output
+ store_loot('vmware_host_details', "text/plain", datastore['RHOST'], output, "#{datastore['RHOST']}_vmware_host.txt", "VMWare Host Details")
+ else
+ print_error "Login Failure on #{ip}"
+ return
+ end
+ end
+
+
+
+
+
+end
+
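Review bot: `register_options` ships `'root'` and `'password'` as defaults for the required USERNAME and PASSWORD options, so a run over a range with the options left unset sends a default login to every host, which is unintended authentication traffic and a lockout risk. Declare them without a default, e.g. `OptString.new('PASSWORD', [ true, "The password to Authenticate with." ])`, so the module refuses to run until credentials are supplied. RPORT defaults to 443 but nothing here enables TLS, and as far as I recall the HttpClient mixin defaults SSL to false, so the requests would go out as plain HTTP to the HTTPS port unless the operator sets SSL by hand. Registering `OptBool.new('SSL', [true, 'Use SSL', true])` as an advanced option would fix that. Both points apply to the identical option block in vmware_vm_discovery.rb.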
diff --git a/modules/auxiliary/scanner/vmware/vmware_vm_discovery.rb b/modules/auxiliary/scanner/vmware/vmware_vm_discovery.rb
new file mode 100644
index 0000000000..bbabe8152c
--- /dev/null
+++ b/modules/auxiliary/scanner/vmware/vmware_vm_discovery.rb
@@ -0,0 +1,70 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/exploit/vim_soap'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::VIMSoap
+ include Msf::Auxiliary::Scanner
+
+ def initialize
+ super(
+ 'Name' => 'VMWare Enumerate Virtual Machines',
+ 'Version' => '$Revision$',
+ 'Description' => %Q{
+ This module attempts to discover virtual machines on any VMWare instance
+ running the web interface. This would include ESX/ESXi and VMWare Server.},
+ 'Author' => ['TheLightCosine '],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
+ OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])
+ ], self.class)
+ end
+
+ def run_host(ip)
+
+ if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
+ virtual_machines = vim_get_vms
+ virtual_machines.each do |vm|
+ print_good YAML.dump(vm)
+ report_note(
+ :host => rhost,
+ :type => "vmware.esx.vm",
+ :data => vm,
+ :port => rport,
+ :proto => 'tcp',
+ :update => :unique_data
+ )
+ end
+ store_loot('ESX_virtualmachines', "text/plain", datastore['RHOST'], YAML.dump(virtual_machines) , "#{datastore['RHOST']}_esx_vms.txt", "VMWare ESX Virtual Machines")
+ else
+ print_error "Login Failure on #{ip}"
+ return
+ end
+ end
+
+
+
+
+
+end
+
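Review bot: `run_host` names the target three different ways: `ip` in the error message, `rhost` in `report_note`, and `datastore['RHOST']` in `store_loot`. I would use the `ip` argument throughout so that notes and loot are attributed to the host this scanner thread was handed, e.g. `store_loot('ESX_virtualmachines', "text/plain", ip, YAML.dump(virtual_machines), "#{ip}_esx_vms.txt", "VMWare ESX Virtual Machines")`. The `store_loot` call in vmware_host_details.rb uses `datastore['RHOST']` in the same way. The result of `vim_get_vms` is also iterated without any check, so an empty or failed enumeration either writes an empty loot file or raises out of `run_host`; a guard such as `return if virtual_machines.nil? or virtual_machines.empty?`, preceded by a `print_error`, would make that outcome explicit.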