Working Screenshot capability!

lib/msf/core/exploit/vim_soap.rb

@@ -57,6 +57,38 @@ module Exploit::Remote::VIMSoap
 		end
 	end
 
+
+	def vim_get_dc_name(dc)
+		soap_req=
+			%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+			<env:Body>
+			<RetrieveProperties xmlns="urn:vim25">
+				<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
+				<specSet xsi:type="PropertyFilterSpec">
+					<propSet xsi:type="PropertySpec">
+						<type>Datacenter</type>
+						<pathSet>name</pathSet>
+					</propSet>
+					<objectSet xsi:type="ObjectSpec">
+						<obj type="Datacenter">#{dc}</obj>
+					</objectSet>
+				</specSet>
+			</RetrieveProperties>
+			</env:Body>
+			</env:Envelope>|
+		res = send_request_cgi({
+			'uri'     => '/sdk',
+			'method'  => 'POST',
+			'agent'   => 'VMware VI Client',
+			'cookie'  => @vim_cookie,
+			'data'    => soap_req,
+			'headers' => { 'SOAPAction' => @soap_action}
+			}, 25)
+		name = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+		return name
+	end
+
+
 	def vim_get_dcs
 			soap_req = 
 				%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
@@ -136,8 +168,10 @@ module Exploit::Remote::VIMSoap
 					'data'    => soap_req,
 					'headers' => { 'SOAPAction' => @soap_action}
 					}, 25)
-			@dcs << Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
-			@dcs.flatten!
+			tmp_dcs = []
+			tmp_dcs = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
+			tmp_dcs.flatten!
+			tmp_dcs.each{|dc| @dcs << { 'name' => vim_get_dc_name(dc) , 'ref' => dc}}
 	end
 
 	def vim_get_hosts(datacenter)
@@ -242,7 +276,7 @@ module Exploit::Remote::VIMSoap
 	end
 
 	def vim_get_all_hosts
-		@dcs.each{|dc| @hosts << vim_get_hosts(dc)}
+		@dcs.each{|dc| @hosts << vim_get_hosts(dc['ref'])}
 		@hosts.flatten!
 	end
 
@@ -291,18 +325,24 @@ module Exploit::Remote::VIMSoap
 		return summaries.flatten.compact
 	end
 
-
-
-	def vim_take_screenshot(vm)
-		soap_req =
+	def vim_get_vm_datastore(vm)
+		soap_req = 
 			%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 			<env:Body>
-			<CreateScreenshot_Task xmlns="urn:vim25">
-				<_this type="VirtualMachine">#{vm}</_this>
-			</CreateScreenshot_Task>
-			</env:Body>
-			</env:Envelope>| 
-		print_status "Request: #{soap_req}"
+			<RetrieveProperties xmlns="urn:vim25">
+				<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
+				<specSet xsi:type="PropertyFilterSpec">
+					<propSet xsi:type="PropertySpec">
+						<type>VirtualMachine</type>
+						<pathSet>datastore</pathSet>
+					</propSet>
+					<objectSet xsi:type="ObjectSpec">
+						<obj type="VirtualMachine">#{vm}</obj>
+					</objectSet>
+				</specSet>
+			</RetrieveProperties>
+			</env:Body
+			></env:Envelope>| 
 		res = send_request_cgi({
 			'uri'     => '/sdk',
 			'method'  => 'POST',
@@ -311,7 +351,121 @@ module Exploit::Remote::VIMSoap
 			'data'    => soap_req,
 			'headers' => { 'SOAPAction' => @soap_action}
 		}, 25)
-		print_status res.body
+		datastore_ref = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
+
+		soap_req = 
+			%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+			<env:Body>
+			<RetrieveProperties xmlns="urn:vim25">
+				<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
+				<specSet xsi:type="PropertyFilterSpec">
+					<propSet xsi:type="PropertySpec">
+						<type>Datastore</type>
+						<pathSet>info</pathSet>
+					</propSet>
+					<objectSet xsi:type="ObjectSpec">
+						<obj type="Datastore">#{datastore_ref}</obj>
+					</objectSet>
+				</specSet>
+			</RetrieveProperties>
+			</env:Body>
+			</env:Envelope>|
+			res = send_request_cgi({
+			'uri'     => '/sdk',
+			'method'  => 'POST',
+			'agent'   => 'VMware VI Client',
+			'cookie'  => @vim_cookie,
+			'data'    => soap_req,
+			'headers' => { 'SOAPAction' => @soap_action}
+		}, 25)
+		datastore_name = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['name']
+		datastore = { 'name' => datastore_name, 'ref' => datastore_ref}
+		return datastore
+
+	end
+
+
+
+	def vim_take_screenshot(vm, user, pass)
+		soap_req =
+			%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+			<env:Body>
+			<CreateScreenshot_Task xmlns="urn:vim25">
+				<_this type="VirtualMachine">#{vm['ref']}</_this>
+			</CreateScreenshot_Task>
+			</env:Body>
+			</env:Envelope>| 
+		res = send_request_cgi({
+			'uri'     => '/sdk',
+			'method'  => 'POST',
+			'agent'   => 'VMware VI Client',
+			'cookie'  => @vim_cookie,
+			'data'    => soap_req,
+			'headers' => { 'SOAPAction' => @soap_action}
+		}, 25)
+		if res.body.include? "NotAuthenticatedFault"
+			return :expired
+		elsif res.body.include? "<faultstring>"
+			return :error
+		end
+		task_id = Hash.from_xml(res.body)['Envelope']['Body']['CreateScreenshot_TaskResponse']['returnval']
+
+		state= "running"
+		while state == "running"
+			soap_req =
+				%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+				<env:Body>
+				<RetrieveProperties xmlns="urn:vim25">
+					<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
+					<specSet xsi:type="PropertyFilterSpec">
+						<propSet xsi:type="PropertySpec">
+							<type>Task</type>
+							<pathSet>info</pathSet>
+						</propSet>
+						<objectSet xsi:type="ObjectSpec">
+							<obj type="Task">#{task_id}</obj>
+						</objectSet>
+					</specSet>
+				</RetrieveProperties>
+				</env:Body>
+				</env:Envelope>| 
+			res = send_request_cgi({
+				'uri'     => '/sdk',
+				'method'  => 'POST',
+				'agent'   => 'VMware VI Client',
+				'cookie'  => @vim_cookie,
+				'data'    => soap_req,
+				'headers' => { 'SOAPAction' => @soap_action}
+			}, 25)
+			hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+			state = hash['state']
+			screenshot_file = hash['result'] 
+		end
+		unless screenshot_file
+			return :error
+		end
+		(ss_folder, ss_file) = screenshot_file.split('/').last(2)
+		ss_folder = URI.escape(ss_folder,  Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+		ss_file = URI.escape(ss_file,  Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+		ss_path = "#{ss_folder}/#{ss_file}"
+		datastore = vim_get_vm_datastore(vm['ref'])
+		user_pass = Rex::Text.encode_base64(user + ":" + pass)
+		ss_uri = "/folder/#{ss_path}?dcPath=#{vm['dc_name']}&dsName=#{datastore['name']}"
+		ss_uri = 
+		res = send_request_cgi({
+			'uri'     => ss_uri,
+			'method'  => 'GET',
+			'agent'   => 'VMware VI Client',
+			'cookie'  => @vim_cookie,
+			'headers' => { 
+				'SOAPAction' => @soap_action,
+				'Authorization' => "Basic #{user_pass}",
+				}
+		}, 25)
+		if res.code == 200
+			return res.body
+		end
+		return :error
 	end
 
 
@@ -353,18 +507,21 @@ module Exploit::Remote::VIMSoap
 		vim_setup_references
 		@vmrefs = []
 		vmlist= []
-		print_status @dcs.inspect
-		@dcs.each{|dc| @vmrefs << vim_get_dc_vms(dc)}
-		unless @vmrefs.empty?
-			@vmrefs.flatten!
-			@vmrefs.compact!
-			print_status "#{datastore['RHOST']} - Found a Total of #{@vmrefs.length} VMs"
-			print_status "#{datastore['RHOST']}  - Estimated Time: #{((@vmrefs.length * 7) /60)} Minutes"
-			@vmrefs.each do |ref|
-				print_status "#{datastore['RHOST']}  - Getting Data for VM: #{ref}..."
+		@dcs.each do |dc| 
+			dc_vm_refs = vim_get_dc_vms(dc['ref'])
+			next if dc_vm_refs.nil? or dc_vm_refs.empty?
+			dc_vm_refs.flatten!
+			dc_vm_refs.compact!
+			next if dc_vm_refs.nil? or dc_vm_refs.empty?
+			print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} Found a Total of #{dc_vm_refs.length} VMs"
+			print_status "#{datastore['RHOST']}  - DataCenter: #{dc['name']} Estimated Time: #{((dc_vm_refs.length * 7) /60)} Minutes"
+			dc_vm_refs.each do |ref|
+				print_status "#{datastore['RHOST']}  -  DataCenter: #{dc['name']} - Getting Data for VM: #{ref}..."
 				details  = vim_get_vm_info(ref)
 				if details
 					details['ref'] = ref
+					details['dc_ref'] = dc['ref']
+					details['dc_name'] = dc['name']
 					vmlist << details
 				end
 			end

modules/auxiliary/scanner/vmware/vmware_vm_discovery.rb

@@ -36,7 +36,8 @@ class Metasploit3 < Msf::Auxiliary
 			[
 				Opt::RPORT(443),
 				OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
-				OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])
+				OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ]),
+				OptBool.new('SCREENSHOT', [true, "Wheter or not to try to take a screenshot", true])
 			], self.class)
 	end