diff --git a/data/gui/lib/appframework-1.0.3.jar b/data/gui/lib/appframework-1.0.3.jar
old mode 100644
new mode 100755
diff --git a/data/gui/lib/msgpack-0.5.1-devel.jar b/data/gui/lib/msgpack-0.5.1-devel.jar
old mode 100644
new mode 100755
diff --git a/data/gui/lib/swing-worker-1.1.jar b/data/gui/lib/swing-worker-1.1.jar
old mode 100644
new mode 100755
diff --git a/data/gui/msfgui.jar b/data/gui/msfgui.jar
old mode 100644
new mode 100755
diff --git a/data/meterpreter/msflinker_linux_x86.bin b/data/meterpreter/msflinker_linux_x86.bin
old mode 100644
new mode 100755
diff --git a/data/wordlists/cms400net_default_userpass.txt b/data/wordlists/cms400net_default_userpass.txt
old mode 100644
new mode 100755
diff --git a/lib/msf/core/exploit/vim_soap.rb b/lib/msf/core/exploit/vim_soap.rb
index bc5f2743c3..3d641cf819 100644
--- a/lib/msf/core/exploit/vim_soap.rb
+++ b/lib/msf/core/exploit/vim_soap.rb
@@ -57,6 +57,38 @@ module Exploit::Remote::VIMSoap
end
end
+
+ def vim_get_dc_name(dc)
+ soap_req=
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@server_objects['propertyCollector']}
+
+
+ Datacenter
+ name
+
+
+ #{dc}
+
+
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req,
+ 'headers' => { 'SOAPAction' => @soap_action}
+ }, 25)
+ name = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+ return name
+ end
+
+
def vim_get_dcs
soap_req =
%Q|
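Review bot: `vim_get_dc_name` calls `res.body` and then walks a six-level hash chain without checking that a usable response came back. `send_request_cgi` presumably returns nil on timeout, and a fault reply (for example the `NotAuthenticatedFault` that `vim_take_screenshot` tests for) will not contain `RetrievePropertiesResponse`, so either case ends in a NoMethodError on nil. Because `vim_get_dcs` now calls this once per datacenter, one bad reply aborts the whole enumeration. A guard such as `return nil unless res and res.code == 200` before parsing, plus a nil-tolerant lookup of the `val` element, would let the caller fall back to the bare reference. A short comment stating that the method returns the datacenter's display name as a String, or nil on failure, would also help.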
@@ -136,8 +168,10 @@ module Exploit::Remote::VIMSoap
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
- @dcs << Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
- @dcs.flatten!
+ tmp_dcs = []
+ tmp_dcs = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
+ tmp_dcs.flatten!
+ tmp_dcs.each{|dc| @dcs << { 'name' => vim_get_dc_name(dc) , 'ref' => dc}}
end
def vim_get_hosts(datacenter)
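Review bot: `tmp_dcs.flatten!` will raise NoMethodError when the response describes a single datacenter, assuming `Hash.from_xml` collapses a lone `ManagedObjectReference` child to a bare value instead of a one-element array, as it normally does. The removed `@dcs << ...; @dcs.flatten!` form tolerated both shapes, and the preceding `tmp_dcs = []` is overwritten immediately so it protects nothing. Wrapping the lookup restores that tolerance: `tmp_dcs = [ Hash.from_xml(res.body)[...]['ManagedObjectReference'] ].flatten.compact`. The same direct `flatten!` on a lookup result appears at `dc_vm_refs.flatten!` in the vim_find_vms hunk, and `datastore_ref` in `vim_get_vm_datastore` is interpolated as if it were always a single reference. The enclosing method starts above this hunk.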
@@ -242,7 +276,7 @@ module Exploit::Remote::VIMSoap
end
def vim_get_all_hosts
- @dcs.each{|dc| @hosts << vim_get_hosts(dc)}
+ @dcs.each{|dc| @hosts << vim_get_hosts(dc['ref'])}
@hosts.flatten!
end
@@ -291,18 +325,24 @@ module Exploit::Remote::VIMSoap
return summaries.flatten.compact
end
-
-
- def vim_take_screenshot(vm)
- soap_req =
+ def vim_get_vm_datastore(vm)
+ soap_req =
%Q|
-
- <_this type="VirtualMachine">#{vm}
-
-
- |
- print_status "Request: #{soap_req}"
+
+ <_this type="PropertyCollector">#{@server_objects['propertyCollector']}
+
+
+ VirtualMachine
+ datastore
+
+
+ #{vm}
+
+
+
+ |
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
@@ -311,7 +351,121 @@ module Exploit::Remote::VIMSoap
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
- print_status res.body
+ datastore_ref = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
+
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@server_objects['propertyCollector']}
+
+
+ Datastore
+ info
+
+
+ #{datastore_ref}
+
+
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req,
+ 'headers' => { 'SOAPAction' => @soap_action}
+ }, 25)
+ datastore_name = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['name']
+ datastore = { 'name' => datastore_name, 'ref' => datastore_ref}
+ return datastore
+
+ end
+
+
+
+ def vim_take_screenshot(vm, user, pass)
+ soap_req =
+ %Q|
+
+
+ <_this type="VirtualMachine">#{vm['ref']}
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req,
+ 'headers' => { 'SOAPAction' => @soap_action}
+ }, 25)
+ if res.body.include? "NotAuthenticatedFault"
+ return :expired
+ elsif res.body.include? ""
+ return :error
+ end
+ task_id = Hash.from_xml(res.body)['Envelope']['Body']['CreateScreenshot_TaskResponse']['returnval']
+
+ state= "running"
+ while state == "running"
+ soap_req =
+ %Q|
+
+
+ <_this type="PropertyCollector">#{@server_objects['propertyCollector']}
+
+
+ Task
+ info
+
+
+ #{task_id}
+
+
+
+
+ |
+ res = send_request_cgi({
+ 'uri' => '/sdk',
+ 'method' => 'POST',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'data' => soap_req,
+ 'headers' => { 'SOAPAction' => @soap_action}
+ }, 25)
+ hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+ state = hash['state']
+ screenshot_file = hash['result']
+ end
+ unless screenshot_file
+ return :error
+ end
+ (ss_folder, ss_file) = screenshot_file.split('/').last(2)
+ ss_folder = URI.escape(ss_folder, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+ ss_file = URI.escape(ss_file, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+ ss_path = "#{ss_folder}/#{ss_file}"
+ datastore = vim_get_vm_datastore(vm['ref'])
+ user_pass = Rex::Text.encode_base64(user + ":" + pass)
+ ss_uri = "/folder/#{ss_path}?dcPath=#{vm['dc_name']}&dsName=#{datastore['name']}"
+ ss_uri =
+ res = send_request_cgi({
+ 'uri' => ss_uri,
+ 'method' => 'GET',
+ 'agent' => 'VMware VI Client',
+ 'cookie' => @vim_cookie,
+ 'headers' => {
+ 'SOAPAction' => @soap_action,
+ 'Authorization' => "Basic #{user_pass}",
+ }
+ }, 25)
+ if res.code == 200
+ return res.body
+ end
+ return :error
end
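Review bot: The task-polling loop in `vim_take_screenshot` has no delay and no upper bound, and it exits on any state other than "running". A task still reported as "queued" therefore falls through to `return :error`, while a task that never leaves "running" keeps the module sending requests to the server indefinitely. Polling while the state is in `%w[queued running]`, sleeping about a second between requests and giving up after a fixed number of attempts would make this predictable. Every `res.body` in this hunk also needs a `return :error unless res` guard first, since `send_request_cgi` can presumably return nil on timeout. In the download step, `vm['dc_name']` and `datastore['name']` go into the `ss_uri` query string unescaped although `ss_folder` and `ss_file` are escaped, and the bare `ss_uri =` line before `res = send_request_cgi` looks like a leftover that overwrites `ss_uri` with the response and should be removed.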
@@ -353,18 +507,21 @@ module Exploit::Remote::VIMSoap
vim_setup_references
@vmrefs = []
vmlist= []
- print_status @dcs.inspect
- @dcs.each{|dc| @vmrefs << vim_get_dc_vms(dc)}
- unless @vmrefs.empty?
- @vmrefs.flatten!
- @vmrefs.compact!
- print_status "#{datastore['RHOST']} - Found a Total of #{@vmrefs.length} VMs"
- print_status "#{datastore['RHOST']} - Estimated Time: #{((@vmrefs.length * 7) /60)} Minutes"
- @vmrefs.each do |ref|
- print_status "#{datastore['RHOST']} - Getting Data for VM: #{ref}..."
+ @dcs.each do |dc|
+ dc_vm_refs = vim_get_dc_vms(dc['ref'])
+ next if dc_vm_refs.nil? or dc_vm_refs.empty?
+ dc_vm_refs.flatten!
+ dc_vm_refs.compact!
+ next if dc_vm_refs.nil? or dc_vm_refs.empty?
+ print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} Found a Total of #{dc_vm_refs.length} VMs"
+ print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} Estimated Time: #{((dc_vm_refs.length * 7) /60)} Minutes"
+ dc_vm_refs.each do |ref|
+ print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} - Getting Data for VM: #{ref}..."
details = vim_get_vm_info(ref)
if details
details['ref'] = ref
+ details['dc_ref'] = dc['ref']
+ details['dc_name'] = dc['name']
vmlist << details
end
end
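Review bot: `@vmrefs` is still reset to `[]` at the top of this block, but nothing in the new per-datacenter loop appends to it. Any code that reads `@vmrefs` afterwards now sees an empty list where it used to get every VM reference. Either keep it populated with `@vmrefs.concat(dc_vm_refs)` after the `compact!`, or drop the instance variable if nothing else uses it; the rest of the method and its callers are outside this hunk. The second `next if dc_vm_refs.nil? or dc_vm_refs.empty?` can be reduced to `next if dc_vm_refs.empty?`, because `flatten!` and `compact!` mutate in place and the variable cannot have become nil.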
diff --git a/modules/auxiliary/scanner/vmware/vmware_vm_discovery.rb b/modules/auxiliary/scanner/vmware/vmware_vm_discovery.rb
index bbabe8152c..15e54dc555 100644
--- a/modules/auxiliary/scanner/vmware/vmware_vm_discovery.rb
+++ b/modules/auxiliary/scanner/vmware/vmware_vm_discovery.rb
@@ -36,7 +36,8 @@ class Metasploit3 < Msf::Auxiliary
[
Opt::RPORT(443),
OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
- OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])
+ OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ]),
+ OptBool.new('SCREENSHOT', [true, "Wheter or not to try to take a screenshot", true])
], self.class)
end
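Review bot: `SCREENSHOT` defaults to `true`, which turns a read-only discovery scan into one that by default presumably issues a `CreateScreenshot_Task` for the VMs it finds (see `vim_take_screenshot` in vim_soap.rb). That is a state-changing call whose result is a file on the VM's datastore. Defaulting to `false` keeps current behaviour for existing users and makes the side effect an explicit opt-in: `OptBool.new('SCREENSHOT', [true, "Whether or not to try to take a screenshot", false])`. The description string also misspells "Whether" as "Wheter".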