Working Screenshot capability!
parent
e8aa624a16
commit
676a0c53a0
|
@ -57,6 +57,38 @@ module Exploit::Remote::VIMSoap
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
def vim_get_dc_name(dc)
|
||||||
|
soap_req=
|
||||||
|
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||||
|
<env:Body>
|
||||||
|
<RetrieveProperties xmlns="urn:vim25">
|
||||||
|
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
|
||||||
|
<specSet xsi:type="PropertyFilterSpec">
|
||||||
|
<propSet xsi:type="PropertySpec">
|
||||||
|
<type>Datacenter</type>
|
||||||
|
<pathSet>name</pathSet>
|
||||||
|
</propSet>
|
||||||
|
<objectSet xsi:type="ObjectSpec">
|
||||||
|
<obj type="Datacenter">#{dc}</obj>
|
||||||
|
</objectSet>
|
||||||
|
</specSet>
|
||||||
|
</RetrieveProperties>
|
||||||
|
</env:Body>
|
||||||
|
</env:Envelope>|
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => '/sdk',
|
||||||
|
'method' => 'POST',
|
||||||
|
'agent' => 'VMware VI Client',
|
||||||
|
'cookie' => @vim_cookie,
|
||||||
|
'data' => soap_req,
|
||||||
|
'headers' => { 'SOAPAction' => @soap_action}
|
||||||
|
}, 25)
|
||||||
|
name = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
|
||||||
|
return name
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
def vim_get_dcs
|
def vim_get_dcs
|
||||||
soap_req =
|
soap_req =
|
||||||
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||||
|
@ -136,8 +168,10 @@ module Exploit::Remote::VIMSoap
|
||||||
'data' => soap_req,
|
'data' => soap_req,
|
||||||
'headers' => { 'SOAPAction' => @soap_action}
|
'headers' => { 'SOAPAction' => @soap_action}
|
||||||
}, 25)
|
}, 25)
|
||||||
@dcs << Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
|
tmp_dcs = []
|
||||||
@dcs.flatten!
|
tmp_dcs = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
|
||||||
|
tmp_dcs.flatten!
|
||||||
|
tmp_dcs.each{|dc| @dcs << { 'name' => vim_get_dc_name(dc) , 'ref' => dc}}
|
||||||
end
|
end
|
||||||
|
|
||||||
def vim_get_hosts(datacenter)
|
def vim_get_hosts(datacenter)
|
||||||
|
@ -242,7 +276,7 @@ module Exploit::Remote::VIMSoap
|
||||||
end
|
end
|
||||||
|
|
||||||
def vim_get_all_hosts
|
def vim_get_all_hosts
|
||||||
@dcs.each{|dc| @hosts << vim_get_hosts(dc)}
|
@dcs.each{|dc| @hosts << vim_get_hosts(dc['ref'])}
|
||||||
@hosts.flatten!
|
@hosts.flatten!
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -291,18 +325,24 @@ module Exploit::Remote::VIMSoap
|
||||||
return summaries.flatten.compact
|
return summaries.flatten.compact
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def vim_get_vm_datastore(vm)
|
||||||
|
soap_req =
|
||||||
def vim_take_screenshot(vm)
|
|
||||||
soap_req =
|
|
||||||
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||||
<env:Body>
|
<env:Body>
|
||||||
<CreateScreenshot_Task xmlns="urn:vim25">
|
<RetrieveProperties xmlns="urn:vim25">
|
||||||
<_this type="VirtualMachine">#{vm}</_this>
|
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
|
||||||
</CreateScreenshot_Task>
|
<specSet xsi:type="PropertyFilterSpec">
|
||||||
</env:Body>
|
<propSet xsi:type="PropertySpec">
|
||||||
</env:Envelope>|
|
<type>VirtualMachine</type>
|
||||||
print_status "Request: #{soap_req}"
|
<pathSet>datastore</pathSet>
|
||||||
|
</propSet>
|
||||||
|
<objectSet xsi:type="ObjectSpec">
|
||||||
|
<obj type="VirtualMachine">#{vm}</obj>
|
||||||
|
</objectSet>
|
||||||
|
</specSet>
|
||||||
|
</RetrieveProperties>
|
||||||
|
</env:Body
|
||||||
|
></env:Envelope>|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => '/sdk',
|
'uri' => '/sdk',
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
|
@ -311,7 +351,121 @@ module Exploit::Remote::VIMSoap
|
||||||
'data' => soap_req,
|
'data' => soap_req,
|
||||||
'headers' => { 'SOAPAction' => @soap_action}
|
'headers' => { 'SOAPAction' => @soap_action}
|
||||||
}, 25)
|
}, 25)
|
||||||
print_status res.body
|
datastore_ref = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
|
||||||
|
|
||||||
|
soap_req =
|
||||||
|
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||||
|
<env:Body>
|
||||||
|
<RetrieveProperties xmlns="urn:vim25">
|
||||||
|
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
|
||||||
|
<specSet xsi:type="PropertyFilterSpec">
|
||||||
|
<propSet xsi:type="PropertySpec">
|
||||||
|
<type>Datastore</type>
|
||||||
|
<pathSet>info</pathSet>
|
||||||
|
</propSet>
|
||||||
|
<objectSet xsi:type="ObjectSpec">
|
||||||
|
<obj type="Datastore">#{datastore_ref}</obj>
|
||||||
|
</objectSet>
|
||||||
|
</specSet>
|
||||||
|
</RetrieveProperties>
|
||||||
|
</env:Body>
|
||||||
|
</env:Envelope>|
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => '/sdk',
|
||||||
|
'method' => 'POST',
|
||||||
|
'agent' => 'VMware VI Client',
|
||||||
|
'cookie' => @vim_cookie,
|
||||||
|
'data' => soap_req,
|
||||||
|
'headers' => { 'SOAPAction' => @soap_action}
|
||||||
|
}, 25)
|
||||||
|
datastore_name = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['name']
|
||||||
|
datastore = { 'name' => datastore_name, 'ref' => datastore_ref}
|
||||||
|
return datastore
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
def vim_take_screenshot(vm, user, pass)
|
||||||
|
soap_req =
|
||||||
|
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||||
|
<env:Body>
|
||||||
|
<CreateScreenshot_Task xmlns="urn:vim25">
|
||||||
|
<_this type="VirtualMachine">#{vm['ref']}</_this>
|
||||||
|
</CreateScreenshot_Task>
|
||||||
|
</env:Body>
|
||||||
|
</env:Envelope>|
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => '/sdk',
|
||||||
|
'method' => 'POST',
|
||||||
|
'agent' => 'VMware VI Client',
|
||||||
|
'cookie' => @vim_cookie,
|
||||||
|
'data' => soap_req,
|
||||||
|
'headers' => { 'SOAPAction' => @soap_action}
|
||||||
|
}, 25)
|
||||||
|
if res.body.include? "NotAuthenticatedFault"
|
||||||
|
return :expired
|
||||||
|
elsif res.body.include? "<faultstring>"
|
||||||
|
return :error
|
||||||
|
end
|
||||||
|
task_id = Hash.from_xml(res.body)['Envelope']['Body']['CreateScreenshot_TaskResponse']['returnval']
|
||||||
|
|
||||||
|
state= "running"
|
||||||
|
while state == "running"
|
||||||
|
soap_req =
|
||||||
|
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||||
|
<env:Body>
|
||||||
|
<RetrieveProperties xmlns="urn:vim25">
|
||||||
|
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
|
||||||
|
<specSet xsi:type="PropertyFilterSpec">
|
||||||
|
<propSet xsi:type="PropertySpec">
|
||||||
|
<type>Task</type>
|
||||||
|
<pathSet>info</pathSet>
|
||||||
|
</propSet>
|
||||||
|
<objectSet xsi:type="ObjectSpec">
|
||||||
|
<obj type="Task">#{task_id}</obj>
|
||||||
|
</objectSet>
|
||||||
|
</specSet>
|
||||||
|
</RetrieveProperties>
|
||||||
|
</env:Body>
|
||||||
|
</env:Envelope>|
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => '/sdk',
|
||||||
|
'method' => 'POST',
|
||||||
|
'agent' => 'VMware VI Client',
|
||||||
|
'cookie' => @vim_cookie,
|
||||||
|
'data' => soap_req,
|
||||||
|
'headers' => { 'SOAPAction' => @soap_action}
|
||||||
|
}, 25)
|
||||||
|
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
|
||||||
|
state = hash['state']
|
||||||
|
screenshot_file = hash['result']
|
||||||
|
end
|
||||||
|
unless screenshot_file
|
||||||
|
return :error
|
||||||
|
end
|
||||||
|
(ss_folder, ss_file) = screenshot_file.split('/').last(2)
|
||||||
|
ss_folder = URI.escape(ss_folder, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
|
||||||
|
ss_file = URI.escape(ss_file, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
|
||||||
|
ss_path = "#{ss_folder}/#{ss_file}"
|
||||||
|
datastore = vim_get_vm_datastore(vm['ref'])
|
||||||
|
user_pass = Rex::Text.encode_base64(user + ":" + pass)
|
||||||
|
ss_uri = "/folder/#{ss_path}?dcPath=#{vm['dc_name']}&dsName=#{datastore['name']}"
|
||||||
|
ss_uri =
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => ss_uri,
|
||||||
|
'method' => 'GET',
|
||||||
|
'agent' => 'VMware VI Client',
|
||||||
|
'cookie' => @vim_cookie,
|
||||||
|
'headers' => {
|
||||||
|
'SOAPAction' => @soap_action,
|
||||||
|
'Authorization' => "Basic #{user_pass}",
|
||||||
|
}
|
||||||
|
}, 25)
|
||||||
|
if res.code == 200
|
||||||
|
return res.body
|
||||||
|
end
|
||||||
|
return :error
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
@ -353,18 +507,21 @@ module Exploit::Remote::VIMSoap
|
||||||
vim_setup_references
|
vim_setup_references
|
||||||
@vmrefs = []
|
@vmrefs = []
|
||||||
vmlist= []
|
vmlist= []
|
||||||
print_status @dcs.inspect
|
@dcs.each do |dc|
|
||||||
@dcs.each{|dc| @vmrefs << vim_get_dc_vms(dc)}
|
dc_vm_refs = vim_get_dc_vms(dc['ref'])
|
||||||
unless @vmrefs.empty?
|
next if dc_vm_refs.nil? or dc_vm_refs.empty?
|
||||||
@vmrefs.flatten!
|
dc_vm_refs.flatten!
|
||||||
@vmrefs.compact!
|
dc_vm_refs.compact!
|
||||||
print_status "#{datastore['RHOST']} - Found a Total of #{@vmrefs.length} VMs"
|
next if dc_vm_refs.nil? or dc_vm_refs.empty?
|
||||||
print_status "#{datastore['RHOST']} - Estimated Time: #{((@vmrefs.length * 7) /60)} Minutes"
|
print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} Found a Total of #{dc_vm_refs.length} VMs"
|
||||||
@vmrefs.each do |ref|
|
print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} Estimated Time: #{((dc_vm_refs.length * 7) /60)} Minutes"
|
||||||
print_status "#{datastore['RHOST']} - Getting Data for VM: #{ref}..."
|
dc_vm_refs.each do |ref|
|
||||||
|
print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} - Getting Data for VM: #{ref}..."
|
||||||
details = vim_get_vm_info(ref)
|
details = vim_get_vm_info(ref)
|
||||||
if details
|
if details
|
||||||
details['ref'] = ref
|
details['ref'] = ref
|
||||||
|
details['dc_ref'] = dc['ref']
|
||||||
|
details['dc_name'] = dc['name']
|
||||||
vmlist << details
|
vmlist << details
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
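Review bot: The task-polling loop in `vim_take_screenshot` (`while state == "running"`) has no delay and no upper bound, and `res.body` is read there (and in `vim_get_dc_name` and `vim_get_vm_datastore`) without checking that `send_request_cgi` returned a response. A task that never leaves `running` therefore spins against `/sdk` indefinitely, a timed-out request raises NoMethodError instead of returning `:error`, and a task reported as `queued` exits the loop at once with no result. I would bound the number of polls, pause between them and return `:error` on a nil response, as sketched below. Separately in the same method, the bare `ss_uri =` line before the GET is a leftover that rebinds `ss_uri` to the response, and `vm['dc_name']` and `datastore['name']` go into the query string unescaped although the path parts are escaped.

```ruby
state = "running"
screenshot_file = nil
polls = 0
while %w[queued running].include?(state)
  polls += 1
  return :error if polls > 60   # constructed limit, adjust to taste
  # … unchanged: build soap_req for task_id and send it with send_request_cgi …
  return :error unless res
  # … unchanged: read state and screenshot_file from the parsed response …
  select(nil, nil, nil, 1)      # one-second pause between polls
end
```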
@ -36,7 +36,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
[
|
[
|
||||||
Opt::RPORT(443),
|
Opt::RPORT(443),
|
||||||
OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
|
OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
|
||||||
OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])
|
OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ]),
|
||||||
|
OptBool.new('SCREENSHOT', [true, "Wheter or not to try to take a screenshot", true])
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
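Review bot: The new `SCREENSHOT` option defaults to `true`, so a plain run of the module would now also start a screenshot task for the VMs it enumerates (the call site is outside this hunk, so this is inferred). Judging by `vim_take_screenshot`, the task result appears to be a file created on the VM's datastore, which is a state change on the target that an inventory run did not make before. I would make that step opt-in and fix the typo in the description: `OptBool.new('SCREENSHOT', [true, "Whether or not to try to take a screenshot", false])`. The options array and the enclosing `initialize` begin above the hunk.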