Working Screenshot capability!
parent
e8aa624a16
commit
676a0c53a0
|
@ -57,6 +57,38 @@ module Exploit::Remote::VIMSoap
|
|||
end
|
||||
end
|
||||
|
||||
|
||||
def vim_get_dc_name(dc)
|
||||
soap_req=
|
||||
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||
<env:Body>
|
||||
<RetrieveProperties xmlns="urn:vim25">
|
||||
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
|
||||
<specSet xsi:type="PropertyFilterSpec">
|
||||
<propSet xsi:type="PropertySpec">
|
||||
<type>Datacenter</type>
|
||||
<pathSet>name</pathSet>
|
||||
</propSet>
|
||||
<objectSet xsi:type="ObjectSpec">
|
||||
<obj type="Datacenter">#{dc}</obj>
|
||||
</objectSet>
|
||||
</specSet>
|
||||
</RetrieveProperties>
|
||||
</env:Body>
|
||||
</env:Envelope>|
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sdk',
|
||||
'method' => 'POST',
|
||||
'agent' => 'VMware VI Client',
|
||||
'cookie' => @vim_cookie,
|
||||
'data' => soap_req,
|
||||
'headers' => { 'SOAPAction' => @soap_action}
|
||||
}, 25)
|
||||
name = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
|
||||
return name
|
||||
end
|
||||
|
||||
|
||||
def vim_get_dcs
|
||||
soap_req =
|
||||
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||
|
@ -136,8 +168,10 @@ module Exploit::Remote::VIMSoap
|
|||
'data' => soap_req,
|
||||
'headers' => { 'SOAPAction' => @soap_action}
|
||||
}, 25)
|
||||
@dcs << Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
|
||||
@dcs.flatten!
|
||||
tmp_dcs = []
|
||||
tmp_dcs = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
|
||||
tmp_dcs.flatten!
|
||||
tmp_dcs.each{|dc| @dcs << { 'name' => vim_get_dc_name(dc) , 'ref' => dc}}
|
||||
end
|
||||
|
||||
def vim_get_hosts(datacenter)
|
||||
|
@ -242,7 +276,7 @@ module Exploit::Remote::VIMSoap
|
|||
end
|
||||
|
||||
def vim_get_all_hosts
|
||||
@dcs.each{|dc| @hosts << vim_get_hosts(dc)}
|
||||
@dcs.each{|dc| @hosts << vim_get_hosts(dc['ref'])}
|
||||
@hosts.flatten!
|
||||
end
|
||||
|
||||
|
@ -291,18 +325,24 @@ module Exploit::Remote::VIMSoap
|
|||
return summaries.flatten.compact
|
||||
end
|
||||
|
||||
|
||||
|
||||
def vim_take_screenshot(vm)
|
||||
def vim_get_vm_datastore(vm)
|
||||
soap_req =
|
||||
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||
<env:Body>
|
||||
<CreateScreenshot_Task xmlns="urn:vim25">
|
||||
<_this type="VirtualMachine">#{vm}</_this>
|
||||
</CreateScreenshot_Task>
|
||||
</env:Body>
|
||||
</env:Envelope>|
|
||||
print_status "Request: #{soap_req}"
|
||||
<RetrieveProperties xmlns="urn:vim25">
|
||||
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
|
||||
<specSet xsi:type="PropertyFilterSpec">
|
||||
<propSet xsi:type="PropertySpec">
|
||||
<type>VirtualMachine</type>
|
||||
<pathSet>datastore</pathSet>
|
||||
</propSet>
|
||||
<objectSet xsi:type="ObjectSpec">
|
||||
<obj type="VirtualMachine">#{vm}</obj>
|
||||
</objectSet>
|
||||
</specSet>
|
||||
</RetrieveProperties>
|
||||
</env:Body
|
||||
></env:Envelope>|
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sdk',
|
||||
'method' => 'POST',
|
||||
|
@ -311,7 +351,121 @@ module Exploit::Remote::VIMSoap
|
|||
'data' => soap_req,
|
||||
'headers' => { 'SOAPAction' => @soap_action}
|
||||
}, 25)
|
||||
print_status res.body
|
||||
datastore_ref = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
|
||||
|
||||
soap_req =
|
||||
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||
<env:Body>
|
||||
<RetrieveProperties xmlns="urn:vim25">
|
||||
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
|
||||
<specSet xsi:type="PropertyFilterSpec">
|
||||
<propSet xsi:type="PropertySpec">
|
||||
<type>Datastore</type>
|
||||
<pathSet>info</pathSet>
|
||||
</propSet>
|
||||
<objectSet xsi:type="ObjectSpec">
|
||||
<obj type="Datastore">#{datastore_ref}</obj>
|
||||
</objectSet>
|
||||
</specSet>
|
||||
</RetrieveProperties>
|
||||
</env:Body>
|
||||
</env:Envelope>|
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sdk',
|
||||
'method' => 'POST',
|
||||
'agent' => 'VMware VI Client',
|
||||
'cookie' => @vim_cookie,
|
||||
'data' => soap_req,
|
||||
'headers' => { 'SOAPAction' => @soap_action}
|
||||
}, 25)
|
||||
datastore_name = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['name']
|
||||
datastore = { 'name' => datastore_name, 'ref' => datastore_ref}
|
||||
return datastore
|
||||
|
||||
end
|
||||
|
||||
|
||||
|
||||
def vim_take_screenshot(vm, user, pass)
|
||||
soap_req =
|
||||
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||
<env:Body>
|
||||
<CreateScreenshot_Task xmlns="urn:vim25">
|
||||
<_this type="VirtualMachine">#{vm['ref']}</_this>
|
||||
</CreateScreenshot_Task>
|
||||
</env:Body>
|
||||
</env:Envelope>|
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sdk',
|
||||
'method' => 'POST',
|
||||
'agent' => 'VMware VI Client',
|
||||
'cookie' => @vim_cookie,
|
||||
'data' => soap_req,
|
||||
'headers' => { 'SOAPAction' => @soap_action}
|
||||
}, 25)
|
||||
if res.body.include? "NotAuthenticatedFault"
|
||||
return :expired
|
||||
elsif res.body.include? "<faultstring>"
|
||||
return :error
|
||||
end
|
||||
task_id = Hash.from_xml(res.body)['Envelope']['Body']['CreateScreenshot_TaskResponse']['returnval']
|
||||
|
||||
state= "running"
|
||||
while state == "running"
|
||||
soap_req =
|
||||
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
||||
<env:Body>
|
||||
<RetrieveProperties xmlns="urn:vim25">
|
||||
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
|
||||
<specSet xsi:type="PropertyFilterSpec">
|
||||
<propSet xsi:type="PropertySpec">
|
||||
<type>Task</type>
|
||||
<pathSet>info</pathSet>
|
||||
</propSet>
|
||||
<objectSet xsi:type="ObjectSpec">
|
||||
<obj type="Task">#{task_id}</obj>
|
||||
</objectSet>
|
||||
</specSet>
|
||||
</RetrieveProperties>
|
||||
</env:Body>
|
||||
</env:Envelope>|
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sdk',
|
||||
'method' => 'POST',
|
||||
'agent' => 'VMware VI Client',
|
||||
'cookie' => @vim_cookie,
|
||||
'data' => soap_req,
|
||||
'headers' => { 'SOAPAction' => @soap_action}
|
||||
}, 25)
|
||||
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
|
||||
state = hash['state']
|
||||
screenshot_file = hash['result']
|
||||
end
|
||||
unless screenshot_file
|
||||
return :error
|
||||
end
|
||||
(ss_folder, ss_file) = screenshot_file.split('/').last(2)
|
||||
ss_folder = URI.escape(ss_folder, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
|
||||
ss_file = URI.escape(ss_file, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
|
||||
ss_path = "#{ss_folder}/#{ss_file}"
|
||||
datastore = vim_get_vm_datastore(vm['ref'])
|
||||
user_pass = Rex::Text.encode_base64(user + ":" + pass)
|
||||
ss_uri = "/folder/#{ss_path}?dcPath=#{vm['dc_name']}&dsName=#{datastore['name']}"
|
||||
ss_uri =
|
||||
res = send_request_cgi({
|
||||
'uri' => ss_uri,
|
||||
'method' => 'GET',
|
||||
'agent' => 'VMware VI Client',
|
||||
'cookie' => @vim_cookie,
|
||||
'headers' => {
|
||||
'SOAPAction' => @soap_action,
|
||||
'Authorization' => "Basic #{user_pass}",
|
||||
}
|
||||
}, 25)
|
||||
if res.code == 200
|
||||
return res.body
|
||||
end
|
||||
return :error
|
||||
end
|
||||
|
||||
|
||||
|
@ -353,18 +507,21 @@ module Exploit::Remote::VIMSoap
|
|||
vim_setup_references
|
||||
@vmrefs = []
|
||||
vmlist= []
|
||||
print_status @dcs.inspect
|
||||
@dcs.each{|dc| @vmrefs << vim_get_dc_vms(dc)}
|
||||
unless @vmrefs.empty?
|
||||
@vmrefs.flatten!
|
||||
@vmrefs.compact!
|
||||
print_status "#{datastore['RHOST']} - Found a Total of #{@vmrefs.length} VMs"
|
||||
print_status "#{datastore['RHOST']} - Estimated Time: #{((@vmrefs.length * 7) /60)} Minutes"
|
||||
@vmrefs.each do |ref|
|
||||
print_status "#{datastore['RHOST']} - Getting Data for VM: #{ref}..."
|
||||
@dcs.each do |dc|
|
||||
dc_vm_refs = vim_get_dc_vms(dc['ref'])
|
||||
next if dc_vm_refs.nil? or dc_vm_refs.empty?
|
||||
dc_vm_refs.flatten!
|
||||
dc_vm_refs.compact!
|
||||
next if dc_vm_refs.nil? or dc_vm_refs.empty?
|
||||
print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} Found a Total of #{dc_vm_refs.length} VMs"
|
||||
print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} Estimated Time: #{((dc_vm_refs.length * 7) /60)} Minutes"
|
||||
dc_vm_refs.each do |ref|
|
||||
print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} - Getting Data for VM: #{ref}..."
|
||||
details = vim_get_vm_info(ref)
|
||||
if details
|
||||
details['ref'] = ref
|
||||
details['dc_ref'] = dc['ref']
|
||||
details['dc_name'] = dc['name']
|
||||
vmlist << details
|
||||
end
|
||||
end
|
||||
|
|
|
@ -36,7 +36,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
[
|
||||
Opt::RPORT(443),
|
||||
OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
|
||||
OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])
|
||||
OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ]),
|
||||
OptBool.new('SCREENSHOT', [true, "Wheter or not to try to take a screenshot", true])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue