From 8d7ddab2af4849d73b8feee8dcc9319fc0793aeb Mon Sep 17 00:00:00 2001 From: David Maloney Date: Thu, 16 Feb 2012 00:45:48 -0600 Subject: [PATCH] Some minor bug fixes Added vm_tag module for 'flag planting' --- lib/msf/core/exploit/vim_soap.rb | 29 ++++++++ modules/auxiliary/admin/vmware/poweroff_vm.rb | 2 +- modules/auxiliary/admin/vmware/poweron_vm.rb | 2 +- modules/auxiliary/admin/vmware/tag_vm.rb | 74 +++++++++++++++++++ .../admin/vmware/terminate_esx_sessions.rb | 2 +- 5 files changed, 106 insertions(+), 3 deletions(-) create mode 100644 modules/auxiliary/admin/vmware/tag_vm.rb diff --git a/lib/msf/core/exploit/vim_soap.rb b/lib/msf/core/exploit/vim_soap.rb index 35d71fcfab..e723ca4e00 100644 --- a/lib/msf/core/exploit/vim_soap.rb +++ b/lib/msf/core/exploit/vim_soap.rb @@ -236,6 +236,35 @@ module Exploit::Remote::VIMSoap return user_list.flatten.compact end + def vim_log_event_vm(vm_ref, msg) + soap_req = + %Q| + + + <_this type="EventManager">#{@server_objects['eventManager']} + #{vm_ref} + #{msg} + + + | + res = send_request_cgi({ + 'uri' => '/sdk', + 'method' => 'POST', + 'agent' => 'VMware VI Client', + 'cookie' => @vim_cookie, + 'data' => soap_req, + 'headers' => { 'SOAPAction' => @soap_action} + }, 25) + return :noresponse unless res + if res.body.include? "NotAuthenticatedFault" + return :expired + elsif res.body.include? "" + return :error + else + return :success + end + end + def vim_get_dc_name(dc) soap_req= diff --git a/modules/auxiliary/admin/vmware/poweroff_vm.rb b/modules/auxiliary/admin/vmware/poweroff_vm.rb index dc6e31e9a9..61b2199763 100644 --- a/modules/auxiliary/admin/vmware/poweroff_vm.rb +++ b/modules/auxiliary/admin/vmware/poweroff_vm.rb @@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary print_error "Could not locate VM #{datastore['VM']}" end else - print_error "Login Failure on #{ip}" + print_error "Login Failure on #{datastore['RHOST']}" return end end 
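Review bot: In `vim_log_event_vm` (lib/msf/core/exploit/vim_soap.rb), `#{msg}` and `#{vm_ref}` are interpolated into the SOAP body without XML escaping, so a MSG value containing `<` or `&` yields a malformed envelope that the caller sees only as `:error`. Escaping the operator-supplied text before building the request keeps the envelope well-formed, for example `safe_msg = CGI.escapeHTML(msg.to_s)` (with `require 'cgi'`) and then interpolating `safe_msg`. As shown on this page the fault check reads `res.body.include? ""`, which is always true and would make the `:success` branch unreachable; the tag literal was probably lost when the page was rendered, so confirm it in the real file. The method also has no comment, and one listing the four return symbols (`:noresponse`, `:expired`, `:error`, `:success`) and noting that the HTTP status is not checked would help callers.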
diff --git a/modules/auxiliary/admin/vmware/poweron_vm.rb b/modules/auxiliary/admin/vmware/poweron_vm.rb
index 0155c576a4..affe036a67 100644
--- a/modules/auxiliary/admin/vmware/poweron_vm.rb
+++ b/modules/auxiliary/admin/vmware/poweron_vm.rb
@@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
 print_error "Could not locate VM #{datastore['VM']}"
 end
 else
- print_error "Login Failure on #{ip}"
+ print_error "Login Failure on #{datastore['RHOST']}"
 return
 end
 end
diff --git a/modules/auxiliary/admin/vmware/tag_vm.rb b/modules/auxiliary/admin/vmware/tag_vm.rb
new file mode 100644
index 0000000000..7a3e30a384
--- /dev/null
+++ b/modules/auxiliary/admin/vmware/tag_vm.rb
@@ -0,0 +1,74 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/exploit/vim_soap'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::VIMSoap
+
+ def initialize
+ super(
+ 'Name' => 'VMWare Tag Virtual Machine',
+ 'Description' => %Q{
+ This module will log into the Web API of VMWare and
+ 'tag' a specified Virtual Machine. It does this by
+ logging a user event with user supplied text},
+ 'Author' => ['TheLightCosine '],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
+ OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ]),
+ OptString.new('VM', [true, "The VM to try to Power On"]),
+ OptString.new('MSG', [true, "The message to put in the log", 'Pwned by Metasploit'])
+ ], self.class)
+ end
+
+ def run
+
+ if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
+ vm_ref = vim_find_vm_by_name(datastore['VM'])
+ if vm_ref
+ result = vim_log_event_vm(vm_ref, datastore['MSG'])
+ case result
+ when :noresponse
+ print_error "Recieved no Response"
+ when :expired
+ print_error "The login session appears to have expired"
+ when :error
+ print_error "An error occured"
+ else
+ print_good "User Event logged"
+ end
+ else
+ print_error "Could not locate VM #{datastore['VM']}"
+ end
+ else
+ print_error "Login Failure on #{datastore['RHOST']}"
+ return
+ end
+ end
+
+
+
+
+
+end
+
diff --git a/modules/auxiliary/admin/vmware/terminate_esx_sessions.rb b/modules/auxiliary/admin/vmware/terminate_esx_sessions.rb
index 97b5aef1d1..39320a16ee 100644
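Review bot: The `VM` option in `register_options` of the new tag_vm.rb still carries the description copied from the power-on module, `"The VM to try to Power On"`, which misdescribes this module; `OptString.new('VM', [true, "The VM to tag with a user event"])` would match the module description. The user-facing strings `"Recieved no Response"` and `"An error occured"` are misspelled (`Received`, `occurred`). `Msf::Auxiliary::Report` is included but nothing in `run` reports anything, so the include can be dropped unless reporting is planned. `run` hands `datastore['MSG']` to `vim_log_event_vm` unmodified, so any escaping of the message has to happen in that helper.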
--- a/modules/auxiliary/admin/vmware/terminate_esx_sessions.rb
+++ b/modules/auxiliary/admin/vmware/terminate_esx_sessions.rb
@@ -54,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
 end
 end
 else
- print_error "Login Failure on #{ip}"
+ print_error "Login Failure on #{datastore['RHOST']}"
 return
 end
 end