Adds a power on vm module

lib/msf/core/exploit/vim_soap.rb

@@ -392,6 +392,133 @@ module Exploit::Remote::VIMSoap
 
 	end
 
+	def vim_find_vm_by_name(name)
+		vim_setup_references
+		@dcs.each do |dc|
+			soap_req = 
+				%Q| <env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+				<env:Body>
+				<RetrieveProperties xmlns="urn:vim25">
+					<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
+					<specSet xsi:type="PropertyFilterSpec">
+						<propSet xsi:type="PropertySpec">
+							<type>Datacenter</type>
+							<pathSet>vmFolder</pathSet>
+						</propSet>
+						<objectSet xsi:type="ObjectSpec">
+							<obj type="Datacenter">#{dc['ref']}</obj>
+						</objectSet>
+					</specSet>
+				</RetrieveProperties>
+				</env:Body>
+				</env:Envelope>|
+			res = send_request_cgi({
+				'uri'     => '/sdk',
+				'method'  => 'POST',
+				'agent'   => 'VMware VI Client',
+				'cookie'  => @vim_cookie,
+				'data'    => soap_req,
+				'headers' => { 'SOAPAction' => @soap_action}
+			}, 25)
+			next unless res and res.code == 200
+			vm_folders = []
+			vm_folders << Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+			vm_folders.flatten!
+			vm_folders.compact!
+			vm_folders.each do |vm_folder|
+				soap_req =
+					%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+					<env:Body>
+					<FindChild xmlns="urn:vim25">
+						<_this type="SearchIndex">#{@server_objects['searchIndex']}</_this>
+						<entity type="Folder">#{vm_folder}</entity>
+						<name>#{name}</name>
+					</FindChild>
+					</env:Body>
+					</env:Envelope>|
+				res = send_request_cgi({
+					'uri'     => '/sdk',
+					'method'  => 'POST',
+					'agent'   => 'VMware VI Client',
+					'cookie'  => @vim_cookie,
+					'data'    => soap_req,
+					'headers' => { 'SOAPAction' => @soap_action}
+				}, 25)
+				next unless res and res.code == 200
+				tmp_hash = Hash.from_xml(res.body)['Envelope']['Body']['FindChildResponse']
+				if tmp_hash['returnval']
+					return tmp_hash['returnval']
+				end
+			end
+		end
+		return nil
+	end
+
+
+
+	def vim_powerON_vm(vm_ref)
+		soap_req =
+			%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+			<env:Body>
+			<PowerOnVM_Task xmlns="urn:vim25">
+				<_this type="VirtualMachine">#{vm_ref}</_this>
+			</PowerOnVM_Task>
+			</env:Body>
+			</env:Envelope>| 
+		res = send_request_cgi({
+			'uri'     => '/sdk',
+			'method'  => 'POST',
+			'agent'   => 'VMware VI Client',
+			'cookie'  => @vim_cookie,
+			'data'    => soap_req,
+			'headers' => { 'SOAPAction' => @soap_action}
+		}, 25)
+		if res.body.include? "NotAuthenticatedFault"
+			return :expired
+		elsif res.body.include? "<faultstring>"
+			return :error
+		end
+		task_id = Hash.from_xml(res.body)['Envelope']['Body']['PowerOnVM_TaskResponse']['returnval']
+		state= "running"
+		while state == "running"
+			soap_req =
+				%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+				<env:Body>
+				<RetrieveProperties xmlns="urn:vim25">
+					<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
+					<specSet xsi:type="PropertyFilterSpec">
+						<propSet xsi:type="PropertySpec">
+							<type>Task</type>
+							<pathSet>info</pathSet>
+						</propSet>
+						<objectSet xsi:type="ObjectSpec">
+							<obj type="Task">#{task_id}</obj>
+						</objectSet>
+					</specSet>
+				</RetrieveProperties>
+				</env:Body>
+				</env:Envelope>| 
+			res = send_request_cgi({
+				'uri'     => '/sdk',
+				'method'  => 'POST',
+				'agent'   => 'VMware VI Client',
+				'cookie'  => @vim_cookie,
+				'data'    => soap_req,
+				'headers' => { 'SOAPAction' => @soap_action}
+			}, 25)
+			hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
+			state = hash['state']
+			case state
+			when 'running'
+				select(nil, nil, nil, 5)
+			when 'error'
+				if hash['error']['fault']['existingState'] == 'poweredOn'
+					return 'alreadyON'
+				end
+			end
+		end
+		return state
+	end
 
 
 	def vim_take_screenshot(vm, user, pass)
@@ -417,6 +544,7 @@ module Exploit::Remote::VIMSoap
 			return :error
 		end
 		task_id = Hash.from_xml(res.body)['Envelope']['Body']['CreateScreenshot_TaskResponse']['returnval']
+		
 
 		state= "running"
 		while state == "running"

modules/auxiliary/admin/vmware/poweron_vm.rb

@@ -0,0 +1,70 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/exploit/vim_soap'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Report
+	include Msf::Exploit::Remote::VIMSoap
+
+	def initialize
+		super(
+			'Name'           => 'VMWare Power On Virtual Machine',
+			'Description'    => %Q{
+							This module will log into the Web API of VMWare and try to power on
+							a specified Virtual Machine.},
+			'Author'         => ['TheLightCosine <thelightcosine[at]metasploit.com>'],
+			'License'        => MSF_LICENSE
+		)
+
+		register_options(
+			[
+				Opt::RPORT(443),
+				OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
+				OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ]),
+				OptString.new('VM', [true, "The VM to try to Power On"])
+			], self.class)
+	end
+
+	def run
+
+		if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
+			vm_ref = vim_find_vm_by_name(datastore['VM'])
+			if vm_ref 
+				return_state = vim_powerON_vm(vm_ref)
+				case return_state 
+				when 'success'
+					print_good "VM Powered On Successfully"
+				when 'alreadyON'
+					print_status "The Server says that VM #{datastore['VM']} is already on."
+				else
+					print_error "The server returned an unexpected status #{return_state}"
+				end
+			else
+				print_error "Could not locate VM #{datastore['VM']}"
+			end
+		else
+			print_error "Login Failure on #{ip}"
+			return
+		end
+	end
+
+
+
+
+
+end
+