From c4ea27d32b46d894e98280b800ebacb78b557aaf Mon Sep 17 00:00:00 2001 From: HD Moore Date: Sun, 19 Feb 2012 18:28:06 -0600 Subject: [PATCH] Add a new vmauthd_version scanner (also pulls in the SSL cert if available) --- .../scanner/vmware/vmauthd_version.rb | 135 ++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 modules/auxiliary/scanner/vmware/vmauthd_version.rb diff --git a/modules/auxiliary/scanner/vmware/vmauthd_version.rb b/modules/auxiliary/scanner/vmware/vmauthd_version.rb new file mode 100644 index 0000000000..39e8f67ba2 --- /dev/null +++ b/modules/auxiliary/scanner/vmware/vmauthd_version.rb @@ -0,0 +1,135 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core/exploit/tcp' + +class Metasploit3 < Msf::Auxiliary + + include Exploit::Remote::Tcp + include Msf::Auxiliary::Scanner + include Msf::Auxiliary::Report + + @@cached_rsa_key = nil + + def initialize + super( + 'Name' => 'VMWare Authentication Daemon Version Scanner', + 'Version' => '$Revision$', + 'Description' => %q{ + This module will identify information about a host through the + vmauthd service. + }, + 'Author' => ['TheLightCosine ', 'hdm'], + 'License' => MSF_LICENSE + ) + + register_options([Opt::RPORT(902)]) + + end + + + + def run_host(ip) + begin + + connect rescue nil + if not self.sock + return + end + + banner = sock.get_once(-1, 10) + if not banner + print_error "#{rhost}:#{rport} No banner received from vmauthd" + return + end + + banner = banner.strip + + unless banner =~ /VMware Authentication Daemon/ + print_error "#{rhost}:#{rport} This does not appear to be a vmauthd service" + return + end + + cert = nil + + if banner =~ /SSL/ + print_status("#{rhost}:#{rport} Switching to SSL connection...") + swap_sock_plain_to_ssl + cert = self.sock.peer_cert + end + + if cert + banner << " Certificate:#{cert.subject.to_s}" + end + + print_status "#{rhost}:#{rport} Banner: #{banner}" + + report_service( + :host => rhost, + :port => rport, + :sname => 'vmauthd', + :info => banner, + :proto => 'tcp' + ) + + + rescue ::Interrupt + raise $! + ensure + disconnect + end + + end + + def do_login(user, pass, nsock=self.sock) + nsock.put("USER #{user}\r\n") + res = nsock.get_once + unless res.start_with? "331" + ret_msg = "Unexpected reply to the USER command: #{res}" + return ret_msg + end + nsock.put("PASS #{pass}\r\n") + res = nsock.get_once + if res.start_with? "530" + return :failed + elsif res.start_with? "230" + return :success + else + ret_msg = "Unexpected reply to the PASS command: #{res}" + return ret_msg + end + end + + def swap_sock_plain_to_ssl(nsock=self.sock) + ctx = generate_ssl_context() + ssl = OpenSSL::SSL::SSLSocket.new(nsock, ctx) + + ssl.connect + + nsock.extend(Rex::Socket::SslTcp) + nsock.sslsock = ssl + nsock.sslctx = ctx + end + + def generate_ssl_context + ctx = OpenSSL::SSL::SSLContext.new(:SSLv3) + @@cached_rsa_key ||= OpenSSL::PKey::RSA.new(1024){ } + + ctx.key = @@cached_rsa_key + + ctx.session_id_context = Rex::Text.rand_text(16) + + return ctx + end + + +end +