Add a new vmauthd_version scanner (also pulls in the SSL cert if

available)

modules/auxiliary/scanner/vmware/vmauthd_version.rb

@@ -0,0 +1,135 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core/exploit/tcp'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Exploit::Remote::Tcp
+	include Msf::Auxiliary::Scanner
+	include Msf::Auxiliary::Report
+
+	@@cached_rsa_key = nil
+
+	def initialize
+		super(
+			'Name'        => 'VMWare Authentication Daemon Version Scanner',
+			'Version'     => '$Revision$',
+			'Description' => %q{
+				This module will identify information about a host through the
+			vmauthd service.
+			},
+			'Author'      => ['TheLightCosine <thelightcosine[at]metasploit.com>', 'hdm'],
+			'License'     => MSF_LICENSE
+		)
+
+		register_options([Opt::RPORT(902)])
+
+	end
+
+
+
+	def run_host(ip)
+		begin
+		
+		connect rescue nil
+		if not self.sock
+			return
+		end
+		
+		banner = sock.get_once(-1, 10)
+		if not banner
+			print_error "#{rhost}:#{rport} No banner received from vmauthd"
+			return
+		end
+		
+		banner = banner.strip
+
+		unless banner =~ /VMware Authentication Daemon/
+			print_error "#{rhost}:#{rport} This does not appear to be a vmauthd service"
+			return
+		end
+
+		cert = nil
+		
+		if banner =~ /SSL/
+			print_status("#{rhost}:#{rport} Switching to SSL connection...")
+			swap_sock_plain_to_ssl
+			cert = self.sock.peer_cert
+		end
+		
+		if cert
+			banner << " Certificate:#{cert.subject.to_s}"
+		end
+		
+		print_status "#{rhost}:#{rport} Banner: #{banner}"
+		
+		report_service(
+			:host  => rhost,
+			:port  => rport,
+			:sname => 'vmauthd',
+			:info  => banner,
+			:proto => 'tcp'
+		)
+		
+		
+		rescue ::Interrupt
+			raise $!
+		ensure
+			disconnect
+		end
+
+	end
+
+	def do_login(user, pass, nsock=self.sock)
+		nsock.put("USER #{user}\r\n")
+		res = nsock.get_once
+		unless res.start_with? "331"
+			ret_msg = "Unexpected reply to the USER command: #{res}"
+			return ret_msg
+		end
+		nsock.put("PASS #{pass}\r\n")
+		res = nsock.get_once
+		if res.start_with? "530"
+			return :failed
+		elsif res.start_with? "230"
+			return :success
+		else
+			ret_msg = "Unexpected reply to the PASS command: #{res}"
+			return ret_msg
+		end
+	end
+
+	def swap_sock_plain_to_ssl(nsock=self.sock)
+		ctx =  generate_ssl_context()
+		ssl = OpenSSL::SSL::SSLSocket.new(nsock, ctx)
+
+		ssl.connect
+
+		nsock.extend(Rex::Socket::SslTcp)
+		nsock.sslsock = ssl
+		nsock.sslctx  = ctx
+	end
+
+	def generate_ssl_context
+		ctx = OpenSSL::SSL::SSLContext.new(:SSLv3)
+		@@cached_rsa_key ||= OpenSSL::PKey::RSA.new(1024){ }
+
+		ctx.key = @@cached_rsa_key
+
+		ctx.session_id_context = Rex::Text.rand_text(16)
+
+		return ctx
+	end
+
+
+end
+