From c9cf47bd4c1d6d833f4a08b804486ad737bbb197 Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Wed, 15 Feb 2012 16:39:13 -0600
Subject: [PATCH] Add Terminate Session module and some extra goodness to enum sessions
---
lib/msf/core/exploit/vim_soap.rb | 58 +++++++++++++++++
.../admin/vmware/terminate_esx_session.rb | 64 +++++++++++++++++++
.../scanner/vmware/vmware_enum_sessions.rb | 1 +
3 files changed, 123 insertions(+)
create mode 100644 modules/auxiliary/admin/vmware/terminate_esx_session.rb
diff --git a/lib/msf/core/exploit/vim_soap.rb b/lib/msf/core/exploit/vim_soap.rb
index 73bcaa9892..7056fd78fe 100644
--- a/lib/msf/core/exploit/vim_soap.rb
+++ b/lib/msf/core/exploit/vim_soap.rb
@@ -98,6 +98,64 @@ module Exploit::Remote::VIMSoap return session_list.flatten.compact end + def vim_session_is_active(key, username) + soap_req = + %Q| + + + <_this type="SessionManager">#{@server_objects['sessionManager']} + #{key} + #{username} + + + | + res = send_request_cgi({ + 'uri' => '/sdk', + 'method' => 'POST', + 'agent' => 'VMware VI Client', + 'cookie' => @vim_cookie, + 'data' => soap_req, + 'headers' => { 'SOAPAction' => @soap_action} + }, 25) + return :noresponse unless res + if res.body.include? "NotAuthenticatedFault" + return :expired + elsif res.body.include? "" + return :error + end + active = Hash.from_xml(res.body)['Envelope']['Body']['SessionIsActiveResponse']['returnval'] + return active + end + + + def vim_terminate_session(key) + vim_setup_references + soap_req = + %Q| + + + <_this xsi:type="ManagedObjectReference" type="SessionManager" >#{@server_objects['sessionManager']} + #{key} + + + | + res = send_request_cgi({ + 'uri' => '/sdk', + 'method' => 'POST', + 'agent' => 'VMware VI Client', + 'cookie' => @vim_cookie, + 'data' => soap_req, + 'headers' => { 'SOAPAction' => @soap_action} + }, 25) + return :noresponse unless res + return :notfound if res.body.include? "NotFoundFault" + if res.body.include? "NotAuthenticatedFault" + return :expired + elsif res.body.include? "" + return :error + end + return :success + end def vim_get_dc_name(dc) diff --git a/modules/auxiliary/admin/vmware/terminate_esx_session.rb b/modules/auxiliary/admin/vmware/terminate_esx_session.rb new file mode 100644 index 0000000000..95ed2eb0d2 --- /dev/null +++ b/modules/auxiliary/admin/vmware/terminate_esx_session.rb 
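Review bot: `vim_session_is_active` dereferences `Hash.from_xml(res.body)['Envelope']['Body']['SessionIsActiveResponse']['returnval']` without checking that the response contains that element, so a reply that matches neither fault check raises NoMethodError on nil instead of returning one of the status symbols. A guard such as `return :error unless res.body.include? "SessionIsActiveResponse"` before the parse keeps the method's contract. Both new methods also interpolate `key` and `username` into the SOAP body as-is (in the enum_sessions hunk the user name is taken from the session list, and the key comes from a module option), so a value containing `<` or `&` yields a malformed or altered request; escaping at the interpolation, e.g. `key.to_s.encode(:xml => :text)`, avoids that. `vim_terminate_session` calls `vim_setup_references` first while `vim_session_is_active` relies on `@server_objects` already being populated, which deserves either the same call or a comment stating the precondition.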
@@ -0,0 +1,64 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/exploit/vim_soap'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Report
+ include Msf::Exploit::Remote::VIMSoap
+
+ def initialize
+ super(
+ 'Name' => 'VMWare Terminate ESX Login Sessions',
+ 'Description' => %Q{
+ This module will log into the Web API of VMWare and try to terminate
+ a user's login session as specified by the session key.},
+ 'Author' => ['TheLightCosine '],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options(
+ [
+ Opt::RPORT(443),
+ OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),
+ OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ]),
+ OptString.new('KEY', [true, "The session key to terminate"])
+ ], self.class)
+ end
+
+ def run
+
+ if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success
+ result = vim_terminate_session(datastore['KEY'])
+ case result
+ when :notfound
+ print_error "The specified Session was not found. Check your key"
+ when :success
+ print_good "The supplied session was terminated successfully."
+ when :error
+ print_error "There was an error encountered."
+ end
+ else
+ print_error "Login Failure on #{ip}"
+ return
+ end
+ end
+
+
+
+
+end
+
diff --git a/modules/auxiliary/scanner/vmware/vmware_enum_sessions.rb b/modules/auxiliary/scanner/vmware/vmware_enum_sessions.rb
index e0be6748a4..546e18340e 100644
--- a/modules/auxiliary/scanner/vmware/vmware_enum_sessions.rb
+++ b/modules/auxiliary/scanner/vmware/vmware_enum_sessions.rb
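Review bot: The login-failure branch of `run` interpolates `#{ip}`, but this module is a plain Msf::Auxiliary whose `run` takes no argument and nothing visible defines `ip`, so a failed login would likely raise NameError instead of printing the message; `print_error "Login Failure on #{rhost}"` uses the accessor the HttpClient mixin provides. The `case result` also has no arm for `:noresponse` or `:expired`, both of which `vim_terminate_session` returns in this commit, so those outcomes print nothing at all; an `else` arm with `print_error "Session termination failed: #{result}"` would surface them. The `'password'` default on PASSWORD means a run with unset options still sends a login attempt with a guessed credential, so dropping the default and leaving the option required makes that an explicit operator choice.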
@@ -58,6 +58,7 @@ class Metasploit3 < Msf::Auxiliary
 output = ''
 vim_sessions.each do |vsession|
 tmp_line = "Name: #{vsession['fullName']} \n\t"
+ tmp_line << "Active: #{vim_session_is_active(vsession['key'],vsession['userName'])} \n\t"
 tmp_line << "Username: #{vsession['userName']}\n\t"
 tmp_line << "Session Key: #{vsession['key']}\n\t"
 tmp_line << "Locale: #{vsession['locale']}\n\t"
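Review bot: The new `Active:` field prints the raw return of `vim_session_is_active`, which per the helper added in this commit is either the server's `returnval` or one of `:noresponse`, `:expired`, `:error`, so the stored output cannot tell "inactive" from "could not be checked". Assigning it first, `active = vim_session_is_active(vsession['key'], vsession['userName'])`, and printing `active.is_a?(Symbol) ? "unknown (#{active})" : active` makes that distinction explicit. The call also adds one blocking request per listed session, each with the helper's 25-second timeout, inside a loop whose start and end are outside this hunk.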