130 lines
2.5 KiB
Ruby
130 lines
2.5 KiB
Ruby
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
require 'msf/core/exploit/tcp'
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
include Exploit::Remote::Tcp
|
|
include Msf::Auxiliary::Scanner
|
|
include Msf::Auxiliary::Report
|
|
|
|
@@cached_rsa_key = nil
|
|
|
|
def initialize
|
|
super(
|
|
'Name' => 'VMWare Authentication Daemon Version Scanner',
|
|
'Description' => %q{
|
|
This module will identify information about a host through the
|
|
vmauthd service.
|
|
},
|
|
'Author' => ['theLightCosine', 'hdm'],
|
|
'License' => MSF_LICENSE
|
|
)
|
|
|
|
register_options([Opt::RPORT(902)])
|
|
|
|
end
|
|
|
|
|
|
|
|
def run_host(ip)
|
|
begin
|
|
|
|
connect rescue nil
|
|
if not self.sock
|
|
return
|
|
end
|
|
|
|
banner = sock.get_once(-1, 10)
|
|
if not banner
|
|
print_error "#{rhost}:#{rport} No banner received from vmauthd"
|
|
return
|
|
end
|
|
|
|
banner = banner.strip
|
|
|
|
unless banner =~ /VMware Authentication Daemon/
|
|
print_error "#{rhost}:#{rport} This does not appear to be a vmauthd service"
|
|
return
|
|
end
|
|
|
|
cert = nil
|
|
|
|
if banner =~ /SSL/
|
|
print_status("#{rhost}:#{rport} Switching to SSL connection...")
|
|
swap_sock_plain_to_ssl
|
|
cert = self.sock.peer_cert
|
|
end
|
|
|
|
if cert
|
|
banner << " Certificate:#{cert.subject.to_s}"
|
|
end
|
|
|
|
print_status "#{rhost}:#{rport} Banner: #{banner}"
|
|
|
|
report_service(
|
|
:host => rhost,
|
|
:port => rport,
|
|
:sname => 'vmauthd',
|
|
:info => banner,
|
|
:proto => 'tcp'
|
|
)
|
|
|
|
|
|
rescue ::Interrupt
|
|
raise $!
|
|
ensure
|
|
disconnect
|
|
end
|
|
|
|
end
|
|
|
|
def do_login(user, pass, nsock=self.sock)
|
|
nsock.put("USER #{user}\r\n")
|
|
res = nsock.get_once
|
|
unless res.start_with? "331"
|
|
ret_msg = "Unexpected reply to the USER command: #{res}"
|
|
return ret_msg
|
|
end
|
|
nsock.put("PASS #{pass}\r\n")
|
|
res = nsock.get_once || ''
|
|
if res.start_with? "530"
|
|
return :failed
|
|
elsif res.start_with? "230"
|
|
return :success
|
|
else
|
|
ret_msg = "Unexpected reply to the PASS command: #{res}"
|
|
return ret_msg
|
|
end
|
|
end
|
|
|
|
def swap_sock_plain_to_ssl(nsock=self.sock)
|
|
ctx = generate_ssl_context()
|
|
ssl = OpenSSL::SSL::SSLSocket.new(nsock, ctx)
|
|
|
|
ssl.connect
|
|
|
|
nsock.extend(Rex::Socket::SslTcp)
|
|
nsock.sslsock = ssl
|
|
nsock.sslctx = ctx
|
|
end
|
|
|
|
def generate_ssl_context
|
|
ctx = OpenSSL::SSL::SSLContext.new(:SSLv3)
|
|
@@cached_rsa_key ||= OpenSSL::PKey::RSA.new(1024){ }
|
|
|
|
ctx.key = @@cached_rsa_key
|
|
|
|
ctx.session_id_context = Rex::Text.rand_text(16)
|
|
|
|
return ctx
|
|
end
|
|
|
|
|
|
end
|