Fix up VMWware webscan to not false positive
Checks to see if a target is actually vmware based on the provided cookie, using the http_fingerprint() function from HttpClient. [Fixes #6340]
This commit is contained in:
parent
cd0a806a06
commit
786d75493c
|
@ -619,6 +619,10 @@ module Exploit::Remote::HttpClient
|
|||
extras << "#{res.code}-#{res.message}"
|
||||
end
|
||||
|
||||
if res.headers['Set-Cookie'] =~ /^vmware_soap_session/
|
||||
extras << "VMWare Web Services"
|
||||
end
|
||||
|
||||
if (res.headers['X-Powered-By'])
|
||||
extras << "Powered by " + res.headers['X-Powered-By']
|
||||
end
|
||||
|
|
|
@ -44,6 +44,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
def run_host(ip)
|
||||
|
||||
return unless check(ip)
|
||||
|
||||
each_user_pass { |user, pass|
|
||||
result = do_login(user, pass)
|
||||
case result
|
||||
|
@ -54,6 +56,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
:port => rport,
|
||||
:user => user,
|
||||
:pass => pass,
|
||||
:proto => 'tcp',
|
||||
:sname => 'https',
|
||||
:source_type => "user_supplied",
|
||||
:active => true
|
||||
)
|
||||
|
@ -64,22 +68,58 @@ class Metasploit3 < Msf::Auxiliary
|
|||
}
|
||||
end
|
||||
|
||||
def do_login(user, pass)
|
||||
# Mostly taken from the Apache Tomcat service validator
|
||||
def check(ip)
|
||||
datastore['URI'] ||= "/sdk"
|
||||
user = Rex::Text.rand_text_alpha(8)
|
||||
pass = Rex::Text.rand_text_alpha(8)
|
||||
begin
|
||||
res = send_request_cgi({
|
||||
'uri' => datastore['URI'],
|
||||
'method' => 'POST',
|
||||
'agent' => 'VMware VI Client',
|
||||
'data' => gen_soap_data(user,pass)
|
||||
}, 25)
|
||||
if res
|
||||
fp = http_fingerprint({ :response => res })
|
||||
if fp =~ /VMWare/
|
||||
return true
|
||||
else
|
||||
vprint_error("http://#{ip}:#{rport} - Could not identify as VMWare")
|
||||
return false
|
||||
end
|
||||
else
|
||||
vprint_error("http://#{ip}:#{rport} - No response")
|
||||
end
|
||||
rescue ::Rex::ConnectionError => e
|
||||
vprint_error("http://#{ip}:#{rport}#{datastore['URI']} - #{e}")
|
||||
return false
|
||||
rescue
|
||||
vprint_error("Skipping #{ip} due to error - #{e}")
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
def gen_soap_data(user,pass)
|
||||
soap_data = []
|
||||
soap_data << '<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">'
|
||||
soap_data << ' <SOAP-ENV:Body>'
|
||||
soap_data << ' <Login xmlns="urn:vim25">'
|
||||
soap_data << ' <_this type="SessionManager">ha-sessionmgr</_this>'
|
||||
soap_data << ' <userName>' + user + '</userName>'
|
||||
soap_data << ' <password>' + pass + '</password>'
|
||||
soap_data << ' <userName>' + user.to_s + '</userName>'
|
||||
soap_data << ' <password>' + pass.to_s + '</password>'
|
||||
soap_data << ' </Login>'
|
||||
soap_data << ' </SOAP-ENV:Body>'
|
||||
soap_data << '</SOAP-ENV:Envelope>'
|
||||
soap_data.join
|
||||
end
|
||||
|
||||
def do_login(user, pass)
|
||||
res = send_request_cgi({
|
||||
'uri' => '/sdk',
|
||||
'method' => 'POST',
|
||||
'agent' => 'VMware VI Client',
|
||||
'data' => soap_data.join("\n")
|
||||
'data' => gen_soap_data(user,pass)
|
||||
}, 25)
|
||||
if res.code == 200
|
||||
return :success
|
||||
|
@ -88,7 +128,5 @@ class Metasploit3 < Msf::Auxiliary
|
|||
end
|
||||
end
|
||||
|
||||
|
||||
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue