Fix up VMWware webscan to not false positive

Checks to see if a target is actually vmware based on the provided
cookie, using the http_fingerprint() function from HttpClient.

[Fixes #6340]

lib/msf/core/exploit/http/client.rb

@@ -619,6 +619,10 @@ module Exploit::Remote::HttpClient
 			extras << "#{res.code}-#{res.message}"
 		end
 
+		if res.headers['Set-Cookie'] =~ /^vmware_soap_session/
+			extras << "VMWare Web Services"
+		end
+
 		if (res.headers['X-Powered-By'])
 			extras << "Powered by " + res.headers['X-Powered-By']
 		end

modules/auxiliary/scanner/vmware/vmware_http_login.rb

@@ -44,6 +44,8 @@ class Metasploit3 < Msf::Auxiliary
 
 	def run_host(ip)
 
+		return unless check(ip)
+
 		each_user_pass { |user, pass|
 			result = do_login(user, pass)
 			case result
@@ -54,6 +56,8 @@ class Metasploit3 < Msf::Auxiliary
 					:port   => rport,
 					:user   => user,
 					:pass   => pass,
+					:proto  => 'tcp',
+					:sname  => 'https',
 					:source_type => "user_supplied",
 					:active => true
 				)
@@ -64,22 +68,58 @@ class Metasploit3 < Msf::Auxiliary
 		}
 	end
 
-	def do_login(user, pass)
+	# Mostly taken from the Apache Tomcat service validator
+	def check(ip)
+		datastore['URI'] ||= "/sdk"
+		user = Rex::Text.rand_text_alpha(8)
+		pass = Rex::Text.rand_text_alpha(8)
+		begin
+			res = send_request_cgi({
+				'uri'     => datastore['URI'],
+				'method'  => 'POST',
+				'agent'   => 'VMware VI Client',
+				'data' => gen_soap_data(user,pass)
+			}, 25)
+			if res
+				fp = http_fingerprint({ :response => res })
+				if fp =~ /VMWare/
+					return true
+				else
+					vprint_error("http://#{ip}:#{rport} - Could not identify as VMWare")
+					return false
+				end
+			else
+				vprint_error("http://#{ip}:#{rport} - No response")
+			end
+		rescue ::Rex::ConnectionError => e
+			vprint_error("http://#{ip}:#{rport}#{datastore['URI']} - #{e}")
+			return false
+		rescue
+			vprint_error("Skipping #{ip} due to error - #{e}")
+			return false
+		end
+	end
+
+	def gen_soap_data(user,pass)
 		soap_data = []
 		soap_data << '<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">'
 		soap_data << '    <SOAP-ENV:Body>'
 		soap_data << '        <Login xmlns="urn:vim25">'
 		soap_data << '            <_this type="SessionManager">ha-sessionmgr</_this>'
-		soap_data << '            <userName>' + user + '</userName>'
+		soap_data << '            <userName>' + user.to_s + '</userName>'
-		soap_data << '            <password>' + pass + '</password>'
+		soap_data << '            <password>' + pass.to_s + '</password>'
 		soap_data << '        </Login>'
 		soap_data << '    </SOAP-ENV:Body>'
 		soap_data << '</SOAP-ENV:Envelope>'
+		soap_data.join
+	end
+
+	def do_login(user, pass)
 		res = send_request_cgi({
 			'uri'     => '/sdk',
 			'method'  => 'POST',
 			'agent'   => 'VMware VI Client',
-			'data' => soap_data.join("\n")
+			'data' => gen_soap_data(user,pass)
 		}, 25)
 		if res.code == 200
 			return :success
@@ -88,7 +128,5 @@ class Metasploit3 < Msf::Auxiliary
 		end
 	end
 
-
-
 end