Fix up VMWare webscan so it does not false positive
Checks whether a target is actually VMware, based on the cookie it returns, using the http_fingerprint() function from HttpClient. [Fixes #6340]
This commit is contained in:
parent
cd0a806a06
commit
786d75493c
|
@ -619,6 +619,10 @@ module Exploit::Remote::HttpClient
|
||||||
extras << "#{res.code}-#{res.message}"
|
extras << "#{res.code}-#{res.message}"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if res.headers['Set-Cookie'] =~ /^vmware_soap_session/
|
||||||
|
extras << "VMWare Web Services"
|
||||||
|
end
|
||||||
|
|
||||||
if (res.headers['X-Powered-By'])
|
if (res.headers['X-Powered-By'])
|
||||||
extras << "Powered by " + res.headers['X-Powered-By']
|
extras << "Powered by " + res.headers['X-Powered-By']
|
||||||
end
|
end
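Review bot: The new cookie test `if res.headers['Set-Cookie'] =~ /^vmware_soap_session/` anchors with `^`, which in Ruby matches the start of any line rather than the start of the string, and it matches the cookie name without the trailing `=`, so any cookie whose name merely begins with that prefix also counts; `if res.headers['Set-Cookie'] =~ /\Avmware_soap_session=/` is the tighter form. If Rex folds several Set-Cookie headers into one value the cookie may not be first, so confirm how the header is joined before relying on the anchor. Because a Set-Cookie name is entirely server-controlled, the appended label `"VMWare Web Services"` deserves a short comment such as `# cookie-derived hint, not proof of product` so code that greps the fingerprint, as the updated scanner does, knows how strong the signal is. The enclosing http_fingerprint body starts and ends outside this hunk.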
|
||||||
@ -44,6 +44,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
def run_host(ip)
|
def run_host(ip)
|
||||||
|
|
||||||
|
return unless check(ip)
|
||||||
|
|
||||||
each_user_pass { |user, pass|
|
each_user_pass { |user, pass|
|
||||||
result = do_login(user, pass)
|
result = do_login(user, pass)
|
||||||
case result
|
case result
|
||||||
|
@ -54,6 +56,8 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
:port => rport,
|
:port => rport,
|
||||||
:user => user,
|
:user => user,
|
||||||
:pass => pass,
|
:pass => pass,
|
||||||
|
:proto => 'tcp',
|
||||||
|
:sname => 'https',
|
||||||
:source_type => "user_supplied",
|
:source_type => "user_supplied",
|
||||||
:active => true
|
:active => true
|
||||||
)
|
)
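Review bot: The new `:sname => 'https'` is fixed regardless of whether the module is actually speaking TLS, so a run with SSL disabled records the credential against the wrong service name. HttpClient exposes an `ssl` predicate in this code base, so `:sname => (ssl ? 'https' : 'http')` would record the transport that was really used; if that helper is not available here, `:sname` should at least follow the datastore SSL setting. The `report_auth_info` call these lines belong to begins before the hunk.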
|
||||||
|
@ -64,22 +68,58 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
def do_login(user, pass)
|
# Mostly taken from the Apache Tomcat service validator
|
||||||
|
def check(ip)
|
||||||
|
datastore['URI'] ||= "/sdk"
|
||||||
|
user = Rex::Text.rand_text_alpha(8)
|
||||||
|
pass = Rex::Text.rand_text_alpha(8)
|
||||||
|
begin
|
||||||
|
res = send_request_cgi({
|
||||||
|
'uri' => datastore['URI'],
|
||||||
|
'method' => 'POST',
|
||||||
|
'agent' => 'VMware VI Client',
|
||||||
|
'data' => gen_soap_data(user,pass)
|
||||||
|
}, 25)
|
||||||
|
if res
|
||||||
|
fp = http_fingerprint({ :response => res })
|
||||||
|
if fp =~ /VMWare/
|
||||||
|
return true
|
||||||
|
else
|
||||||
|
vprint_error("http://#{ip}:#{rport} - Could not identify as VMWare")
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
else
|
||||||
|
vprint_error("http://#{ip}:#{rport} - No response")
|
||||||
|
end
|
||||||
|
rescue ::Rex::ConnectionError => e
|
||||||
|
vprint_error("http://#{ip}:#{rport}#{datastore['URI']} - #{e}")
|
||||||
|
return false
|
||||||
|
rescue
|
||||||
|
vprint_error("Skipping #{ip} due to error - #{e}")
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def gen_soap_data(user,pass)
|
||||||
soap_data = []
|
soap_data = []
|
||||||
soap_data << '<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">'
|
soap_data << '<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">'
|
||||||
soap_data << ' <SOAP-ENV:Body>'
|
soap_data << ' <SOAP-ENV:Body>'
|
||||||
soap_data << ' <Login xmlns="urn:vim25">'
|
soap_data << ' <Login xmlns="urn:vim25">'
|
||||||
soap_data << ' <_this type="SessionManager">ha-sessionmgr</_this>'
|
soap_data << ' <_this type="SessionManager">ha-sessionmgr</_this>'
|
||||||
soap_data << ' <userName>' + user + '</userName>'
|
soap_data << ' <userName>' + user.to_s + '</userName>'
|
||||||
soap_data << ' <password>' + pass + '</password>'
|
soap_data << ' <password>' + pass.to_s + '</password>'
|
||||||
soap_data << ' </Login>'
|
soap_data << ' </Login>'
|
||||||
soap_data << ' </SOAP-ENV:Body>'
|
soap_data << ' </SOAP-ENV:Body>'
|
||||||
soap_data << '</SOAP-ENV:Envelope>'
|
soap_data << '</SOAP-ENV:Envelope>'
|
||||||
|
soap_data.join
|
||||||
|
end
|
||||||
|
|
||||||
|
def do_login(user, pass)
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => '/sdk',
|
'uri' => '/sdk',
|
||||||
'method' => 'POST',
|
'method' => 'POST',
|
||||||
'agent' => 'VMware VI Client',
|
'agent' => 'VMware VI Client',
|
||||||
'data' => soap_data.join("\n")
|
'data' => gen_soap_data(user,pass)
|
||||||
}, 25)
|
}, 25)
|
||||||
if res.code == 200
|
if res.code == 200
|
||||||
return :success
|
return :success
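Review bot: The bare `rescue` at the end of the new `check` method interpolates `e` in `vprint_error("Skipping #{ip} due to error - #{e}")`, but that clause never binds `e`; since the earlier `rescue ::Rex::ConnectionError => e` already declared the local, it is simply nil there and the message is printed without any error text, so it should read `rescue => e`. `check` does `datastore['URI'] ||= "/sdk"` and probes that path, while `do_login` still posts to the literal `'uri' => '/sdk'`, so a user-supplied URI makes the fingerprint and the login hit different endpoints; `do_login` should use `datastore['URI']` too. `gen_soap_data` splices `user.to_s` and `pass.to_s` straight into the XML, so a credential containing `<` or `&` yields a malformed envelope that reads as a failed login rather than an error; XML-escaping them, e.g. `' <userName>' + REXML::Text.new(user.to_s).to_s + '</userName>'`, keeps the body well-formed. Naming the probe `check(ip)` may collide with the framework's module-level `check` entry point, which I believe is invoked without arguments, so it is worth confirming and renaming (e.g. `vmware_target?(ip)`) if so. `do_login` continues past the end of this hunk.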
|
||||||
|
@ -88,7 +128,5 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
end
|
end
|