dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Create a stable branch of vmware-api 

Just to pick up the soap library and the esx_fingerprint stuff.
This commit is contained in:
Tod Beardsley 2012-02-15 21:25:56 -06:00
parent 64cf8bb7ee
commit 95f54413d8
4 changed files with 1074 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/msf/core/constants.rb
View File

@ -64,6 +64,12 @@ module OperatingSystems
FREEBSD = "FreeBSD"
NETBSD = "NetBSD"
OPENBSD = "OpenBSD"
VMWARE = "VMware"
module VmwareVersions
ESX = "ESX"
ESXI = "ESXi"
end
module WindowsVersions
NT = "NT"

955
lib/msf/core/exploit/vim_soap.rb Normal file
View File

@ -0,0 +1,955 @@
module Msf
module Exploit::Remote::VIMSoap
include Msf::Exploit::Remote::HttpClient
def vim_get_session
soap_data =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveServiceContent xmlns="urn:vim25">
<_this type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'data' => soap_data
}, 25)
return false unless res and res.code == 200
@server_objects = Hash.from_xml(res.body)['Envelope']['Body']['RetrieveServiceContentResponse']['returnval']
@soap_action = "urn:vim25/#{@server_objects['about']['apiVersion']}"
if res.headers['Set-Cookie']
@vim_cookie = res.headers['Set-Cookie']
return true
else
return false
end
end
def vim_do_login(user, pass)
unless vim_get_session
return false
end
soap_data =
%Q|<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<Login xmlns="urn:vim25">
<_this type="SessionManager">#{@server_objects['sessionManager']}</_this>
<userName>#{user}</userName>
<password>#{pass}</password>
</Login>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_data,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
if res.code == 200
return :success
else
return :fail
end
end
def vim_get_session_list
vim_setup_references
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>SessionManager</type>
<pathSet>sessionList</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="SessionManager">#{@server_objects['sessionManager']}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
return :noresponse unless res
if res.body.include? "NotAuthenticatedFault"
return :expired
elsif res.body.include? "<faultstring>"
return :error
end
session_list = []
session_list << Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['UserSession']
return session_list.flatten.compact
end
def vim_session_is_active(key, username)
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<SessionIsActive xmlns="urn:vim25">
<_this type="SessionManager">#{@server_objects['sessionManager']}</_this>
<sessionID>#{key}</sessionID>
<userName>#{username}</userName>
</SessionIsActive>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
return :noresponse unless res
if res.body.include? "NotAuthenticatedFault"
return :expired
elsif res.body.include? "<faultstring>"
return :error
end
active = Hash.from_xml(res.body)['Envelope']['Body']['SessionIsActiveResponse']['returnval']
return active
end
def vim_terminate_session(key)
vim_setup_references
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<TerminateSession xmlns="urn:vim25">
<_this xsi:type="ManagedObjectReference" type="SessionManager" >#{@server_objects['sessionManager']}</_this>
<sessionId>#{key}</sessionId>
</TerminateSession>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
return :noresponse unless res
return :notfound if res.body.include? "NotFoundFault"
if res.body.include? "NotAuthenticatedFault"
return :expired
elsif res.body.include? "<faultstring>"
return :error
end
return :success
end
def vim_get_dc_name(dc)
soap_req=
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Datacenter</type>
<pathSet>name</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Datacenter">#{dc}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
name = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
return name
end
def vim_get_dcs
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveServiceContent xmlns="urn:vim25">
<_this type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrieveServiceContentResponse']['returnval']
@server_objects.merge!(hash)
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>ServiceInstance</type>
<pathSet>content</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="ServiceInstance">ServiceInstance</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
hash.delete('xsi:type')
@server_objects.merge!(hash)
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Folder</type>
<pathSet>childEntity</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Folder">#{@server_objects['rootFolder']}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
tmp_dcs = []
tmp_dcs << Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
tmp_dcs.flatten!
tmp_dcs.each{|dc| @dcs << { 'name' => vim_get_dc_name(dc) , 'ref' => dc}}
end
def vim_get_hosts(datacenter)
dc_hosts = []
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Datacenter</type>
<pathSet>hostFolder</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Datacenter">#{datacenter}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
host_folders = []
host_folders << Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
host_folders.flatten!
compute_refs = []
host_folders.each do |folder|
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Folder</type>
<pathSet>childEntity</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Folder">#{folder}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
ref = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
if ref.nil? or ref.empty?
return nil
else
compute_refs << ref
end
end
compute_refs.flatten!
compute_refs.each do |ref|
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>ComputeResource</type>
<pathSet>host</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="ComputeResource">#{ref}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
next if res.body.include? "<faultstring>"
dc_hosts << Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
end
dc_hosts.flatten!
return dc_hosts
end
def vim_get_all_hosts
@dcs.each{|dc| @hosts << vim_get_hosts(dc['ref'])}
@hosts.flatten!
end
def vim_get_host_hw(host)
vim_setup_references
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>HostSystem</type>
<pathSet>hardware</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="HostSystem">#{host}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
return hash
end
def vim_get_all_host_summary(hw=false)
vim_setup_references
summaries = []
@hosts.each do |host|
details = {}
details[host] = vim_get_host_summary(host)
if details and hw
details.merge!(vim_get_host_hw(host))
end
summaries << details
end
return summaries.flatten.compact
end
def vim_get_vm_datastore(vm)
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>VirtualMachine</type>
<pathSet>datastore</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="VirtualMachine">#{vm}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body
></env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
datastore_refs = []
datastore_refs << Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
datastore_refs.flatten!
datastore_refs.compact!
datastores = []
datastore_refs.each do |datastore_ref|
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Datastore</type>
<pathSet>info</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Datastore">#{datastore_ref}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
datastore_name = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['name']
datastore = { 'name' => datastore_name, 'ref' => datastore_ref}
datastores << datastore
end
return datastores
end
def vim_find_vm_by_name(name)
vim_setup_references
@dcs.each do |dc|
soap_req =
%Q| <env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Datacenter</type>
<pathSet>vmFolder</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Datacenter">#{dc['ref']}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
next unless res and res.code == 200
vm_folders = []
vm_folders << Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
vm_folders.flatten!
vm_folders.compact!
vm_folders.each do |vm_folder|
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<FindChild xmlns="urn:vim25">
<_this type="SearchIndex">#{@server_objects['searchIndex']}</_this>
<entity type="Folder">#{vm_folder}</entity>
<name>#{name}</name>
</FindChild>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
next unless res and res.code == 200
tmp_hash = Hash.from_xml(res.body)['Envelope']['Body']['FindChildResponse']
if tmp_hash['returnval']
return tmp_hash['returnval']
end
end
end
return nil
end
def vim_powerON_vm(vm_ref)
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<PowerOnVM_Task xmlns="urn:vim25">
<_this type="VirtualMachine">#{vm_ref}</_this>
</PowerOnVM_Task>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
if res.body.include? "NotAuthenticatedFault"
return :expired
elsif res.body.include? "<faultstring>"
return :error
end
task_id = Hash.from_xml(res.body)['Envelope']['Body']['PowerOnVM_TaskResponse']['returnval']
state= "running"
while state == "running"
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Task</type>
<pathSet>info</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Task">#{task_id}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
state = hash['state']
case state
when 'running'
select(nil, nil, nil, 5)
when 'error'
if hash['error']['fault']['existingState'] == 'poweredOn'
return 'alreadyON'
end
end
end
return state
end
def vim_powerOFF_vm(vm_ref)
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<PowerOffVM_Task xmlns="urn:vim25">
<_this type="VirtualMachine">#{vm_ref}</_this>
</PowerOffVM_Task>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
if res.body.include? "NotAuthenticatedFault"
return :expired
elsif res.body.include? "<faultstring>"
return :error
end
task_id = Hash.from_xml(res.body)['Envelope']['Body']['PowerOffVM_TaskResponse']['returnval']
state= "running"
while state == "running"
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Task</type>
<pathSet>info</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Task">#{task_id}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
state = hash['state']
case state
when 'running'
select(nil, nil, nil, 5)
when 'error'
if hash['error']['fault']['existingState'] == 'poweredOff'
return 'alreadyOFF'
end
end
end
return state
end
def vim_take_screenshot(vm, user, pass)
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<CreateScreenshot_Task xmlns="urn:vim25">
<_this type="VirtualMachine">#{vm['ref']}</_this>
</CreateScreenshot_Task>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
if res.body.include? "NotAuthenticatedFault"
return :expired
elsif res.body.include? "<faultstring>"
return :error
end
task_id = Hash.from_xml(res.body)['Envelope']['Body']['CreateScreenshot_TaskResponse']['returnval']
state= "running"
while state == "running"
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Task</type>
<pathSet>info</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Task">#{task_id}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
state = hash['state']
screenshot_file = hash['result']
end
unless screenshot_file
return :error
end
(ss_folder, ss_file) = screenshot_file.split('/').last(2)
ss_folder = Rex::Text.uri_encode(ss_folder)
ss_file = Rex::Text.uri_encode(ss_file)
ss_path = "#{ss_folder}/#{ss_file}"
datastores = vim_get_vm_datastore(vm['ref'])
user_pass = Rex::Text.encode_base64(user + ":" + pass)
datastores.each do |datastore|
ss_uri = "/folder/#{ss_path}?dcPath=#{vm['dc_name']}&dsName=#{datastore['name']}"
res = send_request_cgi({
'uri' => ss_uri,
'method' => 'GET',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'headers' => { 'Authorization' => "Basic #{user_pass}"}
}, 25)
next unless res
if res.code == 200
return res.body
elsif res.code == 404
next
end
end
return :error
end
def vim_get_host_summary(host)
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>HostSystem</type>
<pathSet>summary</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="HostSystem">#{host}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
hash['runtime'].delete('healthSystemRuntime')
hash.delete('xsi:type')
hash.delete('host')
return hash
end
def vim_get_vms
vim_setup_references
@vmrefs = []
vmlist= []
@dcs.each do |dc|
dc_vm_refs = vim_get_dc_vms(dc['ref'])
next if dc_vm_refs.nil? or dc_vm_refs.empty?
dc_vm_refs.flatten!
dc_vm_refs.compact!
next if dc_vm_refs.nil? or dc_vm_refs.empty?
print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} Found a Total of #{dc_vm_refs.length} VMs"
print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} Estimated Time: #{((dc_vm_refs.length * 7) /60)} Minutes"
dc_vm_refs.each do |ref|
print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} - Getting Data for VM: #{ref}..."
details = vim_get_vm_info(ref)
if details
details['ref'] = ref
details['dc_ref'] = dc['ref']
details['dc_name'] = dc['name']
vmlist << details
end
end
end
return vmlist
end
def vim_get_dc_vms(datacenter)
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Datacenter</type>
<pathSet>vmFolder</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Datacenter">#{datacenter}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
vmfolder = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>Folder</type>
<pathSet>childEntity</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="Folder">#{vmfolder}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
vm_index_array = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
vm_index_array.delete_if{|ref| ref.start_with? "group"} unless vm_index_array.nil? or vm_index_array.empty?
return vm_index_array
end
def vim_get_vm_info(vm_ref)
vim_setup_references
soap_req =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveProperties xmlns="urn:vim25">
<_this type="PropertyCollector">#{@server_objects['propertyCollector']}</_this>
<specSet xsi:type="PropertyFilterSpec">
<propSet xsi:type="PropertySpec">
<type>VirtualMachine</type>
<pathSet>summary</pathSet>
</propSet>
<objectSet xsi:type="ObjectSpec">
<obj type="VirtualMachine">#{vm_ref}</obj>
</objectSet>
</specSet>
</RetrieveProperties>
</env:Body>
</env:Envelope>|
res = send_request_cgi({
'uri' => '/sdk',
'method' => 'POST',
'agent' => 'VMware VI Client',
'cookie' => @vim_cookie,
'data' => soap_req,
'headers' => { 'SOAPAction' => @soap_action}
}, 25)
if res.body.include? "<faultstring>"
return nil
end
hash = Hash.from_xml(res.body)['Envelope']['Body']['RetrievePropertiesResponse']['returnval']['propSet']['val']
vm = hash['config']
vm['runtime'] = hash['runtime']
vm['guest'] = hash['guest']
vm['quickStats'] = hash['quickStats']
return vm
end
def vim_logged_in?
return true if @vim_cookie
return false
end
def vim_instance_vars_set?
return false if @server_objects.nil? or @server_objects.empty?
return false if @host.nil? or @host.empty?
return true
end
def vim_setup_references
unless vim_instance_vars_set?
@dcs = []
@hosts = []
vim_get_dcs
vim_get_all_hosts
@hosts.flatten!
@hosts.compact!
end
end
end
end

16
lib/msf/core/model/host.rb
View File

@ -686,6 +686,16 @@ class Host < ActiveRecord::Base
wtype['server'] = wtype['server'].to_i + points
end # End of s.info for SMTP
when 'https'
points = 101
case s.info
when /(VMware\s(ESXi?)).*\s([\d\.]+)/
# Very reliable fingerprinting from our own esx_fingerprint module
wname[$1] = wname[$1].to_i + (points * 5)
wflav[$3] = wflav[$3].to_i + (points * 5)
wtype['device'] = wtype['device'].to_i + points
end # End of s.info for HTTPS
when 'netbios'
points = 201
case s.info
@ -720,7 +730,7 @@ class Host < ActiveRecord::Base
best_match[:name] = whost.keys.sort{|a,b| whost[b] <=> whost[a]}[0]
best_match[:os_lang] = wlang.keys.sort{|a,b| wlang[b] <=> wlang[a]}[0]
best_match[:os_flavor] ||= ""
best_match[:os_flavor] ||= host[:os_flavor] || ""
if best_match[:os_name]
# Handle cases where the flavor contains the base name
# Don't use gsub!() here because the string was a hash key in a
@ -728,7 +738,9 @@ class Host < ActiveRecord::Base
best_match[:os_flavor] = best_match[:os_flavor].gsub(best_match[:os_name], '')
end
best_match[:os_name] ||= 'Unknown'
# If we didn't get anything, use whatever the host already has.
# Failing that, fallback to "Unknown"
best_match[:os_name] ||= host[:os_name] || 'Unknown'
best_match[:purpose] ||= 'device'
[:os_name, :purpose, :os_flavor, :os_sp, :arch, :name, :os_lang].each do |host_attr|

99
modules/auxiliary/scanner/vmware/esx_fingerprint.rb Normal file
View File

@ -0,0 +1,99 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/exploit/vim_soap'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::VIMSoap
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'VMWare ESX/ESXi Fingerprint Scanner',
'Version' => '$Revision$',
'Description' => %Q{
This module accesses the web API interfaces for VMware ESX/ESXi servers
and attempts to identify version information for that server.},
'Author' => ['TheLightCosine <thelightcosine[at]metasploit.com>'],
'License' => MSF_LICENSE
)
register_options([Opt::RPORT(443)], self.class)
end
def run_host(ip)
soap_data =
%Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<env:Body>
<RetrieveServiceContent xmlns="urn:vim25">
<_this type="ServiceInstance">ServiceInstance</_this>
</RetrieveServiceContent>
</env:Body>
</env:Envelope>|
datastore['URI'] ||= "/sdk"
res = nil
begin
res = send_request_cgi({
'uri' => datastore['URI'],
'method' => 'POST',
'agent' => 'VMware VI Client',
'data' => soap_data
}, 25)
rescue ::Rex::ConnectionError => e
vprint_error("http://#{ip}:#{rport}#{datastore['URI']} - #{e}")
return false
rescue
vprint_error("Skipping #{ip} due to error - #{e}")
return false
end
fingerprint_vmware(ip,res)
end
# Takes an ip address and a response, and just checks the response
# to pull out version info. If it's ESX, report the OS as ESX (since
# it's a hypervisor deal then). Otherwise, just report the service.
# XXX: report_service is stomping on the report_host OS. This is le suck.
def fingerprint_vmware(ip,res)
unless res
vprint_error("http://#{ip}:#{rport} - No response")
return false
end
return false unless res.body.include?('<vendor>VMware, Inc.</vendor>')
os_match = res.body.match(/<name>([\w\s]+)<\/name>/)
ver_match = res.body.match(/<version>([\w\s\.]+)<\/version>/)
build_match = res.body.match(/<build>([\w\s\.\-]+)<\/build>/)
full_match = res.body.match(/<fullName>([\w\s\.\-]+)<\/fullName>/)
this_host = nil
if full_match
print_good "Identified #{full_match[1]}"
report_service(:host => (this_host || ip), :port => rport, :proto => 'tcp', :name => 'https', :info => full_match[1])
end
if os_match and ver_match and build_match
if os_match[1] =~ /ESX/ or os_match[1] =~ /vCenter/
this_host = report_host( :host => ip, :os_name => os_match[1], :os_flavor => ver_match[1], :os_sp => "Build #{build_match[1]}" )
end
return true
else
vprint_error("http://#{ip}:#{rport} - Could not identify as VMWare")
return false
end
end
end