Thursday, February 25, 2010

VMWare Directory Traversal Metasploit Module

Since everyone else is releasing code to check for/exploit the vmware server/esx/esxi directory traversal vulnerability I pushed up my checker module to the metasploit trunk as an auxiliary scanner module.

If you want to just download a full guest host check out:
GuestStealer --

or the

nmap script --

I don't feel like re-implementing it and I for sure don't want anything ever auto-downloading several gigabytes of information for me, so if you want that functionality write it or use the above tools. Gueststealer works great.

Vulnerability References:

The module:
The module is simple enough. By default it checks for:

FILE /etc/vmware/hostd/vmInventory.xml

If it receives a 200 to the traversal string and file it says its vulnerable. If you want to see the output of the file you can uncomment the following line from the code:

#print_status("Output Of Requested File:\n#{res.body}")

reload the module, then change the file to what you want (example: set FILE /etc/shadow).

Since VMWare runs as root you pretty much have access to anything on the file system.


1 comment:

Unknown said...

Working great against VMWare Server version 2.0.1 on my local machine.

I tried simply using netcat

#nc -vv -n 8222
GET /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/shadow

and it spitted out my shadow file.

Just curious to know how you remain so much "updated" with metasploit :)