Module: Msf::Exploit::Remote::VIMSoap

Includes:
HttpClient
Defined in:
lib/msf/core/exploit/remote/vim_soap.rb

Instance Attribute Summary

Attributes included from HttpClient

#client, #cookie_jar

Instance Method Summary

Methods included from HttpClient

#basic_auth, #cleanup, #configure_http_login_scanner, #connect, #connect_ws, #deregister_http_client_options, #disconnect, #download, #full_uri, #handler, #http_fingerprint, #initialize, #lookup_http_fingerprints, #normalize_uri, #path_from_uri, #peer, #proxies, #reconfig_redirect_opts!, #request_opts_from_url, #request_url, #rhost, #rport, #send_request_cgi, #send_request_cgi!, #send_request_raw, #service_details, #setup, #ssl, #ssl_version, #strip_tags, #target_uri, #validate_fingerprint, #vhost

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Instance Method Details

#vim_do_login(user, pass) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 200

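# Opens a session with the VIM SOAP endpoint and submits a Login request.
#
# The rendered listing had lost the method name and the name of the body
# builder; both are restored from the headings on this page
# (#vim_do_login and #vim_soap_login).
#
# @param user [String] account name placed in the Login body
# @param pass [String] password placed in the Login body
# @return [false] when vim_get_session does not succeed
# @return [Symbol] :success when the Login POST is answered with HTTP 200,
#   :fail for any other status or when no response is received
def vim_do_login(user, pass)
  return false unless vim_get_session

  soap_data = vim_soap_envelope(vim_soap_login(user, pass))
  res = send_request_cgi({
    'uri'     => '/sdk',
    'method'  => 'POST',
    'agent'   => 'VMware VI Client',
    'cookie'  => @vim_cookie,
    'data'    => soap_data,
    'headers' => { 'SOAPAction' => @soap_action }
  }, 25)

  # Sibling methods treat a nil result from send_request_cgi as "no response";
  # report that as a failed attempt instead of raising NoMethodError on nil.
  (res && res.code == 200) ? :success : :fail
end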

#vim_find_vm_by_name(name) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 477

# Searches the vmFolder of every known datacenter for a child called +name+.
#
# NOTE(review): +name+ is concatenated into the FindChild body by
# vim_soap_find_child_byname without XML escaping — confirm callers pass
# values free of '<' and '&'.
#
# @param name [String] VM name handed to the FindChild request
# @return [Object] the 'returnval' of the first FindChild response that has one
# @return [nil] when no folder yields a match
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_find_vm_by_name(name)
  vim_setup_references
  @dcs.each do |dc|
    folder_query = vim_soap_envelope(vim_soap_retrieve_properties('vmFolder', 'Datacenter', dc['ref']))
    res = vim_send_soap_request(folder_query)
    return res unless res.instance_of?(Hash)

    # The property value may be a single entry or a list; normalise to a list.
    vm_folders = [res['RetrievePropertiesResponse']['returnval']['propSet']['val']].flatten.compact

    vm_folders.each do |vm_folder|
      child_query = vim_soap_envelope(vim_soap_find_child_byname('Folder', vm_folder, name))
      res = vim_send_soap_request(child_query)
      return res unless res.instance_of?(Hash)

      vmref = res['FindChildResponse']['returnval']
      return vmref if vmref
    end
  end
  nil
end

#vim_get_all_host_summary(hw = false) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 435

# Collects the summary of every host reference held in @hosts.
#
# @param hw [Boolean] when truthy, the result of vim_get_host_hw is merged
#   into each host's entry
# @return [Array<Hash>] one Hash per host, keyed by the host reference
def vim_get_all_host_summary(hw=false)
  vim_setup_references
  per_host = @hosts.map do |host|
    entry = { host => vim_get_host_summary(host) }
    entry.merge!(vim_get_host_hw(host)) if hw
    entry
  end
  per_host.flatten.compact
end

#vim_get_all_hosts ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 418

# Appends the result of vim_get_hosts for every datacenter in @dcs to @hosts,
# then flattens @hosts in place.
#
# @return [Array, nil] whatever Array#flatten! returns (nil when nothing
#   needed flattening)
def vim_get_all_hosts
  @dcs.each do |dc|
    @hosts.push(vim_get_hosts(dc['ref']))
  end
  @hosts.flatten!
end

#vim_get_all_permissions ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 303

# Sends a RetrieveAllPermissions request.
#
# @return [Array] the response's 'returnval', flattened with nils removed
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_all_permissions
  res = vim_send_soap_request(vim_soap_envelope(vim_soap_retrieve_all_permissions))
  return res unless res.instance_of?(Hash)

  [res['RetrieveAllPermissionsResponse']['returnval']].flatten.compact
end

#vim_get_dc_name(dc) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 331

# Requests the 'name' property of a Datacenter reference.
#
# @param dc [String] datacenter reference
# @return [Object] the 'val' entry of the parsed response
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_dc_name(dc)
  query = vim_soap_retrieve_properties('name', 'Datacenter', dc)
  res = vim_send_soap_request(vim_soap_envelope(query))
  return res unless res.instance_of?(Hash)

  res['RetrievePropertiesResponse']['returnval']['propSet']['val']
end

#vim_get_dc_vms(datacenter) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 670

# Lists the child entities of a datacenter's vmFolder.
#
# Two requests are made: one for the datacenter's 'vmFolder', one for that
# folder's 'childEntity'. When the child list is a non-empty Array, entries
# starting with "group" are removed from it.
#
# @param datacenter [String] datacenter reference
# @return [Object] the 'ManagedObjectReference' value of the second response
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_dc_vms(datacenter)
  folder_query = vim_soap_retrieve_properties('vmFolder', 'Datacenter', datacenter)
  res = vim_send_soap_request(vim_soap_envelope(folder_query))
  return res unless res.instance_of?(Hash)

  vmfolder = res['RetrievePropertiesResponse']['returnval']['propSet']['val']

  children_query = vim_soap_retrieve_properties('childEntity', 'Folder', vmfolder)
  res = vim_send_soap_request(vim_soap_envelope(children_query))
  return res unless res.instance_of?(Hash)

  vm_index_array = res['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
  skip_filter = vm_index_array.nil? || vm_index_array.empty? || vm_index_array.class != Array
  vm_index_array.delete_if { |ref| ref.start_with?('group') } unless skip_filter
  vm_index_array
end

#vim_get_dcs ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 342

# Refreshes @server_objects and fills @dcs with one { 'name', 'ref' } Hash per
# child entity of the root folder.
#
# Three requests are made in order: RetrieveServiceContent, the 'content'
# property of the ServiceInstance (its 'xsi:type' key is dropped before
# merging), and the 'childEntity' property of @server_objects['rootFolder'].
#
# @return [Array] the list of datacenter references that was iterated
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_dcs
  res = vim_send_soap_request(vim_soap_envelope(vim_soap_retrieve_service_content))
  return res unless res.instance_of?(Hash)

  @server_objects.merge!(res['RetrieveServiceContentResponse']['returnval'])

  content_query = vim_soap_retrieve_properties('content', 'ServiceInstance', 'ServiceInstance')
  res = vim_send_soap_request(vim_soap_envelope(content_query))
  return res unless res.instance_of?(Hash)

  content = res['RetrievePropertiesResponse']['returnval']['propSet']['val']
  content.delete('xsi:type')
  @server_objects.merge!(content)

  root_query = vim_soap_retrieve_properties('childEntity', 'Folder', @server_objects['rootFolder'])
  res = vim_send_soap_request(vim_soap_envelope(root_query))
  return res unless res.instance_of?(Hash)

  dc_refs = [res['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']].flatten
  dc_refs.each { |dc| @dcs << { 'name' => vim_get_dc_name(dc), 'ref' => dc } }
end

#vim_get_domains ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 262

# Reads the 'domainList' property of the UserDirectory reference stored in
# @server_objects.
#
# @return [Array] the 'string' entries of the response, flattened with nils
#   removed
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_domains
  query = vim_soap_retrieve_properties('domainList', 'UserDirectory', @server_objects['userDirectory'])
  res = vim_send_soap_request(vim_soap_envelope(query))
  return res unless res.instance_of?(Hash)

  [res['RetrievePropertiesResponse']['returnval']['propSet']['val']['string']].flatten.compact
end

#vim_get_host_hw(host) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 425

# Requests the 'hardware' property of a HostSystem reference.
#
# @param host [String] host reference
# @return [Object] the 'val' entry of the parsed response
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_host_hw(host)
  query = vim_soap_retrieve_properties('hardware', 'HostSystem', host)
  res = vim_send_soap_request(vim_soap_envelope(query))
  return res unless res.instance_of?(Hash)

  res['RetrievePropertiesResponse']['returnval']['propSet']['val']
end

#vim_get_host_summary(host) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 626

# Requests the 'summary' property of a HostSystem reference and trims it.
#
# 'healthSystemRuntime' is removed from the 'runtime' entry, and the
# 'xsi:type' and 'host' keys are removed from the summary itself.
#
# @param host [String] host reference
# @return [Hash] the trimmed summary
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_host_summary(host)
  query = vim_soap_retrieve_properties('summary', 'HostSystem', host)
  res = vim_send_soap_request(vim_soap_envelope(query))
  return res unless res.instance_of?(Hash)

  summary = res['RetrievePropertiesResponse']['returnval']['propSet']['val']
  summary['runtime'].delete('healthSystemRuntime')
  %w[xsi:type host].each { |key| summary.delete(key) }
  summary
end

#vim_get_hosts(datacenter) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 375

# Resolves the host references that belong to a datacenter.
#
# Walks three levels: the datacenter's 'hostFolder', each folder's
# 'childEntity', and the 'host' property of every child whose reference does
# not start with "group-".
#
# @param datacenter [String] datacenter reference
# @return [Array] flattened list of host references
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_hosts(datacenter)
  folder_query = vim_soap_retrieve_properties('hostFolder', 'Datacenter', datacenter)
  res = vim_send_soap_request(vim_soap_envelope(folder_query))
  return res unless res.instance_of?(Hash)

  host_folders = [res['RetrievePropertiesResponse']['returnval']['propSet']['val']].flatten

  compute_refs = []
  host_folders.each do |folder|
    children_query = vim_soap_retrieve_properties('childEntity', 'Folder', folder)
    res = vim_send_soap_request(vim_soap_envelope(children_query))
    return res unless res.instance_of?(Hash)

    ref = res['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
    compute_refs << ref unless ref.nil?
  end
  compute_refs.flatten!

  dc_hosts = []
  compute_refs.each do |ref|
    next if ref.start_with?('group-')

    host_query = vim_soap_retrieve_properties('host', 'ComputeResource', ref)
    res = vim_send_soap_request(vim_soap_envelope(host_query))
    return res unless res.instance_of?(Hash)

    dc_hosts << res['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']
  end
  dc_hosts.flatten!
  dc_hosts
end

#vim_get_roles ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 317

# Reads the 'roleList' property of the AuthorizationManager reference stored
# in @server_objects.
#
# @return [Array] the 'AuthorizationRole' entries, flattened with nils removed
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_roles
  query = vim_soap_retrieve_properties('roleList', 'AuthorizationManager', @server_objects['authorizationManager'])
  res = vim_send_soap_request(vim_soap_envelope(query))
  return res unless res.instance_of?(Hash)

  [res['RetrievePropertiesResponse']['returnval']['propSet']['val']['AuthorizationRole']].flatten.compact
end

#vim_get_session ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 178

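# Posts RetrieveServiceContent to /sdk and records what the server returns.
#
# On success @server_objects holds the response's 'returnval', @soap_action is
# set to "urn:vim25/<apiVersion>" and @vim_cookie holds the Set-Cookie header.
#
# @return [Boolean] true only when the response is HTTP 200, carries a
#   service-content Hash and sets a cookie
def vim_get_session
  soap_data = vim_soap_envelope(vim_soap_retrieve_service_content)
  res = send_request_cgi({
    'uri'     => '/sdk',
    'method'  => 'POST',
    'agent'   => 'VMware VI Client',
    'data'    => soap_data,
    'headers' => { 'SOAPAction' => @soap_action }
  }, 25)
  return false unless res and res.code == 200

  # The body is supplied by the remote server, so every level of the parsed
  # document is treated as optional.
  envelope = Hash.from_xml(res.body)['Envelope'] || {}
  service_content = ((envelope['Body'] || {})['RetrieveServiceContentResponse'] || {})['returnval']

  # Previously a missing 'returnval' was stored as nil and the next line raised
  # NoMethodError; a 200 reply without service content is now reported as a
  # failed session and @server_objects is left untouched.
  return false unless service_content.is_a?(Hash)

  @server_objects = service_content
  @soap_action = "urn:vim25/#{(@server_objects['about'] || {})['apiVersion']}"

  session_cookie = res.headers['Set-Cookie']
  return false unless session_cookie

  @vim_cookie = session_cookie
  true
end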

#vim_get_session_list ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 222

# Reads the 'sessionList' property of the SessionManager reference stored in
# @server_objects.
#
# @return [Array] the 'UserSession' entries, flattened with nils removed
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_session_list
  query = vim_soap_retrieve_properties('sessionList', 'SessionManager', @server_objects['sessionManager'])
  res = vim_send_soap_request(vim_soap_envelope(query))
  return res unless res.instance_of?(Hash)

  [res['RetrievePropertiesResponse']['returnval']['propSet']['val']['UserSession']].flatten.compact
end

#vim_get_user_list(domain = nil) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 276

# Sends a RetrieveUserGroups request, optionally limited to one domain.
#
# @param domain [String, nil] domain forwarded to vim_soap_retrieve_usergroups
# @return [Array] the response's 'returnval', flattened with nils removed
# @return [nil] when the response has no 'returnval'
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_user_list(domain=nil)
  res = vim_send_soap_request(vim_soap_envelope(vim_soap_retrieve_usergroups(domain)))
  return res unless res.instance_of?(Hash)

  groups = res['RetrieveUserGroupsResponse']['returnval']
  return nil unless groups

  [groups].flatten.compact
end

#vim_get_vm_datastore(vm) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 449

# Resolves the datastores attached to a virtual machine.
#
# Reads the VM's 'datastore' property, then the 'info' property of each
# datastore reference to obtain its name.
#
# @param vm [String] virtual machine reference
# @return [Array<Hash>] one { 'name' => ..., 'ref' => ... } Hash per datastore
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_vm_datastore(vm)
  refs_query = vim_soap_retrieve_properties('datastore', 'VirtualMachine', vm)
  res = vim_send_soap_request(vim_soap_envelope(refs_query))
  return res unless res.instance_of?(Hash)

  datastore_refs = [res['RetrievePropertiesResponse']['returnval']['propSet']['val']['ManagedObjectReference']].flatten.compact

  datastores = []
  datastore_refs.each do |datastore_ref|
    info_query = vim_soap_retrieve_properties('info', 'Datastore', datastore_ref)
    res = vim_send_soap_request(vim_soap_envelope(info_query))
    return res unless res.instance_of?(Hash)

    datastore_name = res['RetrievePropertiesResponse']['returnval']['propSet']['val']['name']
    datastores << { 'name' => datastore_name, 'ref' => datastore_ref }
  end
  datastores
end

#vim_get_vm_info(vm_ref) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 690

# Requests the 'summary' property of a virtual machine and reshapes it.
#
# The summary's 'config' entry becomes the result, with the summary's
# 'runtime', 'guest' and 'quickStats' entries copied into it.
#
# @param vm_ref [String] virtual machine reference
# @return [Object] the reshaped 'config' entry
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_get_vm_info(vm_ref)
  vim_setup_references
  query = vim_soap_retrieve_properties('summary', 'VirtualMachine', vm_ref)
  res = vim_send_soap_request(vim_soap_envelope(query))
  return res unless res.instance_of?(Hash)

  summary = res['RetrievePropertiesResponse']['returnval']['propSet']['val']
  vm = summary['config']
  %w[runtime guest quickStats].each { |section| vm[section] = summary[section] }
  vm
end

#vim_get_vms ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 642

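# Collects details for every virtual machine in every known datacenter.
#
# Each returned Hash is the result of vim_get_vm_info with 'ref', 'dc_ref' and
# 'dc_name' added. Progress is reported through print_status.
#
# @return [Array<Hash>] one entry per VM whose details could be retrieved
def vim_get_vms
  vim_setup_references
  @vmrefs = []
  vmlist = []
  @dcs.each do |dc|
    dc_vm_refs = vim_get_dc_vms(dc['ref'])

    # vim_get_dc_vms hands back the raw 'ManagedObjectReference' value or the
    # non-Hash status from vim_send_soap_request. Only an Array or a single
    # String is usable as a reference list; calling flatten! on a status
    # Symbol or a lone String previously raised NoMethodError.
    # NOTE(review): a lone String is assumed to be a single reference — confirm.
    next unless dc_vm_refs.is_a?(Array) || dc_vm_refs.is_a?(String)
    next if dc_vm_refs.empty?

    dc_vm_refs = [dc_vm_refs].flatten.compact
    next if dc_vm_refs.empty?

    print_status "#{datastore['RHOST']} - DataCenter: #{dc['name']} Found a Total of #{dc_vm_refs.length} VMs"
    print_status "#{datastore['RHOST']}  - DataCenter: #{dc['name']} Estimated Time: #{((dc_vm_refs.length * 7) /60)} Minutes"
    dc_vm_refs.each do |ref|
      print_status "#{datastore['RHOST']}  -  DataCenter: #{dc['name']} - Getting Data for VM: #{ref}..."
      details = vim_get_vm_info(ref)

      # vim_get_vm_info passes status Symbols through; those are truthy but
      # cannot take the keys assigned below, so skip anything that is not a Hash.
      next unless details.is_a?(Hash)

      details['ref'] = ref
      details['dc_ref'] = dc['ref']
      details['dc_name'] = dc['name']
      vmlist << details
    end
  end
  vmlist
end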

#vim_instance_vars_set? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 711

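# Reports whether the cached server objects and host list are populated.
#
# The original tested @host, which no method shown for this mixin assigns, so
# the check was always false and vim_setup_references re-enumerated the target
# on every call. The list filled by vim_setup_references and
# vim_get_all_hosts is @hosts, which is what is tested here.
#
# @return [Boolean] true when both @server_objects and @hosts are non-empty
def vim_instance_vars_set?
  return false if @server_objects.nil? || @server_objects.empty?
  return false if @hosts.nil? || @hosts.empty?

  true
end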

#vim_log_event_vm(vm_ref, msg) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 291

# Sends a LogUserEvent request for a virtual machine.
#
# NOTE(review): +msg+ is concatenated into the request body by
# vim_soap_log_user_event_vm without XML escaping — confirm callers pass
# values free of '<' and '&'.
#
# @param vm_ref [String] virtual machine reference
# @param msg [String] event message
# @return [Symbol] :success when the request yields a parsed Hash
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_log_event_vm(vm_ref, msg)
  res = vim_send_soap_request(vim_soap_envelope(vim_soap_log_user_event_vm(vm_ref, msg)))
  res.instance_of?(Hash) ? :success : res
end

#vim_logged_in? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 706

# Reports whether a session cookie has been stored in @vim_cookie.
#
# Only the presence of the cookie is checked; nothing here asks the server
# whether the session is still valid.
#
# @return [Boolean]
def vim_logged_in?
  @vim_cookie ? true : false
end

#vim_powerOFF_vm(vm_ref) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 544

# Starts a PowerOffVM task and polls it until it stops reporting 'running'.
#
# The task's 'info' property is re-read every 5 seconds while the state is
# 'running'; the loop has no iteration cap.
#
# NOTE(review): the 'error' branch compares existingState with 'poweredOn' and
# returns 'alreadyON', the same literals vim_powerON_vm uses. For a power-off
# request this looks like a copy-paste; left unchanged because callers may
# match on the returned string — confirm against them.
#
# @param vm_ref [String] virtual machine reference
# @return [String] the final task state, or 'alreadyON' (see note)
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_powerOFF_vm(vm_ref)
  res = vim_send_soap_request(vim_soap_envelope(vim_soap_power_off_vm(vm_ref)))
  return res unless res.instance_of?(Hash)

  task_id = res['PowerOffVM_TaskResponse']['returnval']

  state = 'running'
  while state == 'running'
    task_query = vim_soap_retrieve_properties('info', 'Task', task_id)
    res = vim_send_soap_request(vim_soap_envelope(task_query))
    return res unless res.instance_of?(Hash)

    task_info = res['RetrievePropertiesResponse']['returnval']['propSet']['val']
    state = task_info['state']
    if state == 'running'
      # select with only a timeout acts as a 5 second pause between polls.
      select(nil, nil, nil, 5)
    elsif state == 'error'
      return 'alreadyON' if task_info['error']['fault']['existingState'] == 'poweredOn'
    end
  end
  state
end

#vim_powerON_vm(vm_ref) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 512

# Starts a PowerOnVM task and polls it until it stops reporting 'running'.
#
# The task's 'info' property is re-read every 5 seconds while the state is
# 'running'; the loop has no iteration cap.
#
# @param vm_ref [String] virtual machine reference
# @return [String] the final task state, or 'alreadyON' when the task fails
#   with an existingState of 'poweredOn'
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_powerON_vm(vm_ref)
  res = vim_send_soap_request(vim_soap_envelope(vim_soap_power_on_vm(vm_ref)))
  return res unless res.instance_of?(Hash)

  task_id = res['PowerOnVM_TaskResponse']['returnval']

  state = 'running'
  while state == 'running'
    task_query = vim_soap_retrieve_properties('info', 'Task', task_id)
    res = vim_send_soap_request(vim_soap_envelope(task_query))
    return res unless res.instance_of?(Hash)

    task_info = res['RetrievePropertiesResponse']['returnval']['propSet']['val']
    state = task_info['state']
    if state == 'running'
      # select with only a timeout acts as a 5 second pause between polls.
      select(nil, nil, nil, 5)
    elsif state == 'error'
      return 'alreadyON' if task_info['error']['fault']['existingState'] == 'poweredOn'
    end
  end
  state
end

#vim_send_soap_request(soap_data) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 155

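# Posts a SOAP envelope to /sdk with the stored session cookie and classifies
# the reply.
#
# The response body comes from the remote server, so the fault text and the
# parsed document are both treated as possibly incomplete.
#
# @param soap_data [String] complete SOAP envelope
# @return [Symbol] :noresponse when nothing came back, :expired when the body
#   mentions NotAuthenticatedFault, :error for a fault string or a non-200
#   status (the message is stored in @vim_soap_error)
# @return [Hash, nil] the parsed Envelope/Body on success, nil when the parsed
#   document has no Envelope or Body
def vim_send_soap_request(soap_data)
  res = send_request_cgi({
    'uri'     => '/sdk',
    'method'  => 'POST',
    'agent'   => 'VMware VI Client',
    'cookie'  => @vim_cookie,
    'data'    => soap_data,
    'headers' => { 'SOAPAction' => @soap_action }
  }, 25)
  return :noresponse unless res

  body = res.body
  if body.include?('NotAuthenticatedFault')
    :expired
  elsif body.include?('<faultstring>')
    # An unterminated or empty <faultstring> used to raise NoMethodError on the
    # nil match; fall back to the generic message instead.
    @vim_soap_error = body[/<faultstring>(.+?)<\/faultstring>/m, 1] || 'An unknown error was encountered'
    :error
  elsif res.code != 200
    @vim_soap_error = 'An unknown error was encountered'
    :error
  else
    # Same defensive lookup vim_get_session uses: a 200 reply without an
    # Envelope yields nil rather than NoMethodError.
    (Hash.from_xml(body)['Envelope'] || {})['Body']
  end
end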

#vim_session_is_active(key, username) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 236

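# Asks the server whether a session key is active for a user.
#
# The original printed "Error: #{@vim_soap_error}" on every call, including
# successful ones, which showed an empty or stale message. The message is now
# printed only when the request reports :error, the one status for which
# vim_send_soap_request sets @vim_soap_error.
#
# @param key [String] session key
# @param username [String] user the session belongs to
# @return [Object] the 'returnval' of the SessionIsActive response
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_session_is_active(key, username)
  soap_data = vim_soap_envelope(vim_soap_session_active?(key, username))
  res = vim_send_soap_request(soap_data)
  return res['SessionIsActiveResponse']['returnval'] if res.class == Hash

  print_status "Error: #{@vim_soap_error}" if res == :error
  res
end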

#vim_setup_references ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 717

# Populates @dcs and @hosts unless vim_instance_vars_set? reports they are
# already in place.
#
# Both lists are reset, then refilled through vim_get_dcs and
# vim_get_all_hosts; @hosts is flattened and stripped of nils afterwards.
#
# @return [Array, nil] whatever Array#compact! returns, or nil when skipped
def vim_setup_references
  return if vim_instance_vars_set?

  @dcs = []
  @hosts = []
  vim_get_dcs
  vim_get_all_hosts
  @hosts.flatten!
  @hosts.compact!
end

#vim_soap_create_screenshot(vm_ref) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 147

# Builds the body of a CreateScreenshot_Task request.
#
# @param vm_ref [String] virtual machine reference, inserted as-is
# @return [String] the request body (without the SOAP envelope)
def vim_soap_create_screenshot(vm_ref)
  target = '<_this type="VirtualMachine">' + vm_ref + '</_this>'
  '<CreateScreenshot_Task xmlns="urn:vim25">' + target + '</CreateScreenshot_Task>'
end

#vim_soap_envelope(body) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 7

# Wraps a request body in the SOAP Envelope/Body elements.
#
# @param body [String] request body, inserted as-is
# @return [String] the complete envelope
def vim_soap_envelope(body)
  envelope = '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">' + '<env:Body>'
  envelope.concat(body)
  envelope.concat('</env:Body></env:Envelope>')
end

#vim_soap_find_child_byname(type, entity, name) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 121

# Builds the body of a FindChild request against the SearchIndex reference in
# @server_objects.
#
# All arguments are concatenated into the XML without escaping.
#
# @param type [String] value of the entity element's type attribute
# @param entity [String] reference of the entity to search in
# @param name [String] child name to look for
# @return [String] the request body (without the SOAP envelope)
def vim_soap_find_child_byname(type,entity,name)
  search_index = '<_this type="SearchIndex">' + @server_objects['searchIndex'] + '</_this>'
  parent = '<entity type="' + type + '">' + entity + '</entity>'
  wanted = '<name>' + name + '</name>'
  '<FindChild xmlns="urn:vim25">' + search_index + parent + wanted + '</FindChild>'
end

#vim_soap_log_user_event_vm(vm_ref, msg) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 103

# Builds the body of a LogUserEvent request against the EventManager reference
# in @server_objects.
#
# Both arguments are concatenated into the XML without escaping.
#
# @param vm_ref [String] virtual machine the event is attached to
# @param msg [String] event message
# @return [String] the request body (without the SOAP envelope)
def vim_soap_log_user_event_vm(vm_ref,msg)
  manager = '<_this type="EventManager">' + @server_objects['eventManager'] + '</_this>'
  subject = '<entity type="VirtualMachine">' + vm_ref + '</entity>'
  message = '<msg>' + msg + '</msg>'
  '<LogUserEvent xmlns="urn:vim25">' + manager + subject + message + '</LogUserEvent>'
end

#vim_soap_login(user, pass) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 63

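# Builds the body of a Login request against the SessionManager reference in
# @server_objects.
#
# The rendered listing had lost the method name; it is restored from the
# heading on this page (#vim_soap_login).
#
# NOTE(review): user and pass are concatenated into the XML as-is, so a value
# containing '<' or '&' produces a malformed request. Confirm whether callers
# escape these values before they reach this method.
#
# @param user [String] account name
# @param pass [String] password
# @return [String] the request body (without the SOAP envelope)
def vim_soap_login(user,pass)
  soap_data = '<Login xmlns="urn:vim25">'
  soap_data << '<_this type="SessionManager">' + @server_objects['sessionManager'] + '</_this>'
  soap_data << '<userName>' + user + '</userName>'
  soap_data << '<password>' + pass + '</password>'
  soap_data << '</Login>'
end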

#vim_soap_objset(type, ref) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 29

# Builds an objectSet element naming one managed object.
#
# @param type [String] value of the obj element's type attribute
# @param ref [String] object reference, inserted as-is
# @return [String] the objectSet fragment
def vim_soap_objset(type, ref)
  object_node = '<obj type="' + type + '">' + ref + '</obj>'
  '<objectSet>' + object_node + '</objectSet>'
end

#vim_soap_power_off_vm(vm_ref) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 139

# Builds the body of a PowerOffVM_Task request.
#
# @param vm_ref [String] virtual machine reference, inserted as-is
# @return [String] the request body (without the SOAP envelope)
def vim_soap_power_off_vm(vm_ref)
  target = '<_this type="VirtualMachine">' + vm_ref + '</_this>'
  '<PowerOffVM_Task xmlns="urn:vim25">' + target + '</PowerOffVM_Task>'
end

#vim_soap_power_on_vm(vm_ref) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 131

# Builds the body of a PowerOnVM_Task request.
#
# @param vm_ref [String] virtual machine reference, inserted as-is
# @return [String] the request body (without the SOAP envelope)
def vim_soap_power_on_vm(vm_ref)
  target = '<_this type="VirtualMachine">' + vm_ref + '</_this>'
  '<PowerOnVM_Task xmlns="urn:vim25">' + target + '</PowerOnVM_Task>'
end

#vim_soap_propset(type, path, all = false) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 16

# Builds a propSet element (PropertySpec) for a RetrieveProperties request.
#
# @param type [String] managed object type
# @param path [String] property path; ignored when +all+ is truthy
# @param all [Boolean] when truthy, emit <all>true</all> instead of a pathSet
# @return [String] the propSet fragment
def vim_soap_propset(type,path,all = false)
  type_node = '<type>' + type + '</type>'
  selector = all ? '<all>true</all>' : ('<pathSet>' + path + '</pathSet>')
  '<propSet xsi:type="PropertySpec">' + type_node + selector + '</propSet>'
end

#vim_soap_retrieve_all_permissions ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 113

# Builds the body of a RetrieveAllPermissions request against the
# AuthorizationManager reference in @server_objects.
#
# @return [String] the request body (without the SOAP envelope)
def vim_soap_retrieve_all_permissions
  manager = '<_this type="AuthorizationManager">' + @server_objects['authorizationManager'] + '</_this>'
  '<RetrieveAllPermissions xmlns="urn:vim25">' + manager + '</RetrieveAllPermissions>'
end

#vim_soap_retrieve_properties(path, type, ref, all = false) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 46

# Builds the body of a RetrieveProperties request against the
# PropertyCollector reference in @server_objects.
#
# @param path [String] property path forwarded to vim_soap_specset
# @param type [String] managed object type
# @param ref [String] managed object reference
# @param all [Boolean] forwarded to vim_soap_specset
# @return [String] the request body (without the SOAP envelope)
def vim_soap_retrieve_properties(path,type,ref,all=false)
  collector = '<_this type="PropertyCollector">' + @server_objects['propertyCollector'] + '</_this>'
  '<RetrieveProperties xmlns="urn:vim25">' + collector + vim_soap_specset(path, type, ref, all) + '</RetrieveProperties>'
end

#vim_soap_retrieve_service_content ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 55

# Builds the body of a RetrieveServiceContent request for the ServiceInstance.
#
# @return [String] the request body (without the SOAP envelope)
def vim_soap_retrieve_service_content
  [
    '<RetrieveServiceContent xmlns="urn:vim25">',
    '<_this type="ServiceInstance">ServiceInstance</_this>',
    '</RetrieveServiceContent>'
  ].join
end

#vim_soap_retrieve_usergroups(domain = nil) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 93

# Builds the body of a RetrieveUserGroups request against the UserDirectory
# reference in @server_objects.
#
# The search string is empty, exactMatch is false and both users and groups
# are requested. +domain+ is concatenated into the XML without escaping.
#
# @param domain [String, nil] when given, a <domain> element is included
# @return [String] the request body (without the SOAP envelope)
def vim_soap_retrieve_usergroups(domain=nil)
  request = '<RetrieveUserGroups xmlns="urn:internalvim25">' +
            '<_this xsi:type="ManagedObjectReference" type="UserDirectory">' + @server_objects['userDirectory'] + '</_this>'
  request += '<domain>' + domain + '</domain>' if domain
  request + '<searchStr></searchStr><exactMatch>false</exactMatch><findUsers>true</findUsers><findGroups>true</findGroups>' + '</RetrieveUserGroups>'
end

#vim_soap_session_active?(key, user) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 73

# Builds the body of a SessionIsActive request against the SessionManager
# reference in @server_objects.
#
# Despite the trailing "?" this method returns the request String, not a
# Boolean.
#
# @param key [String] session key, inserted as-is
# @param user [String] user name, inserted as-is
# @return [String] the request body (without the SOAP envelope)
def vim_soap_session_active?(key, user)
  manager = '<_this type="SessionManager">' + @server_objects['sessionManager'] + '</_this>'
  session = '<sessionID>' + key + '</sessionID>'
  owner = '<userName>' + user + '</userName>'
  '<SessionIsActive xmlns="urn:vim25">' + manager + session + owner + '</SessionIsActive>'
end

#vim_soap_specset(path, type, ref, all = false) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 37

# Builds a specSet element from a propSet and an objectSet.
#
# @param path [String] property path forwarded to vim_soap_propset
# @param type [String] managed object type used for both child elements
# @param ref [String] managed object reference forwarded to vim_soap_objset
# @param all [Boolean] forwarded to vim_soap_propset
# @return [String] the specSet fragment
def vim_soap_specset(path,type,ref,all=false)
  properties = vim_soap_propset(type, path, all)
  objects = vim_soap_objset(type, ref)
  '<specSet>' + properties + objects + '</specSet>'
end

#vim_soap_terminate_session(key) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 84

# Builds the body of a TerminateSession request against the SessionManager
# reference in @server_objects.
#
# @param key [String] session key, inserted as-is
# @return [String] the request body (without the SOAP envelope)
def vim_soap_terminate_session(key)
  manager = '<_this xsi:type="ManagedObjectReference" type="SessionManager" >' + @server_objects['sessionManager'] + '</_this>'
  session = '<sessionId>' + key + '</sessionId>'
  '<TerminateSession xmlns="urn:vim25">' + manager + session + '</TerminateSession>'
end

#vim_take_screenshot(vm, user, pass) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 576

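# Creates a screenshot of a virtual machine and downloads the resulting file.
#
# A CreateScreenshot_Task is started and polled until it stops reporting
# 'running'; the last two path components of the task result are then
# requested under /folder/ for each datastore of the VM until one answers 200.
#
# NOTE(review): unlike the power on/off helpers, the poll loop has no pause
# between requests and no iteration cap.
# NOTE(review): vm['dc_name'] and the datastore name are placed in the query
# string without URI encoding, while the path parts are encoded — confirm
# names with spaces or reserved characters work.
#
# @param vm [Hash] must provide 'ref' and 'dc_name'
# @param user [String] user name for the Basic Authorization header
# @param pass [String] password for the Basic Authorization header
# @return [String] the body of the first 200 response
# @return [Symbol] :error when the task yields no file or no datastore
#   serves it
# @return [Object] the non-Hash result of vim_send_soap_request, or the
#   non-Array result of vim_get_vm_datastore, passed through
def vim_take_screenshot(vm, user, pass)
  soap_data = vim_soap_envelope(vim_soap_create_screenshot(vm['ref']))
  res = vim_send_soap_request(soap_data)
  return res unless res.class == Hash

  task_id = res['CreateScreenshot_TaskResponse']['returnval']

  state = 'running'
  screenshot_file = nil
  while state == 'running'
    soap_data = vim_soap_envelope(vim_soap_retrieve_properties('info', 'Task', task_id))
    res = vim_send_soap_request(soap_data)
    return res unless res.class == Hash

    task_info = res['RetrievePropertiesResponse']['returnval']['propSet']['val']
    state = task_info['state']
    screenshot_file = task_info['result']
  end
  return :error unless screenshot_file

  (ss_folder, ss_file) = screenshot_file.split('/').last(2)
  ss_folder = Rex::Text.uri_encode(ss_folder)
  ss_file = Rex::Text.uri_encode(ss_file)
  ss_path = "#{ss_folder}/#{ss_file}"

  # vim_get_vm_datastore passes the request status through when a lookup
  # fails; calling each on that value raised NoMethodError, so hand the status
  # back to the caller the way the other helpers do.
  datastores = vim_get_vm_datastore(vm['ref'])
  return datastores unless datastores.is_a?(Array)

  # The credentials travel base64-encoded in a Basic Authorization header on
  # every download attempt; whether the transport is encrypted depends on the
  # HttpClient connection settings, which are not visible here.
  user_pass = Rex::Text.encode_base64(user + ":" + pass)
  datastores.each do |ds|
    ss_uri = "/folder/#{ss_path}?dcPath=#{vm['dc_name']}&dsName=#{ds['name']}"
    res = send_request_cgi({
      'uri'     => ss_uri,
      'method'  => 'GET',
      'agent'   => 'VMware VI Client',
      'cookie'  => @vim_cookie,
      'headers' => { 'Authorization' => "Basic #{user_pass}" }
    }, 25)
    next unless res
    return res.body if res.code == 200
  end
  :error
end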

#vim_terminate_session(key) ⇒ Object



# File 'lib/msf/core/exploit/remote/vim_soap.rb', line 250

# Sends a TerminateSession request for a session key.
#
# @param key [String] session key
# @return [Symbol] :success when the request yields a parsed Hash
# @return [Object] the non-Hash result of vim_send_soap_request, passed through
def vim_terminate_session(key)
  res = vim_send_soap_request(vim_soap_envelope(vim_soap_terminate_session(key)))
  res.instance_of?(Hash) ? :success : res
end