VMWare Directory Traversal Metasploit Module

Since everyone else is releasing code to check for/exploit the VMware Server/ESX/ESXi directory traversal vulnerability, I pushed my checker module to the Metasploit trunk as an auxiliary scanner module.

If you want to just download a full guest host, check out:
GuestStealer -- http://www.fyrmassociates.com/tools/gueststealer-v1.1.pl

or the

nmap script -- http://www.skullsecurity.org/blog/?p=436

I don't feel like re-implementing it, and I for sure don't want anything ever auto-downloading several gigabytes of information for me, so if you want that functionality, write it or use the above tools. GuestStealer works great.

Vulnerability References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733
http://www.vmware.com/security/advisories/VMSA-2009-0015.html

The module:
The module is simple enough. By default it checks for:

FILE /etc/vmware/hostd/vmInventory.xml

If it receives a 200 for the traversal string and file, it reports the host as vulnerable. If you want to see the contents of the file, uncomment the following line in the code:

#print_status("Output Of Requested File:\n#{res.body}")

reload the module, then set FILE to whatever file you want (example: set FILE /etc/shadow).

Since VMware runs as root, you pretty much have access to anything on the file system.

Comments

I suppose I could just "assume" someone would go back and VERIFY the result manually or with an alternate file by uncommenting the line to see what's actually being returned... I know, big assumption.

Hmm, true.

The dilemma is that when using that module to also download /etc/shadow or whatever, it would be impossible (or a big pain in the ass) to check to make sure it's not giving you a custom 404 instead of the file you requested.

A lot of servers return 200 OK for every file -- broken 404 pages -- so watch out for that. In my Nmap script, I confirm that a string which is always present exists in the file.
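The "200 means vulnerable" check from the module and the broken-404 caveat raised in the comments, worked through as an added example that is not code from the Metasploit module or the Nmap script. It assumes you already hold two captured responses (the probe for the real file and a control probe for a file that cannot exist) and a marker string the real file must contain; the `<ConfigRoot>` marker for vmInventory.xml is an assumption about that file's format.

```ruby
# Added example (not the Metasploit module or the Nmap script): decide whether
# a traversal probe really returned the requested file, or whether the server
# answers 200 OK to everything (a "broken 404" page), by pairing the probe
# with a control request for a file that cannot exist and by checking for a
# string the real file must contain.
#
# Responses are plain {status:, body:} hashes so this runs offline on captured
# data; no HTTP is issued here.

# String that a genuine vmInventory.xml must contain. The element name is an
# assumption about that file's format, not something the post states.
VMINVENTORY_MARKER = '<ConfigRoot>'.freeze

# target  - response to the traversal request for the real file
# control - response to the same traversal for a bogus file name
# marker  - string present in every genuine copy of the requested file
# Returns :vulnerable, :not_vulnerable or :inconclusive.
def classify_traversal(target, control, marker)
  # Anything but 200 means the traversal (or the file) is not reachable.
  return :not_vulnerable unless target[:status] == 200

  target_has  = target[:body].include?(marker)
  control_has = control[:body].include?(marker)

  if control[:status] == 200
    # 200 for a nonexistent file: the status code carries no information, so
    # only the marker can settle it, and it must be absent from the error page.
    return (target_has && !control_has) ? :vulnerable : :inconclusive
  end

  # 200 for the real file and non-200 for the bogus one: still confirm the
  # marker so a custom error page served with 200 is not mistaken for the file.
  target_has ? :vulnerable : :inconclusive
end

# Constructed sample responses, not captured from a real host.
REAL_FILE = { status: 200,
              body: "<ConfigRoot>\n  <ConfigEntry id=\"0000\">\n" \
                    "    <vmxCfgPath>/vmfs/volumes/ds1/vm1/vm1.vmx</vmxCfgPath>\n" \
                    "  </ConfigEntry>\n</ConfigRoot>\n" }.freeze
BOGUS_404 = { status: 404, body: 'Not Found' }.freeze
BOGUS_200 = { status: 200, body: '<html><body>Oops, page not found</body></html>' }.freeze

if __FILE__ == $PROGRAM_NAME
  p classify_traversal(REAL_FILE, BOGUS_404, VMINVENTORY_MARKER)  # => :vulnerable
  p classify_traversal(BOGUS_200, BOGUS_200, VMINVENTORY_MARKER)  # => :inconclusive
end
```

The same routine works for any other FILE value once you pick a marker that every genuine copy of that file contains.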