vmware-detect: Vmware Vcenter - Build Version

id: vmware-detect

info:
  name: Vmware Vcenter - Build Version
  author: zan8in
  severity: info
  verified: true
  description: |
    通过调用 VMWare Sphere 组件的 SOAP API，可以获取其版本信息。
    Hunter: app.name="VMWare vSphere Information Page"
  tags: vmware,vmware-vcenter,build-version
  created: 2023/11/13

rules:
  r0:
    request:
      method: POST
      path: /sdk
      body: |
        <?xml version="1.0" encoding="UTF-8"?>
        <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <soap:Header>
              <operationID>00000001-00000001</operationID>
           </soap:Header>
           <soap:Body>
              <RetrieveServiceContent xmlns="urn:internalvim25">
                 <_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
              </RetrieveServiceContent>
           </soap:Body>
        </soap:Envelope>
    expression: |
      response.status == 200 && 
      response.body.bcontains(b"VMware vCenter Server") && 
      response.body.bcontains(b"<build>") &&
      response.body.bcontains(b"<version>")
    extractors:
      - type: regex
        extractor:
          ext1: '"<version>(?P<version>.*?)</version>".bsubmatch(response.raw)'
          version: ext1["version"]
expression: r0()