By Tony Flick | March 1, 2010
In addition to the previously mentioned Nmap script, GuestStealer has now made its way into a [Nessus plugin] (http://www.nessus.org/plugins/index.php?view=single&id=44646) and a Metasploit module. Nessus Plugin 44646 was released by Tenable a few weeks ago and the Metasploit module was pushed up to the trunk last week.
GuestStealer has been mentioned in several articles and blog posts recently, including [DarkReading – Tech Insight: Securing The Virtualized Server Environment] (https://www.darkreading.com/tech-insight-securing-the-virtualized-server-environment/d/d-id/1132946) and The Hacker News Network. While most have been accurate, several early blogs stated that GuestStealer used a cross site scripting attack to steal the guests. So to clarify and avoid any confusion, GuestStealer exploits the directory traversal vulnerability described in [CVE-2009-3733] (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733). For further information, check out the [presentation slides] (https://www.slideshare.net/mascasa/shmoocon-2010-stealing-guests-the-vmware-way).