From 9858147dae061ce7d059bed9d11904727f14faf4 Mon Sep 17 00:00:00 2001
From: james
Date: Fri, 4 Aug 2017 19:12:27 -0500
Subject: [PATCH] Add module to detect Docker and LXC containers
Detect Docker by:
- Presence of .dockerenv file.
- Finding "docker" in /proc/1/cgroup
Detect LXC by:
- Finding "lxc" in /proc/1/cgroup
---
 lib/msf/core/db_manager/host.rb | 2 +-
 lib/msf/core/post/common.rb | 18 +++----
 modules/post/linux/gather/checkcontainer.rb | 54 +++++++++++++++++++++
 modules/post/linux/gather/checkvm.rb | 2 +-
 modules/post/windows/gather/checkvm.rb | 2 +-
 5 files changed, 66 insertions(+), 12 deletions(-)
 create mode 100644 modules/post/linux/gather/checkcontainer.rb
diff --git a/lib/msf/core/db_manager/host.rb b/lib/msf/core/db_manager/host.rb
index 45e67086fd..f9af660efb 100644
--- a/lib/msf/core/db_manager/host.rb
+++ b/lib/msf/core/db_manager/host.rb
@@ -135,7 +135,7 @@ module Msf::DBManager::Host
 # +:arch+:: -- one of the ARCH_* constants
 # +:mac+:: -- the host's MAC address
 # +:scope+:: -- interface identifier for link-local IPv6
- # +:virtual_host+:: -- the name of the VM host software, eg "VMWare", "QEMU", "Xen", etc.
+ # +:virtual_host+:: -- the name of the virtualization software, eg "VMWare", "QEMU", "Xen", "Docker", etc.
 #
 def report_host(opts)
diff --git a/lib/msf/core/post/common.rb b/lib/msf/core/post/common.rb
index 84d915d2b8..7073d7da0b 100644
--- a/lib/msf/core/post/common.rb
+++ b/lib/msf/core/post/common.rb
@@ -167,19 +167,19 @@ module Msf::Post::Common
 end
 #
- # Reports to the database that the host is a virtual machine and reports
- # the type of virtual machine it is (e.g VirtualBox, VMware, Xen)
+ # Reports to the database that the host is using virtualization and reports
+ # the type of virtualization it is (e.g VirtualBox, VMware, Xen, Docker)
 #
- def report_vm(vm)
+ def report_virtualization(virt)
 return unless session
- return unless vm
- vm_normal = vm.to_s.strip
- return if vm_normal.empty?
- vm_data = {
+ return unless virt
+ virt_normal = virt.to_s.strip
+ return if virt_normal.empty?
+ virt_data = {
 :host => session.target_host,
- :virtual_host => vm_normal
+ :virtual_host => virt_normal
 }
- report_host(vm_data)
+ report_host(virt_data)
 end
 #
diff --git a/modules/post/linux/gather/checkcontainer.rb b/modules/post/linux/gather/checkcontainer.rb
new file mode 100644
index 0000000000..415c9fbc7b
--- /dev/null
+++ b/modules/post/linux/gather/checkcontainer.rb
@@ -0,0 +1,54 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Post
+ include Msf::Post::File
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'Linux Gather Container Detection',
+ 'Description' => %q{
+ This module attempts to determine whether the system is running
+ inside of a container and if so, which one. This module supports
+ detection of LXC and Docker.},
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'James Otten '],
+ 'Platform' => [ 'linux' ],
+ 'SessionTypes' => [ 'shell', 'meterpreter' ]
+ ))
+ end
+
+ # Run Method for when run command is issued
+ def run
+ container = nil
+
+ # Check for .dockerenv file
+ if container.nil?
+ if file?("/.dockerenv")
+ container = "Docker"
+ end
+ end
+
+ # Check cgroup on PID 1
+ if container.nil?
+ cgroup = read_file("/proc/1/cgroup")
+ if cgroup
+ case cgroup.tr("\n", " ")
+ when /docker/i
+ container = "Docker"
+ when /lxc/i
+ container = "LXC"
+ end
+ end
+ end
+
+ if container
+ print_good("This appears to be a '#{container}' container")
+ report_virtualization(container)
+ else
+ print_status("This does not appear to be a container")
+ end
+ end
+end
diff --git a/modules/post/linux/gather/checkvm.rb b/modules/post/linux/gather/checkvm.rb
index a18eabac60..6e28a78910 100644
--- a/modules/post/linux/gather/checkvm.rb
+++ b/modules/post/linux/gather/checkvm.rb
@@ -150,7 +150,7 @@ class MetasploitModule < Msf::Post
 if vm
 print_good("This appears to be a '#{vm}' virtual machine")
- report_vm(vm)
+ report_virtualization(vm)
 else
 print_status("This does not appear to be a virtual machine")
 end
diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb
index 09ba428c3a..fc9151819d 100644
--- a/modules/post/windows/gather/checkvm.rb
+++ b/modules/post/windows/gather/checkvm.rb
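Review bot: In `run` of the new modules/post/linux/gather/checkcontainer.rb, a failed read of /proc/1/cgroup is indistinguishable from a clean negative. If `read_file` comes back nil or empty, nothing matches and the module prints "This does not appear to be a container". Because the positive path writes to the host record through `report_virtualization`, an inconclusive check should be surfaced to the operator rather than stated as a result, for example `print_warning("Could not read /proc/1/cgroup; container check is inconclusive") if cgroup.to_s.empty?` directly after the `read_file` call. As a style point, the first `if container.nil?` is always true because `container` was assigned nil two lines earlier, and `.tr("\n", " ")` is unnecessary for the unanchored `/docker/i` and `/lxc/i` matches. A short comment noting that the Docker checks take precedence over the LXC match would also document the intended ordering.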
@@ -324,7 +324,7 @@ class MetasploitModule < Msf::Post
 found ||= xenchk(session)
 found ||= qemuchk(session)
 if found
- report_vm(found)
+ report_virtualization(found)
 else
 print_status("#{sysinfo['Computer']} appears to be a Physical Machine")
 end