mdly/POCs
forked from kings-way/POCs

Some POCs or Exploits for vulnerabilities
Exploit for CVE-2019-5736

How to

  • build image

      cd CVE-2019-5376
      gcc run.c -o run -static
      docker build -t testpoc .

  • run

      docker run -it --privileged --name testpoc_instance testpoc

      # open another terminal, and run docker exec
      docker exec -it testpoc_instance bash

Notes:

  • original approach from DragonSector
    Replace a shared library that runc loads with a malicious one, and give the container a malicious entry point that resolves to runc itself (for example a script whose shebang line is #!/proc/self/exe). This hijacks runc's execution; the hijacked process opens '/proc/self/exe' to hold a file descriptor to the runc binary, then fork-execs another process, which inherits that descriptor. Once runc has exited, the child can write to the binary through the held descriptor.

Shortcoming: it needs a malicious entry point program. That is no problem for docker run, but docker exec would have to run that specific program.

  • approach used here (also used by some other exploits)
    Start the malicious container first and run a process in a loop that monitors /proc for new processes. On finding one, open '/proc/{pid}/exe' to hold the file descriptor; from there it is the same as above.

Shortcoming: it works on every docker exec against the container, but not when docker run is used to start a new container.
