
cve-2019-5736-poc's Issues

This POC won't work for me

Dear author:

I tried your POC file, but it didn't work, because there is already an existing pid named runc in /proc/<pid>/cmdline.

I tried with this bash script:

    #!/usr/bin/env bash
    # Poll every process's command line for the string "runc".
    # Iterate over /proc directly so the "PID" header line of `ps -ef` and
    # processes that exit mid-scan do not produce "No such file" errors.
    while true; do
        for procdir in /proc/[0-9]*; do
            pid=${procdir#/proc/}
            # cmdline is NUL-separated; tr turns it into a readable line.
            # Redirect stderr first so a vanished process stays silent.
            cmdline=$(tr '\0' ' ' 2>/dev/null < "${procdir}/cmdline")
            if [[ ${cmdline} == *runc* ]]; then
                echo "!!!!!!!!!!!!!!!!!!!!!!!!!runc was found!!!!!!!!!!!!!!!!!!!!!!!"
                echo "pid:${pid}"
            fi
        done
    done

and the output looks like this:

cat: /proc/876/cmdline: No such file or directory
cat: /proc/877/cmdline: No such file or directory
cat: /proc/878/cmdline: No such file or directory
cat: /proc/PID/cmdline: No such file or directory
!!!!!!!!runc was found !!!!!!!!!!!!!
pid:25

So this exploit will not work for me.
And when I execute the Go binary file, the second time, when I want to execute the docker exec command, an error occurs that prevents this POC:

docker exec -ti runc-test /bin/sh
/proc/self/exe: error while loading shared libraries: libseccomp.so.2: cannot open shared object file: No such file or directory

Appreciated

Failed to get write handle

Thank you for your poc.
I work on Ubuntu 18.04 and Docker 18.09.1-ce. Everything went well. However, at the last step, after the command "sudo docker exec -it cve-test /bin/sh" is executed in a new terminal window, only two new messages are printed and the program gets stuck.

The printed messages:
root@10f52219f2bc:/home# ./main
[+] Overwritten /bin/sh successfully
[+] Found the PID: 15
[+] Successfully got the file handle

The last message "[+] Successfully got write handle" did not appear. The dir /tmp/shadow is still unreachable.

Thank you!

Hangs after finding the PID

I've been trying to reproduce this exploit on Ubuntu 18.04 LTS with the versions of runc & docker.io below:
runc=1.0.0~rc4+dfsg1-6 & docker.io=17.12.1-0ubuntu1

After executing the exploit in the container & running `docker exec -it container /bin/sh` on the host, the exploit hangs.

Output:

./breakout
[+] Overwritten /bin/sh successfully
[+] Found the PID: 168

Any idea why? This was tested on the bento/ubuntu-18.04 Vagrant box.

vagrant@vagrant:~$ uname -r
4.15.0-156-generic

Also could you please specify the exact versions of runc & docker.io that were used by you? Thanks!

Can't execute file main inside container

@Frichetten Hello, I cloned your repo and compiled main.go.
After I put the executable file main inside my Ubuntu container and tried to execute it,
I got the following error:
error while loading shared libraries: libgo.so.13: cannot open shared object file: No such file or directory

I've tried reinstalling the whole Go package and installing libgo13 again and again, but the error continues to pop up. Any solution for it?
