PoC for CVE-2019-5736
Dear author:
I tried your PoC file, but it didn't work, because there is an existing PID named runc in /proc/<pid>/cmdline.
I tried with this bash script:
#!/bin/bash
# Poll the process list and report any process whose cmdline mentions runc
while true; do
    for pid in $(ps -ef | awk '{print $2}'); do
        # The first "pid" is the ps header word PID, and a process can exit
        # between ps and this read; both cases make cat print an error
        cmdline=$(cat /proc/"${pid}"/cmdline)
        if [[ ${cmdline} == *runc* ]]; then
            echo "!!!!!!!!!!!!!!!!!!!!!!!!!runc was found!!!!!!!!!!!!!!!!!!!!!!!"
            echo "pid:${pid}"
        fi
    done
done
and the output looks like this:
cat: /proc/876/cmdline: No such file or directory
cat: /proc/877/cmdline: No such file or directory
cat: /proc/878/cmdline: No such file or directory
cat: /proc/PID/cmdline: No such file or directory
!!!!!!!!runc was found !!!!!!!!!!!!!
pid:25
So this exploit will not work for me.
And when I execute the Go binary file, the second time I want to execute the docker exec command, an error occurs that prevents this PoC:
docker exec -ti runc-test /bin/sh
/proc/self/exe: error while loading shared libraries: libseccomp.so.2: cannot open shared object file: No such file or directory
Appreciated
Thank you for your PoC.
I work on Ubuntu 18.04 and Docker 18.09.1-ce. Everything went well. However, at the last step, after the command "sudo docker exec -it cve-test /bin/sh" is executed in a new terminal window, there are only two new messages printed and the program gets stuck.
The printed messages:
root@10f52219f2bc:/home# ./main
[+] Overwritten /bin/sh successfully
[+] Found the PID: 15
[+] Successfully got the file handle
The last message "[+] Successfully got write handle" did not appear. The dir /tmp/shadow is still unreachable.
Thank you!
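The reports above stop at the point where the PoC has hijacked a file handle and is about to overwrite the host's runc binary. A host administrator who suspects this happened wants an integrity check, so here is one as an added example (not code from the repository or from any poster in this thread). It assumes the operator recorded a baseline SHA-256 of runc from a trusted, patched install, and that the install path is passed on the command line; both are assumptions, not values from the page.

```python
"""Host-side tamper check for the runc binary.

Added example, not part of the original repository or of any issue in
this thread. Exploitation of CVE-2019-5736 ends with the host's runc
binary being overwritten, so the defender-side question is whether the
installed binary still matches a known-good baseline. Assumption (not
from the page): an operator recorded that baseline SHA-256 after
installing a patched package.
"""
import hashlib
import stat
from dataclasses import dataclass
from pathlib import Path

ELF_MAGIC = b"\x7fELF"


@dataclass
class Finding:
    path: str
    reason: str


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_runc_image(data: bytes, expected_sha256: str, mode: int = 0o755,
                     path: str = "<memory>") -> list:
    """Check one runc image (file contents + mode) against its baseline.

    Returns an empty list when nothing is wrong, otherwise one Finding per
    problem. Taking bytes rather than a path keeps the logic testable
    without touching the real host binary.
    """
    findings = []
    actual = sha256_bytes(data)
    if actual != expected_sha256:
        findings.append(Finding(path, f"sha256 mismatch: expected {expected_sha256}, got {actual}"))
    # runc must be a native ELF executable; a script header or anything
    # else at offset 0 means the file was replaced.
    if not data.startswith(ELF_MAGIC):
        findings.append(Finding(path, f"not an ELF executable (starts with {data[:4]!r})"))
    # A group- or world-writable runc lets any local user do what the
    # exploit needs a hijacked handle for.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(Finding(path, "binary is group/world writable"))
    return findings


def audit_runc_binary(path: str, expected_sha256: str) -> list:
    """Read a real file and audit it; a missing binary is itself reported."""
    p = Path(path)
    if not p.is_file():
        return [Finding(path, "missing")]
    mode = stat.S_IMODE(p.stat().st_mode)
    return audit_runc_image(p.read_bytes(), expected_sha256, mode, path)


def audit_host(baseline: dict) -> list:
    """baseline maps path -> expected sha256 recorded from a trusted install."""
    findings = []
    for path, digest in baseline.items():
        findings.extend(audit_runc_binary(path, digest))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python3 runc_audit.py /usr/bin/runc <baseline-sha256>
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <runc-path> <baseline-sha256>")
    problems = audit_host({sys.argv[1]: sys.argv[2]})
    for f in problems:
        print(f"[!] {f.path}: {f.reason}")
    sys.exit(1 if problems else 0)
```

Where the binary came from a distribution package, `dpkg --verify runc` or `rpm -V runc` gives the same hash comparison against the package manager's own records, which removes the need to keep a baseline by hand; the script above is for hosts where runc was installed outside the package manager.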
I've been trying to reproduce this exploit on Ubuntu 18.04 LTS with the below versions of runc & docker.io:
runc=1.0.0~rc4+dfsg1-6
docker.io=17.12.1-0ubuntu1
After executing the exploit in the container & running `docker exec -it container /bin/sh` in the host, the exploit hangs.
Output:
./breakout
[+] Overwritten /bin/sh successfully
[+] Found the PID: 168
Any idea why? This was tested on the bento/ubuntu-18.04 Vagrant box.
vagrant@vagrant:~$ uname -r
4.15.0-156-generic
Also, could you please specify the exact versions of runc & docker.io that were used by you? Thanks!
@Frichetten Hello, I cloned your repo and compiled main.go.
After I put the executable file main inside my Ubuntu container and tried to execute it, I got the following error:
error while loading shared libraries: libgo.so.13: cannot open shared object file: No such file or directory
I've tried to reinstall the whole Go package and install libgo13 again and again, but the error continues to pop out. Any solution for it?