-
Notifications
You must be signed in to change notification settings - Fork 551
Exploit: mount procfs
cdxy edited this page Apr 13, 2021
·
2 revisions
自动化逃逸挂载宿主机/proc目录的容器。
该脚本将用户指定的shell命令指向宿主机/sys/kernel/core_pattern
文件,在容器空间通过segment fault触发core dump,进而触发shellcode执行。
Automatic escape container which mounts host process filesystem (usually /proc
dir).
This exploit will first point user-defined shell cmd to host /sys/kernel/core_pattern
file, then use runtime segment fault to trigger core dump inside container, and the shell code will be executed by target host.
See Also:
cdk run mount-procfs <proc-dir> "<shell-cmd>"
# after exploit, the target host will execute user-specified commands in <shell-cmd> arg.
测试案例
- 宿主机启动测试容器,挂载宿主机的procfs,尝试逃逸当前容器。
docker run -v /root/cdk:/cdk -v /proc:/mnt/host_proc --rm -it ubuntu bash
- 容器内部执行
./cdk run mount-procfs /mnt/host_proc "touch /tmp/exp-success"
- 宿主机中出现
/tmp/exp-success
文件,说明exp已经成功执行,攻击者可以在宿主机执行任意命令。
Testing Case
- run a container in host
docker run -v /root/cdk:/cdk -v /proc:/mnt/host_proc --rm -it ubuntu bash
, try to escape this container using CDK. - attach into the container and execute
./cdk run /mnt/host_proc mount-procfs "touch /tmp/exp-success"
- back to the host, check
/tmp/exp-success
file exists, which means our shell cmd was executed successfully. by modifying<shell-cmd>
arg you can exec any cmd you want in target host.