
@iceb0y /bugbox.py Secret
Created Apr 19, 2017

bugbox
from butter.clone import unshare, CLONE_NEWNS, CLONE_NEWUSER
from butter.system import mount, pivot_root, umount, MS_BIND, MS_REMOUNT
from os import chdir, execve, getegid, geteuid, mkdir, path, rmdir, setresgid, setresuid
# Flag value passed as the second argument to umount() further down (the
# Linux umount2(2) "lazy detach" flag).  Defined locally because it is not
# among the names imported from butter.system in this file.
MNT_DETACH = 0x2
def bind_mount(src, target):
    """Create the directory *target* and bind-mount *src* onto it.

    ``mkdir`` raises if *target* already exists, so every mount point is
    expected to be new.  Only ``MS_BIND`` is passed, so the mount is neither
    recursive nor read-only.
    """
    mkdir(target)
    # The filesystem-type argument is left empty for a bind mount.
    fs_type = ''
    mount(src, target, fs_type, MS_BIND)
def write_text_file(file, text):
    """Overwrite the file at path *file* with the string *text*.

    The file is opened in text mode with ``'w'`` and is closed before the
    function returns, including when the write raises.
    """
    handle = open(file, 'w')
    try:
        handle.write(text)
    finally:
        handle.close()
# Record the caller's effective ids before entering the new user namespace;
# the id maps written below are expressed in terms of these outer ids.
host_euid = geteuid()
host_egid = getegid()

# Only a mount namespace and a user namespace are created.  PID, network and
# IPC namespaces are not unshared here, so those stay shared with the host.
unshare(CLONE_NEWNS | CLONE_NEWUSER)

# Each map line covers a single id: in-namespace id 1000 -> the caller's id.
uid_map_line = '1000 {} 1'.format(host_euid)
gid_map_line = '1000 {} 1'.format(host_egid)

write_text_file('/proc/self/uid_map', uid_map_line)
try:
    # 'deny' is written to setgroups before gid_map is written.
    write_text_file('/proc/self/setgroups', 'deny')
except FileNotFoundError:
    # Best effort: presumably covers kernels that do not provide the
    # setgroups file -- TODO confirm which kernels this targets.
    pass
write_text_file('/proc/self/gid_map', gid_map_line)

# NOTE(review): the uid is set before the gid; the conventional
# privilege-drop order is gid first.  Order kept exactly as written.
setresuid(1000, 1000, 1000)
setresgid(1000, 1000, 1000)

# A fresh tmpfs mounted over /tmp becomes the sandbox root; only these three
# host directories are bind-mounted into it.  bind_mount() passes MS_BIND
# alone, so the binds are not marked read-only.
mount('tmpfs', '/tmp', 'tmpfs', 0)
for host_dir, sandbox_dir in (
    ('/bin', '/tmp/bin'),
    ('/lib', '/tmp/lib'),
    ('/lib64', '/tmp/lib64'),
):
    bind_mount(host_dir, sandbox_dir)

# Switch the root to the tmpfs, then lazily detach the previous root and
# remove its now-empty mount point.
chdir('/tmp')
mkdir('old_root')
pivot_root('.', 'old_root')
umount('old_root', MNT_DETACH)
rmdir('old_root')

# Bind the new root onto itself, then remount that bind.
# NOTE(review): the remount passes only MS_BIND | MS_REMOUNT (no read-only
# flag), so it does not make the root read-only -- confirm the intent.
root = '/'
mount(root, root, '', MS_BIND)
mount(root, root, '', MS_BIND | MS_REMOUNT)

# Replace this process with bash: argv[0] is 'bugbox' and the environment is
# empty, so no variable from the caller's environment reaches the shell.
execve('/bin/bash', ['bugbox'], {})