This repository has been archived by the owner on Jan 6, 2023. It is now read-only.

Releases: clearcontainers/cc-dirtycow-demo

Initial Release

19 Mar 16:36

This PoC is based on scumjr/dirtycow-vdso in that it backdoors the vDSO, which the kernel maps into every user-space process. scumjr's version uses ptrace, which Docker's default seccomp profile has not whitelisted since 1.11, so it will not escape containers started in the default way, whereas this /proc/self/mem approach does.
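An added defender-side check, not part of the demo: audit a Docker-format seccomp profile to see whether ptrace is reachable for a container with a given capability set, and note that a default-deny profile still allows write(2), so the profile says nothing about a /proc/self/mem write. The profile fragment is constructed for the example, not Docker's real default.

```python
import json

# Constructed seccomp profile fragment in Docker's JSON layout (not the real
# default profile; just enough structure to exercise the check).
PROFILE_JSON = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "open", "openat", "lseek", "madvise", "mmap"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_PTRACE"]}}
  ]
}
"""


def allowed_syscalls(profile, caps=()):
    """Return the set of syscalls the profile allows for a container holding
    `caps`. Rules with an `includes.caps` filter (Docker's conditional form)
    only apply when the container actually has one of those capabilities."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        needed = rule.get("includes", {}).get("caps", [])
        if needed and not set(needed) & set(caps):
            continue
        # Older profiles carry a single "name"; newer ones carry "names".
        names = rule.get("names") or [rule["name"]]
        allowed.update(names)
    return allowed


def audit(profile_text, caps=()):
    """Summarise what the profile means for the two paths the release notes
    contrast: ptrace (filterable) and a write to /proc/self/mem, which is an
    ordinary write(2) that a profile allowing write cannot single out."""
    profile = json.loads(profile_text)
    allowed = allowed_syscalls(profile, caps)
    default_deny = profile.get("defaultAction") != "SCMP_ACT_ALLOW"
    return {
        "default_deny": default_deny,
        "ptrace_allowed": "ptrace" in allowed or not default_deny,
        "write_allowed": "write" in allowed or not default_deny,
    }


if __name__ == "__main__":
    print(audit(PROFILE_JSON))
    print(audit(PROFILE_JSON, caps=["CAP_SYS_PTRACE"]))
```

The takeaway for a defender is that a seccomp result of "ptrace blocked" is not evidence against this PoC; only a patched kernel or a runtime with a separate guest kernel removes the host kernel from reach.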

The Clear Containers runtime runs container workloads in lightweight KVM virtual machines while achieving startup and running speeds similar to runc. This means the container's kernel is different from the host's, so kernel exploits do not let you break out of the container.

This demo exploits the Dirty COW kernel vulnerability (CVE-2016-5195) to spawn a root shell outside the container, which connects back to the PoC over a TCP socket. Before exploiting, it lists the files and directories in /home/, and it does the same in the shell it catches. If you ran it with the Clear Containers runtime, the two listings will be the same; if you ran it with runc, the second listing shows the /home/ of the host system.