runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (1)

• Exploit Database
• 115 阅读

• 作者： feexd
  日期： 2019-02-12
• 类别：

  • local
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/46359/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14

  # Usage Edit HOST inside <code>payload.c</code>, compile with <code>make</code>. Start <code>nc</code> and run <code>pwn.sh</code> inside the container.   # Notes - This exploit is destructive: it&apos;ll overwrite <code>/usr/bin/docker-runc</code> binary *on the host* with the payload. It&apos;ll also overwrite <code>/bin/sh</code> inside the container. - Tested only on Debian 9. - No attempts were made to make it stable or reliable, it&apos;s only tested to work when a <code>docker exec <id> /bin/sh</code> is issued on the host.   More complete explanation [here](https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d).   Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46359.zip