PIE-Stack-Clash-CVE-2017-1000253

Demo-ing CVE-2017-1000253 in a container. This demo relies on Qualys POC code that performs the exploit over CentOS.

Install a vulnerable kernel

1.Install CentOS 7
2.Install Docker
3.Edit the /etc/yum.repos.d/CentOS-Vault.repo file:
     1.Change each entry to path to include 7.3.1611:
              baseurl=http://vault.centos.org/7.3.1611/os/$basearch/
              baseurl=http://vault.centos.org/7.3.1611/updates/$basearch/
              ...
     2.Enable all the entries:
              enabled=1
 4.Update the repo list
     yum repolist
 5.Install a vulnerable kernel 
     yum install kernel-3.10.0-514.26.1.el7.x86_64
 6.Check the kernel ID (in the following example, it is 0):
    # awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg0 
       0 : CentOS Linux (3.10.0-514.26.1.el7.x86_64) 7 (Core)
       1 : CentOS Linux (3.10.0-514.26.1.el7.x86_64) 7 (Core) with debugging
       2 : CentOS Linux 7 (Core), with Linux 3.10.0-229.20.1.el7.x86_64
 7.Set the default entry for grub:
     grub2-set-default 0
 8.Make sure it had changed:
   # grub2-editenv list
     saved_entry=0
 9.Reboot
   shutdown -r now
10.Make sure the vulnerable kernel was loaded
   # uname -a
     Linux devSDces71b305-vm0 3.10.0-514.26.1.el7.x86_64 #1 SMP Thu Jun 29 16:05:25 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Build the container

docker build -t pie-cve .

Run the container an a non-root user

docker run -it -u 4444 pie-cve

Normally, after a few hours the exploit will be done. The "hacker.txt" file will be written the /root directory inside the container.