cdxy edited this page Feb 8, 2021 · 1 revision

Exploit: docker-api-pwn

The Docker Remote API (port 2375) has no authentication and is designed to listen on local addresses only; exposing this port to the network leads to remote code execution on the host. This exploit first connects to the Docker API, then sends requests that make dockerd pull an image and create a container with the host's entire filesystem mounted at /host. Commands are then executed inside that container, and writing payloads to the host filesystem (e.g. /etc/crontab) escapes to the host.

Attacks the Docker API unauthorized-access vulnerability on port 2375: it drives the host's dockerd to create a new container, mounts the host root directory / at /host inside the container, and then runs the user-supplied command to tamper with host files; for example, writing /etc/crontab is enough to take over the host.
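As a defender's counterpart to the exploit described above, the following Python (an added example, not code from CDK or from this page) audits the two conditions the attack depends on: a dockerd `hosts` entry that exposes the Remote API over TCP without `tlsverify`, and a running container whose bind mounts hand it the host's root filesystem (the `/` to `/host` mount the exploit creates). The daemon.json fragments, the container records and the function names are constructed for this example; `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are real dockerd configuration keys.

```python
"""Audit helpers for the Docker Remote API exposure this page describes.

1. audit_daemon_hosts(): flag dockerd listen addresses that serve the
   Remote API over TCP without TLS client verification.
2. find_host_root_mounts(): flag containers whose bind mounts reach into
   the host, in particular the "/ -> /host" mount used by the exploit.
All sample inputs are constructed for the example, not captured from a
real daemon.
"""
import json
from urllib.parse import urlsplit

# Constructed daemon.json contents: the weak setting and a hardened one.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def audit_daemon_hosts(daemon_json: str) -> list:
    """Return one finding string per TCP listener that lacks tlsverify."""
    cfg = json.loads(daemon_json)
    tls = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are protected by file permissions
        if not tls:
            scope = "loopback only" if parts.hostname in LOOPBACK else "reachable from the network"
            findings.append(f"{host}: TCP listener without tlsverify ({scope})")
    return findings


# Constructed subset of `docker inspect` output for three containers.
SAMPLE_CONTAINERS = [
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False}},
    {"Id": "bbb222", "Name": "/suspicious",
     "HostConfig": {"Binds": ["/:/host"], "Privileged": False}},
    {"Id": "ccc333", "Name": "/agent",
     "HostConfig": {"Binds": ["/etc:/mnt/etc", "/var/run/docker.sock:/var/run/docker.sock"],
                    "Privileged": True}},
]

# Host paths whose bind mount lets a container process modify the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")


def _is_sensitive(src: str) -> bool:
    if src in SENSITIVE_HOST_PATHS:
        return True
    return any(src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def find_host_root_mounts(containers: list) -> dict:
    """Map container Id -> reasons it gives a process inside it reach into the host."""
    hits = {}
    for c in containers:
        hc = c.get("HostConfig", {})
        reasons = []
        for bind in hc.get("Binds") or []:
            fields = bind.split(":")  # host_path:container_path[:mode]
            src = fields[0]
            if src == "/":
                reasons.append(f"host root mounted at {fields[1]}")
            elif _is_sensitive(src):
                reasons.append(f"sensitive host path bound: {bind}")
        if hc.get("Privileged"):
            reasons.append("privileged container")
        if reasons:
            hits[c["Id"]] = reasons
    return hits


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_hosts(cfg))
    for cid, reasons in find_host_root_mounts(SAMPLE_CONTAINERS).items():
        print(cid, "->", "; ".join(reasons))
```

On a real host, feed `audit_daemon_hosts` the contents of /etc/docker/daemon.json and `find_host_root_mounts` the parsed output of `docker inspect` for the running containers. dockerd can also take `-H` listen addresses from its systemd unit rather than daemon.json, which this check does not read, so the unit file deserves the same look.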

Usage

./cdk run docker-api-pwn <sock_path> <shell_cmd>

Example

./cdk run docker-api-pwn http://127.0.0.1:2375 "touch /host/tmp/docker-api-pwn"