Edit HOST inside payload.c, compile it, and run pwn.sh inside the container.
- This exploit is destructive: it overwrites the /usr/bin/docker-runc binary on the host with the payload. It also overwrites /bin/sh inside the container.
- Tested only on Debian 9.
- No attempts were made to make it stable or reliable; it is only tested to work when a `docker exec <id> /bin/sh` is issued on the host.
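Because the exploit clobbers the host's runc binary, it is worth having a way to confirm afterwards (on a test host, or on any host you suspect has been hit by this bug) that the binary still matches a known-good copy. The script below is an added example, not part of this PoC or of the runc project: it records a SHA-256 baseline of a binary before the test and compares against it afterwards. The default path /usr/bin/docker-runc is the one this README names; the baseline file format (the two-column output of `sha256sum`) and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: integrity check for the runc binary that this PoC overwrites.
# Not part of the PoC. Assumes GNU coreutils (sha256sum) and awk are present.

# Default target is the path named in the README; override with RUNC_PATH=...
RUNC_PATH="${RUNC_PATH:-/usr/bin/docker-runc}"

# runc_record_baseline BASELINE_FILE BINARY
#   Writes "<sha256>  <path>" for BINARY into BASELINE_FILE (sha256sum format).
#   Run this BEFORE running the exploit (or from a trusted package copy).
runc_record_baseline() {
    baseline="$1"
    binary="$2"
    [ -f "$binary" ] || return 2
    sha256sum "$binary" > "$baseline"
}

# runc_check_integrity BASELINE_FILE BINARY
#   Returns 0 if BINARY's SHA-256 matches the entry recorded in BASELINE_FILE,
#   1 if the hash differs (binary was modified, e.g. by this exploit),
#   2 if the binary or its baseline entry is missing.
runc_check_integrity() {
    baseline="$1"
    binary="$2"
    [ -f "$binary" ] || return 2
    # Column 2 of the baseline is the path, column 1 the expected hash.
    expected=$(awk -v p="$binary" '$2 == p { print $1 }' "$baseline")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$binary" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# Command-line use (only when arguments are given, so the file can also be
# sourced as a library):
#   ./runc-check.sh record /path/to/baseline.sha256   # before the test
#   ./runc-check.sh verify /path/to/baseline.sha256   # after the test
if [ "$#" -ge 2 ]; then
    case "$1" in
        record)
            runc_record_baseline "$2" "$RUNC_PATH" && echo "baseline recorded for $RUNC_PATH"
            ;;
        verify)
            if runc_check_integrity "$2" "$RUNC_PATH"; then
                echo "OK: $RUNC_PATH matches baseline"
            else
                rc=$?
                [ "$rc" -eq 1 ] && echo "MODIFIED: $RUNC_PATH does not match baseline"
                [ "$rc" -eq 2 ] && echo "MISSING: $RUNC_PATH or its baseline entry not found"
                exit "$rc"
            fi
            ;;
        *)
            echo "usage: $0 record|verify BASELINE_FILE" >&2
            exit 64
            ;;
    esac
fi
```

On a Debian host you can seed the baseline from the package itself (the md5sums shipped with the package, or a freshly downloaded .deb) rather than from the possibly already-tampered binary on disk; a baseline taken after the exploit has run only proves that nothing changed since then.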
The original commit I used to write the exploit is here.
The researchers who actually found the vulnerability have published a writeup here.
I've added the original exploit, CVE_2019_5736.tar.xz, which works differently than mine. Thanks to cyphar for pointing me to it.