Hangs after finding the PID
0xOsmian opened this issue · 3 comments
I've been trying to reproduce this exploit on Ubuntu 18.04 LTS with the below versions of runc & docker.io:
`runc=1.0.0~rc4+dfsg1-6` & `docker.io=17.12.1-0ubuntu1`
After executing the exploit in the container & running `docker exec -it container /bin/sh` in the host, the exploit hangs.
Output:
./breakout
[+] Overwritten /bin/sh successfully
[+] Found the PID: 168
Any idea why? This was tested on the bento/ubuntu-18.04 Vagrant box:
vagrant@vagrant:~$ uname -r
4.15.0-156-generic
Also, could you please specify the exact versions of runc & docker.io that were used by you? Thanks!
Hey, sorry, it's been a long time since I've looked at this. My only thought would be that I ran it in a local VM and not Vagrant. Leading into that, any idea what kind of performance the VM has? The reason I ask is that on lines 58-64, there is an endless for loop trying to get a file handle (seemingly where it hangs).
Also, maybe check if AppArmor is enabled and try with it being disabled.
Not sure about the version of runc I was using, but the tested versions at the time were 18.09.1-ce and 18.03.1-ce.
Thanks a lot, I was able to reproduce the exploit by installing `docker-ce=18.03.1~ce~3-0~ubuntu` instead of installing runc & docker.io individually.