Edit `HOST` inside `payload.c`, then compile with `make`. Start `nc` and run `pwn.sh` inside the container.
- This exploit is destructive: it'll overwrite the `/usr/bin/docker-runc` binary on the host with the payload. It'll also overwrite `/bin/sh` inside the container.
- Tested only on Debian 9.
- No attempts were made to make it stable or reliable; it's only tested to work when a `docker exec <id> /bin/sh` is issued on the host.
The original commit I used to write the exploit is here.
The researchers who actually found the vulnerability have published a writeup here.
I've added the original exploit, CVE_2019_5736_tar_xz, which works differently from mine. Thanks to cyphar for pointing me to it.