Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-5736 PoC — Docker 操作系统命令注入漏洞

Source
https://github.com/Perimora/cve_2019-5736-PoC
Associated Vulnerability
Title:Docker 操作系统命令注入漏洞 (CVE-2019-5736)
Description:runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Description
C-based PoC for  CVE-2019-5736
Readme
# CVE-2019-5736 PoC

This repository contains a C-based proof-of-concept exploit for [CVE-2019-5736](https://nvd.nist.gov/vuln/detail/CVE-2019-5736).

This vulnerability allows a malicious Docker container to overwrite the host's `runc` binary and execute arbitrary commands on the host with root privileges – fully compromising the host system.

> Inspired by the original Go-based PoC by [Frichetten](https://github.com/Frichetten/CVE-2019-5736-PoC?tab=readme-ov-file)

## Disclaimer

This code is for **educational purposes only**. Do not run it on any system you do not own or have permission to test. Misuse may result in legal consequences.

## Contents

1. [Project Structure](#1-project-structure)
2. [Environment Setup & Installation](#2-environment-setup--installation)
3. [Usage](#3-usage)  

## 1. Project Structure

```
.
├── docker/                       
│   └── Dockerfile
├── lib/                           
│   └── exploit.h
├── scripts/                       
│   ├── build_docker.sh
│   ├── purge_docker_installation.sh
│   ├── setup_env.sh
│   ├── start_docker.sh
│   └── trigger_exploit.sh
├── src/                         
│   ├── exploit.c
│   └── main.c
├── LICENSE
├── Makefile
└── README.md
```

## 2. Environment Setup & Installation

This exploit has been tested on:

- **Ubuntu 18.04.1** → [Download ISO](https://old-releases.ubuntu.com/releases/18.04.1/)
- **Docker 18.09.1** → [Download binaries](https://download.docker.com/linux/static/stable/x86_64/docker-18.09.1.tgz)


### Step-by-step Installation

#### 0. Install dependencies
```bash
sudo ./scripts/install_dependencies.sh
```
> Note: You can safely skip this if you already have installed `wget` and `build-essential`.

#### 1. Install Docker via script
```bash
sudo ./scripts/setup_env.sh
```

> This script installs Docker without systemd or socket activation. It’s ideal for VM labs.

#### 2. Start Docker manually
```bash
sudo dockerd
```

> Note: You’ll need a second terminal to run this in the background.

#### 3. Build the exploit container
```bash
sudo ./scripts/build_docker.sh
```

> This script compiles the exploit and builds a Docker image with the binary inside.

> Note: You can also manually build the exploit binary by running `make`.

### Optional: Clean up the environment

You can completely remove Docker and restore the system to a pre-installation state:
```bash
sudo ./scripts/purge_docker_installation.sh
```

## 3. Usage
First we start our exploit container. You can either use this command:

```bash
sudo docker run -it --name exp --rm runc_exploit
```
or the included shell script:

```bash
sudo ./scripts/start_docker.sh
```

Inside the container we can now start our exploit binary:

```bash
./exploit -c "$COMAND"
```

> The binary takes three arguments: `-h` prints the usage message and `-c` defines the command string payload we want to execute on the host. The last `-d` argument toggles debug prints during execution. (eg. parsing information of `/proc`)

> Note: If the `-c` argument is not provided the exploit will execute `cp /etc/shadow > /tmp/pwned && chmod 644 /tmp/pwned`.

The exploit now waits for an incomming runc process on the host execute 

```bash
sudo ./scripts/trigger_exploit.sh
```

This script will open a new process inside the container executing `bin/sh` and therefore triggering the exploit.

> Note: You could also trigger the exploit by manually executing `docker exec` on the host but the timing is critical for the current PoC version to work. So it could take a few tries... 

If runc was exploited successfully you should see a similiar output:

![output](doc/img/output.png)

We are now able to open our pwned shadow file:

![shadow](doc/img/shadow.png)
File Snapshot

 [4.0K]  /data/pocs/12097be4ef791c190ce1865a2467c7eb8ae93e89
├── [4.0K]  doc
│   └── [4.0K]  img
│       ├── [ 41K]  output.png
│       └── [135K]  shadow.png
├── [4.0K]  docker
│   └── [  79]  Dockerfile
├── [4.0K]  lib
│   └── [ 772]  exploit.h
├── [1.0K]  LICENSE
├── [ 389]  Makefile
├── [3.7K]  README.md
├── [4.0K]  scripts
│   ├── [ 222]  build_docker.sh
│   ├── [  60]  install_dependencies.sh
│   ├── [ 160]  purge_docker_installation.sh
│   ├── [ 709]  setup_env.sh
│   ├── [ 132]  start_docker.sh
│   └── [  91]  trigger_exploit.sh
└── [4.0K]  src
    ├── [4.7K]  exploit.c
    └── [2.7K]  main.c

6 directories, 15 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →