Crafting raw TCP/IP packets to send to poorly configured servers - CVE-2020-8558 PoC# Martian Packets
A repo containing a python script which can be used to craft raw TCP/IP packets.
Used for testing out martian packets following a vulnerability announced in kubernetes (kube-proxy: CVE-2020-8558). This PoC covers the pod -> node (host) localhost boundary bypass.
For a simple and robust PoC for the node -> node portion of the vulnerability, see [here](https://github.com/kubernetes/kubernetes/issues/90259).
Packet crafting credits:
https://inc0x0.com/tcp-ip-packets-introduction/tcp-ip-packets-3-manually-create-and-send-raw-tcp-ip-packets/
https://gist.github.com/NickKaramoff/b06520e3cb458ac7264cab1c51fa33d6
## Kube
There is a Dockerfile and pod manifest for deploying the exploit to kubernetes for easily proving whether a cluster is vulnerable. The script has been updated to target the unauthenticated kube api server on port 8080 which runs on master nodes (the manifest will deploy the pod to a master node).
The exploit will use the kube apiserver's REST API to create a pod in your cluster's default namespace with the name: `youve-been-pwned`. This pod just echos out text in an infinite loop and will need deleting manually.
I had some issues on certain clusters (running cilium) when starting the process immediately on container creation, where no syn/ack would be received from the host after sending an initial syn. I've hacked around this with the [start.sh](./start.sh) script, which just checks that the network is up before starting the exploit - this seemed to help.
[4.0K] /data/pocs/1f38e8f1d70a6de2958024b135d47d32c4736e50
├── [ 136] Dockerfile
├── [4.0K] kube
│ └── [ 790] pod.yaml
├── [4.0K] martian_packets
│ ├── [ 850] main.py
│ └── [4.0K] packets
│ ├── [ 0] __init__.py
│ ├── [3.6K] tcp_craft.py
│ └── [4.5K] tcp_exchange.py
├── [1.5K] README.md
└── [ 394] start.sh
3 directories, 8 files