Demo-ing CVE-2017-1000253 in a container# PIE-Stack-Clash-CVE-2017-1000253
Demo-ing CVE-2017-1000253 in a container.
This demo relies on [Qualys POC code](https://www.qualys.com/research/security-advisories/?_ga=2.83676118.1784152149.1507102441-274088665.1506491591) that performs the exploit over CentOS.
## Install a vulnerable kernel
1.Install CentOS 7
2.Install Docker
3.Edit the /etc/yum.repos.d/CentOS-Vault.repo file:
1.Change each entry to path to include 7.3.1611:
baseurl=http://vault.centos.org/7.3.1611/os/$basearch/
baseurl=http://vault.centos.org/7.3.1611/updates/$basearch/
...
2.Enable all the entries:
enabled=1
4.Update the repo list
yum repolist
5.Install a vulnerable kernel
yum install kernel-3.10.0-514.26.1.el7.x86_64
6.Check the kernel ID (in the following example, it is 0):
# awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg0
0 : CentOS Linux (3.10.0-514.26.1.el7.x86_64) 7 (Core)
1 : CentOS Linux (3.10.0-514.26.1.el7.x86_64) 7 (Core) with debugging
2 : CentOS Linux 7 (Core), with Linux 3.10.0-229.20.1.el7.x86_64
7.Set the default entry for grub:
grub2-set-default 0
8.Make sure it had changed:
# grub2-editenv list
saved_entry=0
9.Reboot
shutdown -r now
10.Make sure the vulnerable kernel was loaded
# uname -a
Linux devSDces71b305-vm0 3.10.0-514.26.1.el7.x86_64 #1 SMP Thu Jun 29 16:05:25 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
## Build the container
``` sh
docker build -t pie-cve .
```
## Run the container an a non-root user
``` sh
docker run -it -u 4444 pie-cve
```
Normally, after a few hours the exploit will be done. The "hacker.txt" file will be written the /root directory inside the container.
[4.0K] /data/pocs/8d6742a51d7b50d455dca74d735528326fc40af1
├── [ 26K] CVE-2017-1000253
├── [ 17K] CVE-2017-1000253.c
├── [ 269] Dockerfile
├── [ 61K] ping
├── [1.8K] README.md
├── [5.7K] rootshell
├── [1.4K] rootshell.c
└── [ 35K] rootshell.h
0 directories, 8 files