runC container escape via /proc/self/exe overwrite
CVE-2019-5736 is a container escape vulnerability in runC through 1.0-rc6, affecting Docker before 18.09.2 and other products that use the OCI runC runtime. The flaw is caused by improper handling of file descriptors associated with /proc/self/exe during container process execution. In vulnerable flows, runC can be tricked into executing or exposing the host runC binary in a way that allows a process running as root inside a container to overwrite that host binary. Documented exploitation paths include launching a new container from an attacker-controlled image or attaching to an existing attacker-modified container via docker exec. Public analyses describe abuse of procfs semantics around /proc/self/exe and /proc/[pid]/exe, including cases where runC re-executes itself and inherited file descriptors can later be reopened for writing. Once the host runC binary is replaced with attacker-controlled content, the next invocation of runC executes attacker code on the host as root.
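As an added defender-side example (not code from this page, from runC, or from any of the repositories listed below), the checks here flag the affected version range stated above and detect the post-exploitation state the documented payloads leave behind: a host runC that no longer starts with an ELF header because it was replaced by a script. Function names, the sample version strings and the 1.0-rc7 boundary (the first upstream tag past the "through 1.0-rc6" range above) are assumptions of this example.

```python
"""Two host-side checks for CVE-2019-5736 (added example, not runC project code)."""
import re

FIXED_RC = 7            # assumption: first upstream tag past the affected range (1.0-rc6)
ELF_MAGIC = b"\x7fELF"  # every genuine runC build is an ELF executable


def parse_runc_version(output: str):
    """Parse 'runc version 1.0.0-rc6' style output into (major, minor, patch, rc).

    rc is None for a final release. Returns None when the string is unparseable.
    """
    m = re.search(r"runc version (\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?", output)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else None)


def version_is_vulnerable(output: str) -> bool:
    """True when the reported version falls in the affected range (<= 1.0-rc6).

    Caveat: a distribution may backport the fix into an rc6-labelled build, so a
    version match alone is an indicator to follow up on, not proof of exposure.
    """
    v = parse_runc_version(output)
    if v is None:
        return True  # unknown version: treat as unverified
    major, minor, patch, rc = v
    if (major, minor, patch) < (1, 0, 0):
        return True
    return (major, minor, patch) == (1, 0, 0) and rc is not None and rc < FIXED_RC


def elf_header_intact(head: bytes) -> bool:
    """True if the leading bytes carry the ELF magic; a '#!' script header means
    the binary has been overwritten, which the PoCs on this page do to runC."""
    return head[:4] == ELF_MAGIC


def runc_binary_tampered(path: str) -> bool:
    """Read the first bytes of the installed runC binary and check the ELF magic."""
    with open(path, "rb") as f:
        return not elf_header_intact(f.read(4))
```

Pair the ELF check with a known-good hash from package metadata or file integrity monitoring, since the ELF magic alone does not prove the binary is the one the package shipped.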
Exploits
Repository is a small Linux-focused exploit PoC with two functional files: main.go and runC.sh. main.go is a standalone Go exploit that embeds a compressed binary payload and writes it into a target executable using Linux AF_ALG sockets, ancillary control messages, and splice-based file descriptor operations. The overwrite occurs in 4-byte chunks, suggesting it is implementing a kernel/file-descriptor abuse primitive rather than a normal file write. The code defaults to targeting /usr/bin/su and can optionally execute su after the overwrite. Error handling explicitly treats aborted AF_ALG requests as a sign of a patched or mitigated kernel. runC.sh provides the container-escape orchestration. It overwrites /bin/sh with a shebang pointing to /proc/self/exe, then waits in a loop for a process matching /proc/self/exe to appear, identifying a runC process ID. Once found, it invokes /exploit against /proc/<pid>/exe, attempting to overwrite the host-side runC binary while it is executing. This is conceptually similar to the classic runC overwrite/escape technique referenced in the script comments (CVE-2019-5736), but the repository labels the exploit as CVE-2026-31431 and the Go code appears to rely on a vulnerable Linux kernel AF_ALG behavior to perform the overwrite primitive. Overall purpose: provide an operational container-escape exploit chain for Linux environments. The Go component supplies the binary-overwrite primitive and embedded payload; the shell script adapts it to a runC container breakout scenario by locating the runtime process and targeting /proc/<pid>/exe. No network communication is present; the exploit is entirely local/container-based and interacts with Linux file paths, process paths under /proc, and kernel crypto socket interfaces.
This repository is a C-based proof-of-concept exploit for CVE-2019-5736, a critical container escape vulnerability in Docker's runc runtime. The exploit is designed to be run from within a malicious Docker container. It works by overwriting the host's runc binary via a race condition, allowing arbitrary command execution as root on the host. The default payload copies the host's /etc/shadow file to /tmp/pwned and makes it world-readable, but the payload can be customized via command-line arguments. The repository includes scripts for setting up a vulnerable Docker environment, building the exploit, and automating the exploitation process. The main exploit logic is implemented in C (src/main.c and src/exploit.c), with supporting headers and build scripts. The exploit targets Linux systems running Docker 18.09.1 and runc, specifically on Ubuntu 18.04.1 as tested. Key fingerprintable endpoints include /bin/sh (overwritten), /proc/self/exe (used for redirection), /etc/shadow (exfiltrated), and /usr/bin/runc (the main target). The exploit is a functional PoC and not weaponized, but demonstrates full host compromise from a container context.
This repository contains a Go implementation of an exploit for CVE-2019-5736, a critical container escape vulnerability in runc, the default container runtime for Docker and other container systems. The exploit works by overwriting the /bin/sh binary inside a container to point to /proc/self/exe, then locating the runc process on the host and overwriting its binary via the /proc filesystem. The default payload is a bash reverse shell that connects to the attacker's machine (10.10.14.12) on port 1234. The README provides detailed instructions for setting up the exploit, including modifying the payload, compiling the Go code, hosting the binary for download, and orchestrating the attack using multiple terminals. The exploit requires the attacker to have code execution inside a container and is effective against vulnerable runc versions on Linux. The main exploit logic is in main.go, which is the only code file. The repository is operational and provides a working exploit with a customizable payload.
This repository is a Proof-of-Concept (PoC) exploit for CVE-2019-5736, a critical container escape vulnerability affecting Docker's runc runtime on Linux. The exploit is implemented in Go (main.go) and is designed to be executed from within a Docker container where the attacker has root privileges. The exploit works by overwriting the /bin/sh binary in the container to point to /proc/self/exe, then locating the runc process on the host, obtaining a file handle to its binary, and overwriting it with a malicious payload. This payload is a shell script that executes arbitrary commands as root on the host when triggered (typically when a user attaches to the container with 'docker exec'). The README.md provides detailed background, usage instructions, and warnings about the destructive nature of the exploit (overwriting runc disables Docker on the host until runc is restored). The exploit targets Docker versions 18.09.1-ce and 18.03.1-ce on Linux distributions such as Ubuntu 18.04, Debian 9, and Arch Linux. The main attack vector is local privilege escalation from within a container to root on the host. The repository contains no network endpoints, but several critical file paths are used as part of the exploit chain.
This repository is a proof-of-concept exploit for CVE-2019-5736, a critical container escape vulnerability in Docker's runC. The exploit consists of several components:
- A Dockerfile that builds a malicious container image, modifies libseccomp, compiles a C binary (overwrite_runc), and adds a malicious bash script (new_runc).
- 'overwrite_runc.c' is a C program that, when executed, overwrites the runC binary on the host with the attacker's payload ('new_runc').
- 'run_at_link.c' is appended to libseccomp and is used to trigger the overwrite process by executing 'overwrite_runc' with a file descriptor to the runC binary.
- 'new_runc' is a bash script that, once runC is replaced and executed on the host, installs a desktop environment and VNC server, sets up a default password, and configures the VNC server as a persistent systemd service, granting the attacker remote desktop access to the host.
The exploit demonstrates a full container escape, allowing arbitrary code execution on the host and persistent access via VNC. The main attack vector is a container escape via a vulnerable runC binary. The repository is well-structured for operational exploitation and is not just a detection script or a simple proof of concept.
This repository contains a working exploit for CVE-2019-5736, a critical container escape vulnerability affecting Docker's runc and LXC on Linux. The exploit allows an attacker with code execution inside a container to overwrite the host's runc binary (or LXC equivalent), leading to root-level code execution on the host. The repository is organized into two main exploit implementations:
1. The 'CVE-2019-5736' directory contains a PoC that uses a malicious shared library and shell script to overwrite the runc binary when a container is started or attached. Key files include 'bad_libseccomp.c' (malicious shared library), 'bad_init.sh' (script to overwrite the binary), and 'make.sh' (build and setup script).
2. The root directory contains a more direct exploit: 'exploit.c' (main exploit logic), 'payload.c' (reverse shell payload), and 'pwn.sh' (automation script to trigger the exploit repeatedly). The payload is a reverse shell connecting to 127.0.0.1:4455 by default, but this can be changed in 'payload.c'.
The exploit works by overwriting the host's runc binary (typically /usr/bin/docker-runc) with a malicious script or binary, so that subsequent container operations by the host will execute attacker-controlled code as root. The exploit is operational and includes a working payload, but is not weaponized for mass exploitation. The repository also includes documentation and references to the original vulnerability research.
This repository provides two proof-of-concept exploits for CVE-2019-5736, a critical vulnerability in runc, the container runtime used by Docker and other container systems. The repository is organized into two main PoCs:
1. exec_POC: Demonstrates the ability to overwrite the runc binary on the host with a benign payload (a program that prints a message). It uses a combination of shell scripts and C code to locate the runc process and replace the binary via /proc filesystem tricks.
2. malicious_image_POC: Demonstrates a more weaponized scenario where the runc binary is replaced with a bash script that opens a reverse shell to 0.0.0.0:2345, allowing remote code execution on the host. This PoC involves modifying libseccomp, compiling a custom overwrite tool, and using a crafted entrypoint to trigger the exploit.
Key files include C source code for the overwrite logic, bash scripts for orchestration, Dockerfiles for building the PoC images, and payloads for the runc replacement. The exploit targets Linux systems running vulnerable versions of runc and requires the ability to run a container with a malicious image or code. The main attack vector is through container escape, leading to host compromise by overwriting the runc binary with attacker-controlled code.
This repository is a proof-of-concept exploit for CVE-2019-5736, a critical container escape vulnerability in Docker's runc. The exploit is implemented in two C files (stage1.c and stage2.c) and orchestrated via a Dockerfile. The Dockerfile builds a container that, when run, appends a string to the host's runc binary by exploiting the way runc handles /proc/self/exe. The exploit works by injecting code into the runc binary from within a container, demonstrating the ability to overwrite files on the host. The payload is currently a simple string, but the README notes that arbitrary payloads can be used by modifying stage2.c. The repository is structured for easy demonstration and testing of the vulnerability, and does not include weaponized payloads by default.
Recent activity
A runC container escape vulnerability that allowed an attacker with access inside a container to overwrite the runC binary and execute arbitrary code on the host with root privileges.
A runc container escape vulnerability referenced as historical context for how runc was hardened against overwrite-based attacks from inside containers.
A critical container escape vulnerability in runC that allows attackers to overwrite the runC binary on the host and gain root access, breaking container isolation.
A runC container escape vulnerability caused by improper handling of /proc/self/exe, allowing an attacker with root inside a container to overwrite the runC binary and execute code on the host as root.