this branch del code of cve-2002-0492 to compiler in low version glib…

…c(don't have CLONE_NEWCGROUP)
SPuerBRead · Dec 14, 2022 · 2862cf8 · 2862cf8
1 parent da832a2
commit 2862cf8
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 16 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -3,4 +3,4 @@ project(shovel C)
 
 set(CMAKE_C_STANDARD 99)
 
-add_executable(shovel main.c exploits/release_agent.c exploits/release_agent.h docker/capability.c docker/capability.h util/output.c util/output.h exploits/cve_2022_0492.c exploits/cve_2022_0492.h docker/path.c docker/path.h util/regex_util.c util/regex_util.h util/random_str.c util/random_str.h exploits/devices_allow.c exploits/devices_allow.h util/program_info.c util/program_info.h util/utils.c util/utils.h util/custom_struts.c util/custom_struts.h docker/cgroup.c docker/cgroup.h docker/dev.c docker/dev.h util/mount_info.c util/mount_info.h docker/security.c docker/security.h)
+add_executable(shovel main.c exploits/release_agent.c exploits/release_agent.h docker/capability.c docker/capability.h util/output.c util/output.h docker/path.c docker/path.h util/regex_util.c util/regex_util.h util/random_str.c util/random_str.h exploits/devices_allow.c exploits/devices_allow.h util/program_info.c util/program_info.h util/utils.c util/utils.h util/custom_struts.c util/custom_struts.h docker/cgroup.c docker/cgroup.h docker/dev.c docker/dev.h util/mount_info.c util/mount_info.h docker/security.c docker/security.h)
diff --git a/docker/path.c b/docker/path.c
@@ -27,9 +27,9 @@ int get_storage_driver_type() {
     char *proc_mounts_path = "/proc/mounts";
     char *mtab_path = "/etc/mtab";
     char *vfs_mount_path = "/proc/1/mountinfo";
-    int length;
+    int length,i;
     if (access(proc_mounts_path, F_OK) == 0 && ((length = load_mount_info(proc_mounts_path, mounts_info)) != 0)) {
-        for (int i = 0; i < length; i++) {
+        for (i = 0; i < length; i++) {
             if (strcmp(mounts_info[i]->mnt_type, "overlay") == 0) {
                 printf_wrapper(INFO, "Storage driver type: overlayfs\n");
                 return OVERLAYFS;
@@ -49,7 +49,7 @@ int get_storage_driver_type() {
         }
     }
     if (access(mtab_path, F_OK) == 0 && ((length = load_mount_info(proc_mounts_path, mounts_info)) != 0)) {
-        for (int i = 0; i < length; i++) {
+        for (i = 0; i < length; i++) {
             if (strcmp(mounts_info[i]->mnt_type, "overlay") == 0) {
                 printf_wrapper(INFO, "Storage driver type: overlayfs\n");
                 return OVERLAYFS;
@@ -69,7 +69,7 @@ int get_storage_driver_type() {
         }
     }
     if (access(vfs_mount_path, F_OK) == 0 && ((length = load_mount_info(vfs_mount_path, mounts_info)) != 0)) {
-        for (int i = 0; i < length; i++) {
+        for (i = 0; i < length; i++) {
             if (strstr(mounts_info[i]->mnt_opts, "/var/lib/docker/vfs")) {
                 printf_wrapper(INFO, "Storage driver type: vfs\n");
                 return VFS;
@@ -81,10 +81,11 @@ int get_storage_driver_type() {
 }
 
 void get_container_path_in_host(char *container_path_in_host) {
+    int i;
     switch (get_storage_driver_type()) {
         case OVERLAYFS: {
             char *regex_match_result = (char *) malloc(512 * sizeof(char));
-            for (int i = 0; i < 1024; i++) {
+            for (i = 0; i < 1024; i++) {
                 if (mounts_info[i] != NULL) {
                     if (strcmp(mounts_info[i]->mnt_type, "overlay") == 0) {
                         regex_util(mounts_info[i]->mnt_opts, ".*?perdir=(.*?),", regex_match_result);
@@ -103,7 +104,7 @@ void get_container_path_in_host(char *container_path_in_host) {
         }
         case DEVICE_MAPPER: {
             char *regex_match_result = (char *) malloc(512 * sizeof(char));
-            for (int i = 0; i < 1024; i++) {
+            for (i = 0; i < 1024; i++) {
                 if (mounts_info[i] != NULL) {
                     if (strstr(mounts_info[i]->mnt_fsname, "/dev/mapper/docker")) {
                         regex_util(mounts_info[i]->mnt_fsname, "dev/mapper/docker-[0-9]*:[0-9]*-[0-9]*-(.*)",
@@ -124,7 +125,7 @@ void get_container_path_in_host(char *container_path_in_host) {
             break;
         }
         case VFS: {
-            for (int i = 0; i < 1024; i++) {
+            for (i = 0; i < 1024; i++) {
                 if (mounts_info[i] != NULL) {
                     if (strstr(mounts_info[i]->mnt_opts, "/var/lib/docker/vfs")) {
                         strcpy(container_path_in_host, mounts_info[i]->mnt_opts);
@@ -139,7 +140,7 @@ void get_container_path_in_host(char *container_path_in_host) {
         }
         case ZFS: {
             char *regex_match_result = (char *) malloc(512 * sizeof(char));
-            for (int i = 0; i < 1024; i++) {
+            for (i = 0; i < 1024; i++) {
                 if (mounts_info[i] != NULL) {
                     if (strcmp(mounts_info[i]->mnt_type, "zfs") == 0) {
                         regex_util(mounts_info[i]->mnt_fsname, "/([a-z0-9]*$)", regex_match_result);
@@ -161,7 +162,7 @@ void get_container_path_in_host(char *container_path_in_host) {
             char *regex_match_result = (char *) malloc(512 * sizeof(char));
             char *si_id = (char *) malloc(512 * sizeof(char));
             char *aufs_read_path = (char *) malloc(512 * sizeof(char));
-            for (int i = 0; i < 1024; i++) {
+            for (i = 0; i < 1024; i++) {
                 if (mounts_info[i] != NULL) {
                     if (strcmp(mounts_info[i]->mnt_type, "aufs") == 0) {
                         regex_util(mounts_info[i]->mnt_opts, "si=([a-z0-9]*),", si_id);
@@ -190,7 +191,7 @@ void get_container_path_in_host(char *container_path_in_host) {
         }
         case BTRFS: {
             char *regex_match_result = (char *) malloc(512 * sizeof(char));
-            for (int i = 0; i < 1024; i++) {
+            for (i = 0; i < 1024; i++) {
                 if (mounts_info[i] != NULL) {
                     if (strcmp(mounts_info[i]->mnt_type, "btrfs") == 0) {
                         regex_util(mounts_info[i]->mnt_opts, "subvol=(/btrfs/subvolumes/[a-z0-9]{64})",

diff --git a/exploits/devices_allow.c b/exploits/devices_allow.c
@@ -97,6 +97,7 @@ int device_allow_reverse() {
 }
 
 int device_allow_shell() {
+    int x;
     printf_wrapper(INFO, "Chroot to %s\n", device_allow_attack_info.host_filesystem_mount_path);
     int fd = open(".", O_RDONLY);
     if (chroot(device_allow_attack_info.host_filesystem_mount_path) != 0) {
@@ -118,7 +119,7 @@ int device_allow_shell() {
         printf_wrapper(ERROR, "fchdir to container root failed\n");
     }
     close(fd);
-    for (int x = 0; x < 1024; x++) {
+    for (x = 0; x < 1024; x++) {
         chdir("..");
     }
     chroot(".");

diff --git a/util/mount_info.c b/util/mount_info.c
@@ -2,7 +2,7 @@
 // Created by FlagT on 2022/7/10.
 //
 
-#include <bits/types/FILE.h>
+// #include <bits/types/FILE.h>
 #include <mntent.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -36,4 +36,4 @@ int load_mount_info(char *path, struct mntent *mounts_info[]) {
     }
     endmntent(mounts_file);
     return count;
-}
+}
diff --git a/util/random_str.c b/util/random_str.c
@@ -8,13 +8,14 @@
 #include <stdlib.h>
 
 void rand_string(char *str, size_t size) {
+    size_t n;
     const char charset[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456";
     if (size) {
         --size;
-        for (size_t n = 0; n < size; n++) {
+        for (n = 0; n < size; n++) {
             int key = (int) random() % (int) (sizeof charset - 1);
             str[n] = charset[key];
         }
         str[size] = '\0';
     }
-}
+}