likekabin/CVE-2019-5736

Usage

Edit HOST inside payload.c, compile with make. Start nc and run pwn.sh inside the container.

Notes

  • This exploit is destructive: it'll overwrite the /usr/bin/docker-runc binary on the host with the payload. It'll also overwrite /bin/sh inside the container.
  • Tested only on Debian 9.
  • No attempts were made to make it stable or reliable; it's only tested to work when a docker exec <id> /bin/sh is issued on the host.

The original commit I used to write the exploit is here.

The researchers who actually found the vulnerability have published a writeup here.

I've added the original exploit CVE_2019_5736_tar_xz which works differently than mine. Thanks to cyphar for pointing me to it.
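
A host-side integrity check for the overwrite described in the Notes above, as an added example that is not part of this repository: it records a SHA-256 baseline of the runtime binary and reports any later change. The baseline location and the function names are assumptions; /usr/bin/docker-runc is the path named in the Notes.

```shell
#!/bin/sh
# Added example: detect replacement of the container runtime binary on the host.
# Run on the host, never inside a container.

# Path named in the Notes above; add other runtime paths separated by spaces.
RUNC_PATHS="${RUNC_PATHS:-/usr/bin/docker-runc}"
# Hypothetical baseline location (assumption); keep it root-only or off-host.
BASELINE="${BASELINE:-/var/lib/runc-integrity/baseline.sha256}"

# record_baseline FILE...: store the SHA-256 of each file that exists.
# Run it right after installing or upgrading the runtime package.
record_baseline() {
    mkdir -p "$(dirname "$BASELINE")"
    rm -f "$BASELINE"
    (
        umask 077
        for f in "$@"; do
            if [ -f "$f" ]; then sha256sum "$f"; fi
        done > "$BASELINE"
    )
}

# check_baseline: returns 0 if every file still matches, 1 if any file
# changed or disappeared (offending lines are printed), 2 if no baseline.
check_baseline() {
    [ -s "$BASELINE" ] || return 2
    # LC_ALL=C keeps the "OK"/"FAILED" markers untranslated.
    bad=$(LC_ALL=C sha256sum -c "$BASELINE" 2>/dev/null | grep -v ': OK$' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Command-line entry point: "record" or "check"; no argument does nothing.
case "${1:-}" in
    record) record_baseline $RUNC_PATHS ;;
    check)  check_baseline ;;
esac
```

Run the check on a schedule and alert on exit status 1; a status of 2 means the baseline itself is missing and should be treated as a finding too.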
