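# CVE-2019-13132 lab — CURVE INITIATE stack overflow → RCE.
#
# Build: docker build --platform linux/amd64 -t cve-2019-13132-lab .
# Run  : docker run --rm -it --platform linux/amd64 --privileged \
#            -p 127.0.0.1:5556:5556 cve-2019-13132-lab
#
# --privileged — needed to flip /proc/sys/kernel/randomize_va_space.
#   That sysctl is kernel-wide, not per-container: writing it from the
#   privileged container changes ASLR for the whole Docker host (or the
#   Docker Desktop VM), and the change outlives the container. Use a
#   disposable VM and restore the previous value afterwards (2 is the
#   usual default).
# -p 127.0.0.1:5556:5556 — publish on loopback only. The server is
#   intentionally exploitable and the container is privileged, so a plain
#   -p 5556:5556 would expose it on every host interface.
#
# This image is a deliberately weakened target (no stack canary, no PIE,
# executable stack). Do not use it as a base image or push it to a shared
# registry.

# amd64 is forced so the build matches the platform named in the commands
# above. debian:12 is a moving tag; pin it by digest if the lab must rebuild
# identically.
FROM --platform=linux/amd64 debian:12

# Toolchain, Python, and debugging tools used inside the lab container.
RUN apt-get update && apt-get install -y --no-install-recommends \
        binutils \
        build-essential \
        ca-certificates \
        cmake \
        gdb \
        git \
        less \
        netcat-openbsd \
        pkg-config \
        procps \
        python3 \
        python3-pip \
        python3-venv \
        vim \
    && rm -rf /var/lib/apt/lists/*

# PyNaCl goes into a venv, not the system Python. The version is not pinned
# (whatever PyPI serves at build time is installed); pin it for repeatable
# builds. --no-cache-dir keeps pip's download cache out of the layer.
RUN python3 -m venv /opt/venv && /opt/venv/bin/pip install --no-cache-dir pynacl
ENV PATH="/opt/venv/bin:$PATH"
ENV LAB_ROOT=/opt/zmq-curve-rce
WORKDIR /opt

# Lab sources and helper scripts from the build context.
COPY server-curve.c \
     exploit.py \
     calibrate.sh \
     compute_offsets.py \
     start_server.sh \
     run_lab_test.sh \
     entrypoint.sh \
     /opt/lab/
RUN chmod +x /opt/lab/*.sh /opt/lab/*.py

# Clone vulnerable libzmq 4.3.0.
# The tag is resolved at build time and there is no integrity check on the
# checkout; compare the cloned commit with a trusted hash if provenance
# matters.
RUN git clone --depth 1 --branch v4.3.0 \
        https://github.com/zeromq/libzmq.git "$LAB_ROOT/src"

# Build libzmq: no canary, executable stack for shellcode.
# -S/-B configure out-of-tree without `cd`; make -C builds in that directory.
RUN cmake -S "$LAB_ROOT/src" -B "$LAB_ROOT/src/build" \
        -DCMAKE_C_FLAGS="-O0 -g -fno-stack-protector" \
        -DCMAKE_CXX_FLAGS="-O0 -g -fno-stack-protector" \
        -DCMAKE_SHARED_LINKER_FLAGS="-z execstack" \
        -DBUILD_TESTS=OFF \
        -DBUILD_STATIC=OFF \
        -DENABLE_DRAFTS=OFF \
        -DWITH_PERF_TOOL=OFF \
    && make -C "$LAB_ROOT/src/build" -j"$(nproc)"

# Build vulnerable server: no canary, no PIE, executable stack.
# The rpath makes the binary load the libzmq built above.
RUN gcc -O0 -g -fno-stack-protector -fno-pie -no-pie -z execstack \
        /opt/lab/server-curve.c \
        -I "$LAB_ROOT/src/include" \
        -L "$LAB_ROOT/src/build/lib" \
        -lzmq -Wl,-rpath,"$LAB_ROOT/src/build/lib" \
        -o "$LAB_ROOT/server-curve"

# Pre-compute static offsets from the build artifacts.
RUN python3 /opt/lab/compute_offsets.py "$LAB_ROOT/build_offsets.json"

# Put the runnable scripts next to the server binary. The /opt/lab copies
# are kept.
RUN cp /opt/lab/exploit.py \
       /opt/lab/calibrate.sh \
       /opt/lab/start_server.sh \
       /opt/lab/run_lab_test.sh \
       /opt/lab/entrypoint.sh \
       "$LAB_ROOT"/

EXPOSE 5556

# No USER directive: the container runs as root. The header says the lab
# writes /proc/sys/kernel/randomize_va_space, which needs root; presumably
# entrypoint.sh does this (not shown here; confirm).
# Exec form does no variable expansion, so this path must match LAB_ROOT.
ENTRYPOINT ["/opt/zmq-curve-rce/entrypoint.sh"]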