# CVE-2024-3094 SSH Backdoor Container Env

This is an environment running CVE-2024-3094 sshd backdoor instance, working with this exploit: 

## Experiments

### Test in Docker

IT IS NOT a Docker container. I had tried making this vulnerability env with docker but failed:

1. xzbot not working inside it.
2. manually build docker image's filesystem from scratch with the dependence totally same as which have been successfully exploited with xzbot on an Ubuntu VM host: xzbot exploit still failed.

I doubt that it was related to systemd, cus all the ways I tried inside docker that spawning SSHD were running from cmdline, not systemd.

### Test in Host

Follow up on, I tested with experiment: On the VM machine where sshd(systemd) has been successfully exploited with xzbot, I directly lauched `/sbin/sshd -D -e -p 2024` with replaced, and the xzbot
exploitation failed, which indicates that it may be highly related to systemd.

### Test in Host with systemd

I gave up docker cus it's little complex running sshd from systemd inside docker.

Finally I extracted the minimized file system from my VM, and made it to a mini container based on chroot, which can easily run on host namespace with systemd.

It works both on my VM environment and another environment, which makes xzbot exploitation success.

I haven't figure out the principle, but anyway I organized the environment in this project for research.

## Usage

### Env Compose

`./` at root dir of this project.

### Env Remove

`./` at root dir of this project.

### Exploit

`./xzbot -addr -cmd 'whoami > /hello'`, and you can see file named `hello` below `env_fs` if exploit successful.

## Other Statement

### How is the Exploitation provides a nice tool, and it patched the with own pubkey, making it accessible. Turn to xzbot project for details.

Our mini file system contains the default patched lzma so file of xzbot. And a `xzbot` executable binary was compiled staticlly here. You can just `./xzbot -addr -cmd 'whoami > /hello'` for testing.

### How it works

A systemd xzback.service file will be dynamically deployed to `/etc/systemd/system/` on your host.

And xzback.service will starts with chroot to our mini file system, with no more influence on host file system.