One-Liner to Detect DirtyCOW Code
#!/bin/bash
# - Matches on source and compiled code
# - Searches in user home directories by default
# - Detects certain strings in files smaller than 300 kbyte
# - Does not print anything if nothing was found
# - Appends the modification time stamp of each matching file, a good indicator for spotting false positives
# - Should work on most Linux systems with bash
# Old version
# for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(strings -a "$f" 2> /dev/null | egrep "/proc/(self|%d)/(mem|maps)") != "" ]];then m=$(stat -c %y $f); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;
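# NUL-delimited find output keeps file names with spaces intact; -size -300k means 300 KiB (a bare -300 counts 512-byte blocks)
find /home/ -type f -size -300k -print0 2> /dev/null | while IFS= read -r -d '' f; do if grep -aqE "/proc/(self|%d)/(mem|maps)" "$f" 2> /dev/null; then m=$(stat -c %y "$f"); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done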

Filenames with spaces will break this script. Try:
for f in $(find /home/ -type f -size -300 2> /dev/null); do if [[ $(egrep "/proc/(self|%d)/(mem|maps)" "$f") != "" ]];then m=$(stat -c %y "$f"); echo "Contains DirtyCOW string: $f MOD_DATE: $m"; fi; done;

Owner
Neo23x0 commented Oct 24, 2016

Thanks - just updated

A small note: This tool gives you a false negative if your /home folder contains no users or file content (as is relatively common on servers).

Also, this must probably be run as a regular user. Running it as root is a silly way to test if you can get root. ;)
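
The comments above raise two gaps: file names with spaces and an empty /home. The following is an added example, not the gist author's code, that applies the gist's pattern to any list of directories and hands file names to the inner shell intact. The function name `scan_dirtycow`, the variable `DCOW_PATTERN` and the default directory list are assumptions; GNU find, grep and stat are assumed.

```sh
#!/bin/sh
# Added example: directory-configurable variant of the gist's check.

# Indicator pattern taken from the gist above.
DCOW_PATTERN='/proc/(self|%d)/(mem|maps)'

# scan_dirtycow [DIR...]
# Prints one line per file below 300 KiB that contains the pattern,
# with the matched string and the file's modification time.
scan_dirtycow() {
    # Assumed default locations when no directory is given (not from the gist):
    # home directories plus common world-writable paths.
    [ "$#" -gt 0 ] || set -- /home /root /tmp /var/tmp /dev/shm

    # find passes file names as arguments ({} +), so spaces and newlines
    # in names never go through word splitting.
    find "$@" -type f -size -300k -exec sh -c '
        pattern=$1; shift
        for f in "$@"; do
            # -a: treat binaries as text, -o -m1: first matching string only
            hit=$(grep -aoE -m1 "$pattern" "$f" 2>/dev/null | head -n 1)
            if [ -n "$hit" ]; then
                m=$(stat -c %y "$f")
                printf "Contains DirtyCOW string (%s): %s MOD_DATE: %s\n" "$hit" "$f" "$m"
            fi
        done
    ' sh "$DCOW_PATTERN" {} + 2>/dev/null
}

# When directories are given on the command line, scan them.
if [ "$#" -gt 0 ]; then
    scan_dirtycow "$@"
fi
```

A match is only a string indicator: as with the original one-liner, the time stamp and the file itself still need a manual look.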
