arinerron / cve-2022-0847-dirtypipe-exploit Goto Github PK

A root exploit for CVE-2022-0847 (Dirty Pipe)

License: GNU General Public License v2.0

Shell 0.69% C 99.31%

cve-2022-0847-dirtypipe-exploit's Introduction

What is this

This is Max Kellermann's proof of concept for Dirty Pipe, but modified to overwrite root's password field in /etc/passwd and restore after popping a root shell.

Side Note: I do not claim any credit for finding this vulnerability or writing the proof of concept. This exploit is merely a small modification of Kellermann's proof of concept to enable quick/easy exploitation. Please read the original article on this extremely interesting vulnerability @ https://dirtypipe.cm4all.com/ when you get the opportunity. It really does deserve your time to understand it.

How to use this

Compile with ./compile.sh (assumes gcc is installed)
Run ./exploit and it'll pop a root shell

su: must be run from a terminal

If you get this error message:

Login as root with the password aaron.
Then, restore /etc/passwd by running mv /tmp/passwd.bak /etc/passwd

(oops sorry my laptop battery is dying and my charger broke so I don't have time to fix this the right now, sorry)

cve-2022-0847-dirtypipe-exploit's People

Contributors

Stargazers

Watchers

Forkers

mixobixo7 memuratozturk p2-98 andrey888888 renjunfeng scopion 419066074 raztyn godzeo redteam-site alphabugx kvi74 jeromeyoung xbalien steward007 ezioz asura88 tongchengbin reposities bdragonh sneakyturt1e toolsec yanshu911 fyyyyyy incorrectk fbwfbi hackerxj007 jungerschwarz lovelj520 qianniaoge scriptidiot uzju eagleatman fengjixuchui getcode2git fb-sec ssssdl int2ecall buzashop1998 oneoy sbkrepof ykankaya listenquiet zarathustra-skip gha193 conanjun developer191 asnblock crackercat arryboom p65c fuck123fuckabc mytfx ttstormxx im-hanzou aishou rickycga zzhsec y11en jxpsx obiwahn-abandoned terrisgo zeusbox plainee sven-hash raphhael sesyi ls95 brinhosa silentmargins sukusec301 el-corsario g-gini infernalheaven benv666 mrchucu1 meowwbox kakoulis p0intsec jermainlaforce nizar0x1f m3t4lw1z4rd dutchcyberguy f8al tilt41 johanchen elliot-bia zzzzfeng fbion heyzm vest12385 a1124510616 dlangman shutupandhack-club simontrek leekeey techsd huifeidebaba stkeeper jenxp

cve-2022-0847-dirtypipe-exploit's Issues

Does not work on Redhat 7.

Tested on a vanilla VM and a configured image, both running Redhat 7.
Authentication fails for both, so the exploit does not work.

Note: Any claims that CrowdStrike allows this exploit are 100% false.

Doesn't work on 5.15.0-89-generic

Backing up /etc/passwd to /tmp/passwd.bak ...
Setting root password to "aaron"...
Password: aaron
su: Authentication failure

Not worked

Does not work on Mint Linux

uname -a
Linux 39 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
head -n1 /etc/passwd
root: x:0:0:root:/root:/bin/bash

execv failed because argv is not terminated with NULL

in exploit.c,
execv will fail, because argv is not terminated with NULL
char *argv[] = {"/bin/sh", "-c", "(echo aaron; cat) | su - -c \"" "echo \\\"Restoring /etc/passwd from /tmp/passwd.bak...\\\";" "cp /tmp/passwd.bak /etc/passwd;" "echo \\\"Done! Popping shell... (run commands now)\\\";" "/bin/sh;" "\" root"}; execv("/bin/sh", argv);
it should be:
char *argv[] = {"/bin/sh", "-c", "(echo aaron; cat) | su - -c \"" "echo \\\"Restoring /etc/passwd from /tmp/passwd.bak...\\\";" "cp /tmp/passwd.bak /etc/passwd;" "echo \\\"Done! Popping shell... (run commands now)\\\";" "/bin/sh;" "\" root", NULL}; execv("/bin/sh", argv);

Su error

su: must be run from a terminal
If I got this error message, how can I deal with this problem?

Not work

ENV:
#cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

#uname -a
Linux xxx 4.15.0-147-generic #151-Ubuntu SMP Fri Jun 18 19:21:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

test@xxx:~/CVE-2022-0847-DirtyPipe-Exploit$ ./exploit
Backing up /etc/passwd to /tmp/passwd.bak ...
Setting root password to "aaron"...
system() function call seems to have failed :(

CVE-2021-39809

This is a CVE that allows for our of bounds read. Please attempt to create an exploit for this one to get a full filesystem backup or disk image backup of an unrooted Android device. Works on all versions of Android, unlike this one which works only on snow cone. This has potential for full backup of data so the user feels good to unlock the bootloader and enjoy the root.

Doesn't work on Raspberry Pi

Works well on Ubuntu (kernel 5.8.0-63-generic) but doesn't work on Raspberry Pi details below;

Linux raspberrypi 5.10.17-v7l+ #1414 SMP Fri Apr 30 13:20:47 BST 2021 armv7l GNU/Linux

When run it just hangs here;

Backing up /etc/passwd to /tmp/passwd.bak ...

and the file gets really big, way beyond what it should be (there are less than 20 users);

-rw-r--r-- 1 pi pi 665M Feb 1 18:50 /tmp/passwd.bak

If I don't kill it, I think it would just keep running until the Pi is outta space. Any thoughts what could fix it?