A collection of exploits and documentation that can be used to exploit the Linux Dirty Pipe vulnerability.

C 99.46% Shell 0.54%

cve-2022-0847-dirtypipe-exploits's Introduction

CVE-2022-0847-DirtyPipe-Exploits

A collection of exploits and documentation for penetration testers and red teamers that can be used to aid the exploitation of the Linux Dirty Pipe vulnerability.

About The Vulnerability

Dirty Pipe (CVE-2022-0847) is a local privilege escalation vulnerability in the Linux kernel that could potentially allow an unprivileged user to do the following:
- Modify/overwrite arbitrary read-only files like /etc/passwd.
- Obtain an elevated shell.

Affected versions

Linux kernel versions newer than 5.8 are affected.
So far the vulnerability has been patched in the following Linux kernel versions:
- 5.16.11
- 5.15.25
- 5.10.102
You can learn more about the vulnerability here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847

DirtyPipe Vulnerability Scanner

If you are not sure if a target system is vulnerable, use this really cool bash script developed by @basharkey.
DirtyPipe Checker: https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker

Compiling the exploit

An automated compiler bash script has been provided to you to automate the compilation of both exploits.
In order to compile the exploit succesfully, you will need to have GCC installed.

sudo apt-get install gcc

After installing GCC, you can run the 'compile.sh" script as follows:

chmod +x compile.sh

./compile.sh

Exploit-1 - Modifying/overwriting read only files

This repo contains 2 exploits, the 'exploit-1.c' exploit can be used to modify or overwrite arbitrary read only files.
This exploit is a proof of concept that was developed by Max Kellermann and has been modified to change the root password in the /etc/passwd file, consequently providing you with access to an elevated shell.

Running the exploit binary

The exploit code has already been configured to replace the root password with the password "piped" and will take a backup of the /etc/passwd file under /tmp/passwd.bak. Furthermore, the exploit will also provide you with an elevated root shell and will restore the original passwd file when done.

./exploit-1

Exploit-2 - Hijacking SUID binaries

This exploit can be used to inject and overwrite data in read-only SUID process memory that run as root.

Finding SUID binaries

find / -perm -4000 2>/dev/null

Running the exploit binary

./exploit-2 /usr/bin/sudo

Important Note

I do not claim credit/ownership/disclosure of the vulnerability and all corresponding exploits hosted in this GitHub repo.
All the credit goes to the awesome Max Kellerman, you can check out the official disclosure here: https://dirtypipe.cm4all.com/

Credits

cve-2022-0847-dirtypipe-exploits's People

Contributors

Stargazers

Watchers

Forkers

redhwan2020 vertuzero9 gr33n37 nicosmash gobolappa tahidur mikekozlowicz chengcheng227 arnotic helkyd ykankaya inth3wild lord-dydx ron7 nemesis545 sapphire41 d4ni3ltw asdlei99 olivecasazza moussaouib crackercat giochoa dawarabbasi dev0x41 avijneyam tadryanom ninad1431 parrotassassin15 argonauta666 singularidad gladiopeace jy05un scriptidiot wqds12cs fdlucifer marakovalcik anarcypher amerdad marciopocebon cihuuy lunsovathana hklsb abandonedship srampv eaagteam hridhoy aels hkzck x0rr-dan 30579096 ocdbytes mangeshmatke9 jlabayna wkc41511 r3tr0m0rf0 fengjixuchui bb33bb 00xph4ntom xtiankisutsa leonnis12 dievus cifer-sudo ox1111 michaelkasede stollander33 geeede marcodaum zycoder0day im-hanzou realradioactive sudans1109 linulinu ghkdtlwns987 jej2660 beike2020 th3blackst0rk jiazheeeee neopi420 goddest majicmike woznicaoliver kalikex1 ikpehlivan evilc0d3rh4ck3r 5l1v3r1 n3k7ar91 markismus victornor trilin6 litobro xiaokanghub soez limitinit vaginessa vincss-pentest jenxp harshabidrae97 xnightganzzz ceiysbennova aruncs31s

cve-2022-0847-dirtypipe-exploits's Issues

Compile error

exploit-1.c: In function 'prepare_pipe':
exploit-1.c:49:41: error: 'F_GETPIPE_SZ' undeclared (first use in this function)
const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
^~~~~~~~~~~~
exploit-1.c:49:41: note: each undeclared identifier is reported only once for each function it appears in
exploit-1.c: In function 'main':
exploit-1.c:96:2: error: unknown type name 'loff_t'; did you mean 'lloff_t'?
loff_t offset = 4; // after the "root"
^~~~~~
lloff_t
exploit-1.c:106:8: error: unknown type name 'loff_t'
const loff_t next_page = (offset | (PAGE_SIZE - 1)) + 1;
^~~~~~
exploit-1.c:107:8: error: unknown type name 'loff_t'
const loff_t end_offset = offset + (loff_t)data_size;
^~~~~~
exploit-1.c:107:38: error: 'loff_t' undeclared (first use in this function); did you mean 'lloff_t'?
const loff_t end_offset = offset + (loff_t)data_size;
^~~~~~
lloff_t
exploit-1.c:107:45: error: expected ',' or ';' before 'data_size'
const loff_t end_offset = offset + (loff_t)data_size;
^~~~~~~~~
exploit-1.c:146:19: warning: implicit declaration of function 'splice'; did you mean 'stime'? [-Wimplicit-function-declaration]
ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
^~~~~~
stime
exploit-2.c: In function 'prepare_pipe':
exploit-2.c:102:44: error: 'F_GETPIPE_SZ' undeclared (first use in this function)
const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
^~~~~~~~~~~~
exploit-2.c:102:44: note: each undeclared identifier is reported only once for each function it appears in
exploit-2.c: In function 'hax':
exploit-2.c:143:22: warning: implicit declaration of function 'splice'; did you mean 'stime'? [-Wimplicit-function-declaration]
ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0);
^~~~~~

Exploits not working on "vulnerable" machine.

Hi,

After watching your video on this exploit I wanted to see if it would work on the bandit machines from the overthewire challenges. Even though the dirty pipe checker says its vulnerable since the version is 5.15.0, when I run exploit 1 it says system() function failed and when I run exploit 2 it says /tmp/sh: permission denied. I've included a screenshot below. Any idea what's causing this? This machine should be vulnerable but its not working so did the guys from bandit labs somehow fix this without updating the kernel?

Thx!

Exploit

Compile Issue for F_GETPIPE_SZ

exploit-1.c: In function 'prepare_pipe':
exploit-1.c:49:48: error: 'F_GETPIPE_SZ' undeclared (first use in this function)
49 | const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
| ^~~~~~~~~~~~
exploit-1.c:49:48: note: each undeclared identifier is reported only once for each function it appears in
exploit-2.c: In function 'prepare_pipe':
exploit-2.c:102:44: error: 'F_GETPIPE_SZ' undeclared (first use in this function)
102 | const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ);
| ^~~~~~~~~~~~
exploit-2.c:102:44: note: each undeclared identifier is reported only once for each function it appears in

System() fucntion call seems to have failed :(

when running the command ./exploit-1, there seems to be an output saying that sys call failed

alexisahmed / cve-2022-0847-dirtypipe-exploits Goto Github PK

cve-2022-0847-dirtypipe-exploits's Introduction

CVE-2022-0847-DirtyPipe-Exploits

About The Vulnerability

Affected versions

DirtyPipe Vulnerability Scanner

Compiling the exploit

Exploit-1 - Modifying/overwriting read only files

Running the exploit binary

Exploit-2 - Hijacking SUID binaries

Finding SUID binaries

Running the exploit binary

Important Note

Credits

cve-2022-0847-dirtypipe-exploits's People

Contributors

Stargazers

Watchers

Forkers

cve-2022-0847-dirtypipe-exploits's Issues

Recommend Projects

Recommend Topics

Recommend Org