Skip to content

giuliocandre/dirtycow-vdso

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

0xdeadbeef

PoC for Dirty COW (CVE-2016-5195).

This PoC relies on ptrace (instead of /proc/self/mem) to patch vDSO. It has a few advantages over PoCs modifying filesystem binaries:

  • no setuid binary required
  • SELinux bypass
  • container escape
  • no kernel crash because of filesystem writeback

And a few cons:

  • architecture dependent (since the payload is written in assembly)
  • doesn't work on every Linux version
  • subject to vDSO changes

Payload

The current payload is almost the same as in The Sea Watcher and is executed whenever a process makes a call to clock_gettime(). If the process has root privileges and /tmp/.x doesn't exist, it forks, creates /tmp/.x and finally creates a TCP reverse shell to the exploit. It isn't elegant but it could be used for container escape.

TODO

  • payload improvement
  • release of the tool for vDSO payloads testing

Detecting if vDSO is successfuly patched isn't bulletproof. During the restore step, the vDSO is effectively restored but the exploit fails to report it correctly. Indeed, the vDSO changes don't seem to affect the exploit process.

About

PoC for Dirty COW (CVE-2016-5195)

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 77.9%
  • Assembly 20.5%
  • Makefile 1.6%