0xdeadbeef

PoC for Dirty COW (CVE-2016-5195).

This PoC uses ptrace writes instead of writes to /proc/self/mem to win the Dirty COW race and patch the vDSO, which is mapped read-only into every process on the system. It has a few advantages over PoCs that modify binaries on the filesystem:

  • no setuid binary required
  • SELinux bypass
  • container escape (the patched vDSO is shared with processes outside the container)
  • no kernel crash caused by filesystem writeback, since no file-backed page is dirtied

And a few cons:

  • architecture dependent (the payload is written in assembly)
  • doesn't work on every Linux version
  • breaks when the vDSO layout changes between kernel versions

Payload

The current payload is almost the same as the one in The Sea Watcher. Because it lives in the vDSO, it runs every time any process calls clock_gettime(). If the calling process has root privileges and /tmp/.x doesn't exist, it forks, creates /tmp/.x (so it fires only once) and finally opens a TCP reverse shell back to the exploit. It isn't elegant, but it is enough for a container escape.

TODO

  • payload improvement
  • release of the tool for vDSO payloads testing

Detecting whether the vDSO was successfully patched isn't bulletproof. During the restore step the vDSO is effectively restored, but the exploit fails to report it correctly: the vDSO changes don't seem to be visible from the exploit process itself.
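One way around that blind spot is to verify the patch from a different process's point of view rather than from the exploit's own mapping. The checker below is an added example written for this README; it is not part of this PoC. It resolves the vDSO's clock_gettime entry point in the caller's own image through AT_SYSINFO_EHDR and the DT_HASH symbol table, then reads the same image offset from a target process via /proc/<pid>/maps and /proc/<pid>/mem and compares the bytes. Since every process maps the same vDSO image (at a different ASLR base), the offset of the function from the image start is constant, which is what makes the cross-process comparison valid. The export names (__vdso_clock_gettime on x86-64, __kernel_clock_gettime on arm64) and the 16-byte compare window are assumptions; reading another pid's memory requires ptrace permission over it.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <fcntl.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Resolve `name` in the vDSO ELF image at `base` by walking PT_DYNAMIC for
 * DT_SYMTAB/DT_STRTAB/DT_HASH (the scheme the kernel selftest parse_vdso.c uses).
 * Stores the symbol's offset from the image start in *off; 1 = found, 0 = not. */
static int vdso_sym_offset(uintptr_t base, const char *name, size_t *off)
{
    const ElfW(Ehdr) *eh = (const ElfW(Ehdr) *)base;
    if (!base || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0)
        return 0;
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *)(base + eh->e_phoff);
    const ElfW(Dyn) *dyn = NULL;
    uintptr_t load_off = 0;            /* link-time vaddr -> runtime address */
    int have_load = 0;
    for (int i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type == PT_LOAD && !have_load) {
            load_off = base + ph[i].p_offset - ph[i].p_vaddr;
            have_load = 1;
        } else if (ph[i].p_type == PT_DYNAMIC) {
            dyn = (const ElfW(Dyn) *)(base + ph[i].p_offset);
        }
    }
    if (!dyn || !have_load)
        return 0;
    const ElfW(Sym) *symtab = NULL;
    const char *strtab = NULL;
    const ElfW(Word) *hash = NULL;     /* nbucket, nchain, buckets[], chains[] */
    for (; dyn->d_tag != DT_NULL; dyn++) {
        if (dyn->d_tag == DT_SYMTAB) symtab = (const ElfW(Sym) *)(dyn->d_un.d_ptr + load_off);
        if (dyn->d_tag == DT_STRTAB) strtab = (const char *)(dyn->d_un.d_ptr + load_off);
        if (dyn->d_tag == DT_HASH)   hash = (const ElfW(Word) *)(dyn->d_un.d_ptr + load_off);
    }
    if (!symtab || !strtab || !hash)
        return 0;
    for (ElfW(Word) i = 0; i < hash[1]; i++) {   /* nchain == number of symbols */
        if (symtab[i].st_shndx != SHN_UNDEF && strcmp(strtab + symtab[i].st_name, name) == 0) {
            *off = (size_t)(symtab[i].st_value + load_off - base);
            return 1;
        }
    }
    return 0;
}
/* Read `len` bytes at image offset `off` of pid's [vdso] mapping through
 * /proc/<pid>/maps and /proc/<pid>/mem (another pid needs ptrace access to it;
 * our own pid always works). Returns 0 on success, -1 otherwise. */
static int read_vdso_of(pid_t pid, size_t off, void *buf, size_t len)
{
    char path[64], line[512];
    unsigned long start = 0, end = 0;
    int found = 0;
    snprintf(path, sizeof path, "/proc/%d/maps", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    while (!found && fgets(line, sizeof line, f))
        found = strstr(line, "[vdso]") != NULL && sscanf(line, "%lx-%lx", &start, &end) == 2;
    fclose(f);
    if (!found || off + len > end - start)
        return -1;
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = -1;
    if (lseek(fd, (off_t)(start + off), SEEK_SET) != (off_t)-1)
        n = read(fd, buf, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}
/* Compare the first `len` bytes (max 64) of the vDSO clock_gettime entry point as
 * mapped in `pid` against our own copy. 1 = identical, 0 = differ (one side sees
 * a patched vDSO), -1 = no vDSO, symbol not exported, or target not readable. */
int vdso_clock_gettime_matches(pid_t pid, size_t len)
{
    /* assumed export names: x86-64 uses the first, arm64 the second */
    static const char *names[] = { "__vdso_clock_gettime", "__kernel_clock_gettime" };
    uintptr_t base = (uintptr_t)getauxval(AT_SYSINFO_EHDR);
    unsigned char ours[64], theirs[64];
    size_t off = 0;
    int found = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0] && !found; i++)
        found = vdso_sym_offset(base, names[i], &off);
    if (!found || len > sizeof ours || read_vdso_of(pid, off, theirs, len) != 0)
        return -1;
    memcpy(ours, (const void *)(base + off), len);
    return memcmp(ours, theirs, len) == 0;
}
int main(int argc, char **argv)
{
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
    int r = vdso_clock_gettime_matches(pid, 16);
    printf("pid %d: %s\n", (int)pid, r < 0 ? "cannot compare vDSO" :
           r ? "clock_gettime entry matches ours" : "clock_gettime entry DIFFERS (patched?)");
    return r < 0 ? 2 : !r;
}
```

Run it with the pid of a process that the exploit did not touch (a shell in another container works well, provided you have ptrace access to it). A mismatch means one of the two processes sees a patched entry point; a match after the restore step is the confirmation the exploit's own self-check cannot give, because the checker here never consults the mapping that took part in the race.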
