Skip to content

scumjr/dirtycow-vdso

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits

tools

tools

 
 

.gitignore

.gitignore

 
 

0xdeadbeef.c

0xdeadbeef.c

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

payload.s

payload.s

 
 

Repository files navigation

0xdeadbeef

PoC for Dirty COW (CVE-2016-5195).

This PoC relies on ptrace (instead of /proc/self/mem) to patch vDSO. It has a few advantages over PoCs modifying filesystem binaries:

  • no setuid binary required
  • SELinux bypass
  • container escape
  • no kernel crash because of filesystem writeback

And a few cons:

  • architecture dependent (since the payload is written in assembly)
  • doesn't work on every Linux version
  • subject to vDSO changes

Payload

The current payload is almost the same as in The Sea Watcher and is executed whenever a process makes a call to clock_gettime(). If the process has root privileges and /tmp/.x doesn't exist, it forks, creates /tmp/.x and finally creates a TCP reverse shell to the exploit. It isn't elegant but it could be used for container escape.

TODO

  • payload improvement
  • release of the tool for vDSO payloads testing

Detecting if vDSO is successfuly patched isn't bulletproof. During the restore step, the vDSO is effectively restored but the exploit fails to report it correctly. Indeed, the vDSO changes don't seem to affect the exploit process.

About

PoC for Dirty COW (CVE-2016-5195)

Resources

Readme

License

MIT license
Activity

Stars

477 stars

Watchers

21 watching

Forks

146 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages