Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-0847 PoC — Linux kernel 安全漏洞

Source
https://github.com/morgenm/dirtypipe
Associated Vulnerability
Title:Linux kernel 安全漏洞 (CVE-2022-0847)
Description:Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel 存在安全漏洞,该漏洞源于新管道缓冲区结构的“flag”变量在 Linux 内核中的 copy_page_to_iter_pipe 和 push_pipe 函数中缺乏正确初始化。非特权本地用户利用该漏洞可以提升权限至root。以下产品和版本受到影响:Linux Kernel 5.8-5.16.11、5.8-5.15.25、5.8-5.10.102。
Description
DirtyPipe (CVE-2022-0847) exploit written in Rust
Readme
> **DISCLAIMER**
>
> This code is for **educational and research purposes only.** 
>
> Do not use it on systems you do not own or have permission to test.
>
> The author is **not responsible** for any misuse, damage, or legal consequences resulting from the use of this code.

# DirtyPipe (CVE-2022-0847)
View the writeup for this exploit on my [blog](https://morgenm.github.io/blog/2025/dirtypipe/). This is an implementation of the DirtyPipe ([CVE-2022-0847](https://nvd.nist.gov/vuln/detail/cve-2022-0847)) exploit I wrote in Rust based on [Max Kellermann's writeup](https://dirtypipe.cm4all.com/).
The program allows you to overwrite specific files or to overwrite an SUID binary in order to escalate privileges.

## Features
- Check if kernel version is vulnerable
- Overwrite any file with data from specified input file
- Overwrite a SUID binary (default `passwd`) to gain root
- Backup target files to `/tmp` before exploitation

## Usage
### Overwriting a file
First create an input file. The data within this file will be used to overwrite the target. Then, simply run the following:

```bash
./dirtypipe_exploit -m overwrite -i input.txt -o target_file -b offset
```

Where offset is the offset in bytes to begin writing in the file. The offset must not be on a page boundary and writing cannot cros a page boundary, due to the nature of the vulnerability.

### SUID for Privilege Escalation
`SUID` mode will replace a specified SUID binary with a given ELF payload. The `suid` ELF is provided in the release on this repo and will be used by the exploit unless otherwise specified in the options.
Additionally, you can generate this on your own, or modify the payload using the `gen_suid.py` pwntools script and the `loader.asm` file. This option will be discussed below.
The exploit sets the target to `/usr/bin/passwd` by default.

Run the following to replace `/usr/bin/passwd` with the provided payload (spawns a shell as root):
```bash
./dirtypipe_exploit -m suid
```

Then run `/usr/bin/passwd` to get a root shell.

To generate your own payload, follow these steps:
1. Run the `gen_suid.py` script, which uses pwntools to generate a payload (`shellcode.bin`) that spawns a root shell. Modify it as you see fit.
2. Create the ELF binary payload by running `nasm -f bin -o [PAYLOAD_NAME] loader.asm`. This will turn the `shellcode.bin` file into an executable.
3. Run `./dirtypipe_exploit -m suid -i [PAYLOAD_NAME] -o [TARGET_FILE]`.
4. Execute the target to gain root.

Thank you to the author of [STALKR's BLOG](https://blog.stalkr.net/) for the 64-bit Tiny ELF header ([here](https://blog.stalkr.net/2014/10/tiny-elf-3264-with-nasm.html)).
File Snapshot

 [4.0K]  /data/pocs/2699141c78fe6ee67b5a64e2766a9875246666ac
├── [6.0K]  Cargo.lock
├── [ 133]  Cargo.toml
├── [ 265]  gen_suid.py
├── [ 960]  loader.asm
├── [2.6K]  README.md
└── [4.0K]  src
    ├── [2.0K]  exploit.rs
    ├── [2.0K]  helpers.rs
    └── [2.8K]  main.rs

1 directory, 8 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.