Dirty COW
Dirty COW is a local privilege escalation vulnerability in the Linux kernel copy-on-write implementation, tracked as CVE-2016-5195. The flaw is a race condition in mm/gup.c affecting Linux kernel versions 2.x through 4.x before 4.8.3. Due to incorrect handling of copy-on-write for private read-only memory mappings, an unprivileged local user can win the race and write to file-backed mappings that should be read-only. In practice, this allows modification of page cache contents for otherwise read-only files, including root-owned files and setuid executables, and can be leveraged to overwrite targets such as /etc/passwd or privileged binaries to obtain root privileges. The vulnerability was widely reported as having existed for years across most Linux distributions and was exploited in the wild in 2016. It also affected Android systems using vulnerable kernels.
Exploits
19 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (13 hidden).
Repository purpose: a boot2root/CTF-style penetration testing writeup for the BornToSecHackMe VM, including multiple local privilege escalation exploits and helper scripts. Core exploit capability: several C programs implementing the Dirty COW (CVE-2016-5195) 'pokemon' technique (madvise(MADV_DONTNEED) racing with ptrace(PTRACE_POKETEXT) writes to a MAP_PRIVATE read-only mapping) to overwrite privileged files/binaries. Outcomes include:
(1) overwrite /etc/passwd to create/replace a UID 0 user (scripts/dirty.c);
(2) overwrite /etc/crontab to schedule creation of a SUID bash copy at /home/zaz/rootshell (bonus/scripts/dirty_crontab.c);
(3) overwrite a SUID binary (/usr/bin/traceroute6.iputils) with an embedded setuid bash-exec ELF to pop a root shell (bonus/scripts/dirtyc0w_suid_shell.c);
(4) overwrite a local SUID target binary (/home/zaz/exploit_me) with embedded ELF payloads that execute privileged commands when run: restart cron (dirty_crontab_reload.c), add user to sudo group (dirty_usermod.c), add NOPASSWD sudoers include (dirtyc0w_sudoers.c), and establish root SSH persistence by appending an attacker key and modifying sshd_config then restarting ssh (dirtyc0w_ssh.c).
Repository structure:
- README.md: high-level description of the boot2root project and topics covered.
- writeup1.md: main attack chain narrative (network discovery, web exploitation, and a local SUID buffer overflow/ret2libc on /home/zaz/exploit_me). Contains IPs/ports/URLs used during the exercise.
- writeup2.md + bonus/writeup3-7.md: alternative privilege escalation paths focusing on Dirty COW variants and persistence.
- scripts/: dirty.c (Dirty COW /etc/passwd overwrite) plus small Python helpers (concatenate_fun.py to reconstruct a C file from pcap fragments; run_turtle.py to render drawing instructions).
- bonus/scripts/: multiple Dirty COW variants with hardcoded target paths and embedded msfvenom-generated linux/x86/exec ELF payload bytes.
No C2 infrastructure is present; the code is local-only. Network endpoints appear only in markdown writeups as part of the CTF walkthrough.
Repository contains a single C exploit (dirty.c) plus a README. It is an operational local privilege escalation exploit for Dirty COW (CVE-2016-5195) using the classic 'pokemon' technique: it mmaps /etc/passwd read-only/private, spawns a thread that repeatedly calls madvise(MADV_DONTNEED) on the mapping, and in a traced child/parent setup uses ptrace(PTRACE_POKETEXT) in tight loops to race-write attacker-controlled bytes into the mapped file. The exploit first copies /etc/passwd to /tmp/passwd.bak, then generates a full passwd line for a root-equivalent account (UID/GID 0) with configurable fields (defaults: username 'toor', info 'pwned', home '/root', shell '/bin/bash') and a password hash computed via crypt() with salt 'toor'. After success, the system should allow 'su toor' or SSH login as 'toor' with the chosen password. No network C2 or remote endpoints are present; all observable targets are local filesystem paths. README provides affected kernel ranges, compilation command (gcc -pthread dirty.c -o dirty -lcrypt), usage, and restoration instructions (mv /tmp/passwd.bak /etc/passwd).
This repository demonstrates a local privilege escalation exploit for the Dirty COW vulnerability (CVE-2016-5195) on Ubuntu 16.04.1 with a vulnerable Linux kernel (4.4.0-31-generic). The main exploit is implemented in C (exploit/dirtycow_passwd.c) and works by exploiting a race condition in the Linux kernel's memory management to overwrite the root user's password hash in /etc/passwd. The payload sets the root password to 'dirtyCowFun', allowing the attacker to gain root access via 'su root'. The README provides step-by-step instructions for compiling, transferring, and executing the exploit, as well as verifying root access and capturing a flag from /root/flag.txt. The exploit requires local access to the target system and does not involve network communication. The repository contains two files: a README with detailed instructions and a single C source file implementing the exploit.
This repository contains an educational proof-of-concept (PoC) exploit for the Dirty COW vulnerability (CVE-2016-5195) in the Linux kernel. The main exploit code is in 'main.c', which implements the race condition between madvise and writing to /proc/self/mem (or, as a fallback, using ptrace) to overwrite the contents of a file mapped with MAP_PRIVATE. The exploit is highly configurable, allowing the user to specify the target file, payload (text or binary), number of iterations, number of parallel processes, and other options. It supports both the classic /proc/self/mem method and a ptrace-based method for systems where /proc/self/mem is restricted. The exploit provides detailed logging, SHA-256 hash verification of file changes, and creates a backup of the target file before modification. The README.md is extensive, providing background on the vulnerability, safe testing instructions, usage examples, and troubleshooting tips. The exploit is intended for educational and research purposes only and is not weaponized. The only code file is 'main.c', which is the entry point and contains all exploit logic. No network endpoints are present; all attack vectors are local file-based. The repository is well-structured for educational use, with clear separation of code, documentation, and licensing.
This repository contains a single C exploit (CVE-2016-5195.c) targeting the Dirty COW vulnerability (CVE-2016-5195) in the Linux kernel. The exploit leverages a race condition in the kernel's memory management to overwrite the /etc/passwd file, injecting a new root user entry with no password. The code uses two threads: one repeatedly calls madvise() to invalidate the memory mapping, while the other writes the malicious data to /proc/self/mem at the mapped location of /etc/passwd. If successful, this allows the attacker to escalate privileges to root by switching users. The repository is minimal, containing only the exploit code, a .gitignore, and a license file. No network or remote attack vectors are present; this is a local privilege escalation exploit requiring local access to the vulnerable system.
This repository is a C#/.NET-based 'one-click root' tool targeting PlayStation Certified and similar old Android devices, leveraging the Dirty COW (CVE-2016-5195) vulnerability. The structure includes a C# application (main logic in Program.cs, AdbHelper.cs, CmdHelper.cs) and native C code (dirtycow.c, dcow.c, run-as.c) for the actual exploit payloads. The tool automates the process of uploading exploit binaries to the device via ADB, overwriting the SUID binary /system/bin/run-as to gain a root shell, installing a persistent 'su' binary and SuperSU APK, and cleaning up after exploitation. The exploit is operational and provides persistent root access if successful. The repository is well-structured, with clear separation between the C# orchestration code and the native exploit payloads. It is not part of a larger exploit framework, but is a standalone tool focused on exploiting CVE-2016-5195 on specific Android devices.
This repository contains a local privilege escalation exploit for the Dirty COW vulnerability (CVE-2016-5195) in the Linux kernel. The main file, 'dirty.c', is a C program that exploits a race condition in the kernel's memory management to overwrite the /etc/passwd file, creating a new root-level user ('toor') with a password supplied by the attacker. The exploit first backs up the original /etc/passwd to /tmp/passwd.bak, then uses the Dirty COW technique to inject a new passwd line for the 'toor' user with UID 0 (root). After successful exploitation, the attacker can log in as 'toor' with the chosen password, gaining root access. The README.md provides compilation and usage instructions, as well as a warning to restore the original /etc/passwd after use. The exploit is operational and requires local access to a vulnerable Linux system. Key fingerprintable endpoints include the /etc/passwd and /tmp/passwd.bak files.
This repository contains a local privilege escalation exploit for the Dirty COW vulnerability (CVE-2016-5195) in the Linux kernel. The main file, 'dirty.c', is a C program that exploits a race condition in the kernel's memory subsystem to overwrite the /etc/passwd file, specifically replacing the root user's password hash with one chosen by the attacker. The exploit first backs up the original /etc/passwd to /tmp/passwd.bak, then prompts the user for a new password (or accepts it as a command-line argument), generates a password hash, and constructs a new passwd line for the root user. Using a combination of madvise and ptrace, it overwrites the root entry in /etc/passwd. After successful exploitation, the attacker can log in as root using the chosen password. The repository also includes a README.md with compilation instructions and references. The exploit is operational and provides a working local privilege escalation method on vulnerable Linux systems.
This repository is a proof-of-concept (PoC) exploit for CVE-2016-5195, also known as Dirty COW, targeting the Linux kernel. The main exploit is implemented in '0xdeadbeef.c', which uses ptrace to patch the vDSO (virtual dynamic shared object) of the running process, rather than modifying filesystem binaries. This approach allows the exploit to bypass SELinux, avoid the need for setuid binaries, and potentially escape containers. The payload, written in x86_64 assembly ('payload.s'), is injected into the vDSO and is executed whenever a process calls clock_gettime(). If the process is running as root and in a container, and if the marker file '/tmp/.x' does not exist, the payload creates this file, forks, and the child process spawns a reverse shell to a configurable IP and port (default 127.0.0.1:1234). The repository also includes tools for dumping and testing vDSO payloads. The exploit is operational, providing a working reverse shell payload, and is intended for local privilege escalation and potential container escape on vulnerable Linux systems.
This repository contains a working exploit for CVE-2016-5195 (Dirty COW) targeting 64-bit Android 6.0.1 (Marshmallow) and possibly 7.0 (Nougat) devices. The exploit is implemented in C (exploit.c) and ARM64 assembly (payload.s). The exploit works by patching the kernel's vDSO memory region to inject a custom payload that, when triggered, provides a root shell either locally or via a reverse TCP connection to a user-specified IP and port. The payload is memory-only, does not persist on the filesystem, and cleans up after execution, making it reversible and less detectable. The exploit also attempts to bypass SELinux restrictions, though a patched sepolicy and possibly a modified boot image are required for full effect. The Makefile is set up for cross-compilation using the Android NDK toolchain. The README provides detailed usage instructions, prerequisites, and troubleshooting tips. Notable fingerprintable endpoints include the marker file '/data/local/tmp/.x', the shell path '/system/bin/sh', and the reverse shell connection parameters. The exploit is operational and provides a reliable temporary root shell on vulnerable devices.
This repository contains a proof-of-concept (PoC) local privilege escalation exploit for Android devices, targeting the Dirty COW vulnerability (CVE-2016-5195). The main exploit code is in 'cowroot.c', which uses the Dirty COW race condition to patch the getuid() and geteuid() functions in the in-memory libc.so library, causing them to always return 0 (root). This bypasses privilege checks on affected systems. The exploit is specifically tailored for 32-bit Android devices, with particular effectiveness on Cyanogenmod builds where both getuid() and geteuid() are patched and a 'su' binary is present. The Makefile and Android.mk provide build instructions for compiling the exploit for Android using the NDK. The exploit does not write to the filesystem, operating entirely in memory, and attempts to execute 'su' to obtain a root shell after patching. The repository is a single-file C exploit with supporting build scripts, and is not part of a larger framework.
This repository contains three C programs exploiting the Dirty COW (CVE-2016-5195) vulnerability in the Linux kernel. The structure is as follows:
- poc.c: A proof-of-concept that allows arbitrary file overwrite by exploiting a race condition in the kernel's copy-on-write mechanism. It takes a destination file and a fake file as arguments and attempts to overwrite the destination with the contents of the fake file.
- root_newuser.c: An exploit that adds a new root user to /etc/passwd by overwriting the file with a crafted entry, using attacker-supplied username and password. This grants root access to the attacker.
- root_suid.c: An exploit that overwrites the SUID binary /usr/bin/passwd with a shell-spawning ELF payload, allowing the attacker to obtain a root shell by executing the modified binary.
All exploits use the same underlying technique: mapping the target file into memory, then using a combination of madvise and writing to /proc/self/mem to trigger the race condition and overwrite the file. The attack vector is local, requiring the attacker to execute code on the target system. The main fingerprintable endpoints are the files /etc/passwd, /usr/bin/passwd, and /proc/self/mem. The repository is operational, providing working exploits and payloads for privilege escalation on vulnerable Linux systems.
This repository contains a local privilege escalation exploit for the Linux kernel vulnerability CVE-2016-5195, also known as Dirty COW. The exploit is implemented in C++ (dcow.cpp), with a legacy C++ version for older compilers (legacy/dcow.cpp), and a Go (with CGO) version (golang/src/expl/expl.go and golang/src/main/main.go). The exploit works by leveraging a race condition in the kernel's memory management to overwrite the /etc/passwd file, setting the root password to a known value ('dirtyCowFun'). Upon successful exploitation, the attacker can gain root access either by logging in with the new password or by spawning a root shell directly. The exploit also creates a backup of the original /etc/passwd file, which can be restored. The repository includes makefiles for building the exploit, documentation, and changelogs. The attack vector is local, requiring execution on a vulnerable Linux system as an unprivileged user. The exploit targets a range of Linux distributions and kernel versions known to be vulnerable to Dirty COW.
This repository is a proof-of-concept exploit for CVE-2016-5195 (Dirty COW) targeting Android devices. The structure includes C source files for the exploit logic (dirtycow.c, dcow.c), a payload binary (run-as.c), build scripts (Android.mk, Makefile), a test script (test.sh), and documentation (README.md). The exploit works by compiling the binaries, pushing them to a connected Android device via ADB, and using the Dirty COW vulnerability to overwrite the system 'run-as' binary with a custom payload. This payload, when executed, sets the process UID and GID to 0 (root) and spawns a root shell, effectively granting root access to the attacker. The exploit does not attempt to disable SELinux or install a persistent superuser, focusing solely on demonstrating privilege escalation. The Makefile and scripts automate the build and deployment process. The main attack vector is local privilege escalation, requiring local code execution on the device. Key fingerprintable endpoints include the system 'run-as' binary, temporary file locations in /data/local/tmp, and the use of /proc/self/mem for memory manipulation. The exploit is a functional proof-of-concept and not a weaponized or persistent root solution.
This repository contains a proof-of-concept local privilege escalation exploit for the Linux 'Dirty COW' vulnerability (CVE-2016-5195). The main file, 'dirty.c', is a C program that exploits a race condition in the Linux kernel's memory management to overwrite the /etc/passwd file, creating a new root user ('firefart') with a password supplied by the attacker. The exploit first backs up the original /etc/passwd to /tmp/passwd.bak, then uses a combination of madvise and ptrace to overwrite the root user's entry. After successful exploitation, the attacker can log in as the new root user. The README provides compilation and usage instructions. The exploit requires local access to the target system and is effective only on vulnerable Linux kernels. No network endpoints are involved; all actions are performed locally on the filesystem.
This repository contains a Crystal language implementation of the Dirty COW (CVE-2016-5195) local privilege escalation exploit for Linux. The main exploit logic is in 'src/dirtycow.cr', which parses command-line arguments to specify a target file, a string to write, and an offset. It then uses a race condition between memory advice (madvise) and writing to /proc/self/mem to overwrite the contents of the specified file, even if it is root-owned. This can be used to escalate privileges if a sensitive file (such as /etc/passwd) is targeted. The repository is structured simply, with one main code file, a README, and configuration files. No network endpoints are present; the attack vector is purely local. The exploit is a proof-of-concept and does not include advanced payloads or automation for privilege escalation beyond the file overwrite capability.
This repository contains a local privilege escalation exploit for the Linux kernel vulnerability CVE-2016-5195, known as Dirty COW. The main exploit code is in 'root-dirtyc0w.c', which demonstrates how to exploit a race condition in the kernel's copy-on-write mechanism to overwrite a SUID binary (default: /bin/ping) with a shell-spawning payload. The exploit first backs up the original SUID binary to /tmp/suid_binary, then uses multiple threads to race the kernel and overwrite the target binary with an ELF payload generated by msfvenom. Once the overwrite is successful, the exploit executes the modified SUID binary to obtain a root shell. The repository also includes a makefile for building the exploit and a README.md with background information. The exploit is operational and provides a working local root shell on vulnerable systems.
This repository contains multiple proof-of-concept (PoC) exploits for the Dirty COW vulnerability (CVE-2016-5195) in the Linux kernel. The main components are:
1. Classic Dirty COW Exploit (dirtycow.c):
- A C program that exploits the race condition in the Linux kernel's copy-on-write mechanism to overwrite read-only files. The user supplies the target file and the content to write. This is a local privilege escalation exploit.
2. vDSO-based Dirty COW Exploit (dirtycow-vdso/dirtycow-vdso/0xdeadbeef.c):
- A more advanced PoC that patches the vDSO (virtual dynamic shared object) in memory using ptrace, allowing the injection of a custom payload (payload.s) into the vDSO. The payload is executed when a process calls clock_gettime().
- The payload checks if it is running as root and inside a container, creates a marker file (/tmp/.x), forks, and then establishes a reverse TCP shell to a configurable IP and port (default 127.0.0.1:1234).
- This method can be used for container escapes and privilege escalation, and is more stealthy than the classic method as it does not require modifying setuid binaries or the filesystem.
3. Supporting files:
- Assembly payload (payload.s), Makefiles for building the exploits, and tools for dumping and testing vDSO payloads.
- Dockerfile and docker-compose.yml for setting up a vulnerable environment for testing the exploit.
The repository is well-structured for research and demonstration of Dirty COW exploitation, including both traditional and advanced vDSO-based techniques. The main attack vectors are local privilege escalation and container escape, with the ability to establish a reverse shell to an attacker-controlled endpoint. The exploit is operational and includes a working payload, but may require adaptation for different Linux versions or environments.
This repository is a proof-of-concept exploit for CVE-2016-5195 (Dirty COW) on Android devices. It contains C source code for two binaries: 'dcow' (the main exploit) and 'run-as' (used for privilege escalation and spawning a root shell). The Makefile and Android.mk facilitate building the binaries for Android using the NDK. The 'test.sh' script sets up test files to demonstrate the exploit's ability to overwrite read-only files. The exploit works by leveraging the Dirty COW vulnerability to overwrite protected files, which can be used to replace system binaries or configuration files, ultimately leading to root access. The repository is operational and provides a working exploit with demonstration scripts, targeting Android devices vulnerable to Dirty COW. No network endpoints are involved; the attack vector is local, requiring code execution on the target device.
Recent activity
28 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A widely known Linux kernel local privilege escalation vulnerability affecting older kernels, commonly referred to as Dirty COW.
Referenced as a similar Linux kernel vulnerability for comparison only; no direct exploitation or remediation details are provided in this content.
A well-known Linux kernel privilege escalation vulnerability based on a race condition that allows writing to the page cache of read-only files.
A Linux kernel race condition vulnerability known as Dirty Cow listed in CISA's Known Exploited Vulnerabilities catalog.