
Copy-on-write (COW) Exploit (CVE-2016-5195) Live Demo

By Ajay Verma - Saturday 5 November 2016
According to Linus Torvalds: "This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug")."
What is Copy-on-write (COW)?
Copy-on-write is the kernel technique that lets several processes share one read-only copy of a page until one of them writes to it; at that moment the writer is given its own private copy and the shared page stays untouched. The bug is in how that "COW break" was handled:
"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system." (Red Hat)
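To make the race in the Red Hat description concrete, here is a user-space toy model, added for this post and not kernel code, of the can_follow_write_pte() check from the fix quoted further down. The pte struct, the flag values, the helper names (cow_fault, drop_private_copy, forced_write_lands, prefix_forced_write_lands) and the "pre-fix" retry behaviour are assumptions of this model; only the predicate itself is taken from the patch. The model runs one forced write to a private read-only mapping, once without interference and once with the private copy torn down between the COW fault and the retry, and shows that the FOLL_COW gate refuses the second case while the modelled pre-fix retry would have let the write land on the shared original page.

```c
/* Toy model of the CVE-2016-5195 fix (added example, not kernel code).
 * Flag values and the pte layout are assumptions; the predicate in
 * can_follow_write_pte() mirrors the one in the upstream fix. */
#include <stdbool.h>
#include <stdio.h>

#define FOLL_WRITE 0x01     /* caller wants to write through the mapping */
#define FOLL_FORCE 0x10     /* caller may override the mapping's protection */
#define FOLL_COW   0x4000   /* assumed value: "a COW cycle has completed" */

typedef struct {
    bool writable;      /* pte write bit */
    bool dirty;         /* pte dirty bit */
    bool private_copy;  /* page is this process's own COW copy, not the shared one */
} toy_pte_t;

static bool pte_write(toy_pte_t pte) { return pte.writable; }
static bool pte_dirty(toy_pte_t pte) { return pte.dirty; }

/* Same logic as the fix: FOLL_FORCE alone is not enough; the pte must be
 * dirty AND the caller must have gone through a COW cycle (FOLL_COW). */
static bool can_follow_write_pte(toy_pte_t pte, unsigned int flags)
{
    return pte_write(pte) ||
        ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
}

/* Model of a COW fault on a private read-only mapping: the process gets a
 * private dirty copy, but the pte stays non-writable because the VMA is
 * read-only. The caller remembers the completed cycle via FOLL_COW. */
static void cow_fault(toy_pte_t *pte, unsigned int *flags)
{
    pte->private_copy = true;
    pte->dirty = true;
    pte->writable = false;
    *flags |= FOLL_COW;
}

/* Model of the race: the private copy is discarded and the pte is
 * re-established from the shared original page (clean, not writable). */
static void drop_private_copy(toy_pte_t *pte)
{
    pte->private_copy = false;
    pte->dirty = false;
    pte->writable = false;
}

/* Post-fix lookup: returns true if the forced write may proceed after at
 * most one COW fault; *hit_shared_page reports whether it would have
 * landed on the shared original page instead of the private copy. */
static bool forced_write_lands(bool race, bool *hit_shared_page)
{
    toy_pte_t pte = { .writable = false, .dirty = false, .private_copy = false };
    unsigned int flags = FOLL_WRITE | FOLL_FORCE;
    *hit_shared_page = false;

    if (can_follow_write_pte(pte, flags))
        return true;                  /* never true for a clean read-only pte */
    cow_fault(&pte, &flags);
    if (race)
        drop_private_copy(&pte);
    if (!can_follow_write_pte(pte, flags))
        return false;                 /* write refused: the gate holds */
    *hit_shared_page = !pte.private_copy;
    return true;
}

/* Modelled pre-fix behaviour (assumption of this example): after the COW
 * fault the caller retried the lookup without write intent, so any present
 * pte satisfied it, including one pointing back at the shared page. */
static bool prefix_forced_write_lands(bool race, bool *hit_shared_page)
{
    toy_pte_t pte = { .writable = false, .dirty = false, .private_copy = false };
    unsigned int flags = FOLL_WRITE | FOLL_FORCE;
    *hit_shared_page = false;

    if (pte_write(pte))
        return true;
    cow_fault(&pte, &flags);
    flags &= ~FOLL_WRITE;             /* retry no longer asks for write access */
    if (race)
        drop_private_copy(&pte);
    *hit_shared_page = !pte.private_copy;
    return true;                      /* lookup succeeds on whatever is mapped */
}

int main(void)
{
    bool shared;
    printf("fixed, no race : lands=%d shared=%d\n", forced_write_lands(false, &shared), shared);
    printf("fixed, race    : lands=%d shared=%d\n", forced_write_lands(true, &shared), shared);
    printf("pre-fix, race  : lands=%d shared=%d\n", prefix_forced_write_lands(true, &shared), shared);
    return 0;
}
```

The point of the model is the third line of output: with the race, the pre-fix retry reports a successful write that hits the shared page, which is exactly the "write access to otherwise read-only memory mappings" in the advisory text, while the fixed predicate returns false because the re-established pte is clean and so fails the pte_dirty() half of the gate.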
How to use this exploit?
Please watch the video above for the live demo.
Exploit 1: Write to a read-only file owned by root
Download the exploit code using wget:
First exploit code: Click Here
Compile the code with:
gcc -pthread dirtyc0w.c -o ud64_exploit
Now run the exploit:
./ud64_exploit root_file new_text_string
Exploit 2: Get root via local privilege escalation
Download the exploit code using wget:
Second exploit code: Click Here
Select the correct payload for your test server (x86 or x64) by (un)commenting the corresponding section of the exploit code.

Compile the code with:
gcc -pthread cowroot.c -o ud64_exploit
Now run the exploit:
./ud64_exploit
Check the result with:
whoami or id
Fix (upstream kernel patch, see Source):
+/*
+ * FOLL_FORCE can write to even unwritable pte's, but only
+ * after we've gone through a COW cycle and they are dirty.
+ */
+static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
+{
+ return pte_write(pte) ||
+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
+}
+
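Review bot: the new gate is only as strong as the discipline around FOLL_COW: the comment says forced writes to unwritable ptes are allowed "only after we've gone through a COW cycle and they are dirty", so FOLL_COW has to be set by the caller strictly after a COW fault has completed on this mapping and must not survive into an unrelated lookup, yet this hunk shows neither the FOLL_COW definition nor the caller-side change that sets it. As quoted, the ordering cannot be reviewed; the definition and the call-site change belong in the same patch so that a reader can confirm the dirty check is never reached with a stale FOLL_COW. Minor: "pte's" in the comment should read "ptes".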

Thanks for reading, please comment if you need any other exploit live demo. :)
./unknowndevice64
