
CVE-2022-0847 PoC: Linux kernel security vulnerability

Associated Vulnerability
Title: Linux kernel security vulnerability (CVE-2022-0847)
Description: A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in the copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and as such escalate their privileges on the system.
Description
A Python-based DirtyPipe (CVE-2022-0847) POC to pop a root shell
Readme
# dirty.py

## Description
This is an exploit for the Linux kernel vulnerability [CVE-2022-0847](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847) (DirtyPipe) discovered by [Max Kellermann](https://dirtypipe.cm4all.com/).

This code combines two existing DirtyPipe POCs into one:
- [febinrev](https://github.com/febinrev/dirtypipez-exploit)
	- Overwrites the sudo binary to directly pop a root shell
- [eremus-dev](https://github.com/eremus-dev/Dirty-Pipe-sudo-poc)
	- A direct port of Kellermann's C POC to Python

This code checks if:
  - /etc/passwd can be overwritten to get a root shell
  - The sudo binary can be overwritten to get a root shell
  - The su binary can be overwritten to get a root shell
  - The current user can be added to the sudo group in /etc/group

It then carries out the first of those options that is possible, in that order, and drops the user directly into a root shell.

For an excellent explanation of the vulnerability itself, see [Kellermann's writeup](https://dirtypipe.cm4all.com/).

## Getting Started

Requires Python 3.10 or later, because the exploit uses `os.splice`, which was added to the standard library in 3.10 (Linux only).
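The preflight a practitioner would run before launching dirty.py, covering the target list above and the `os.splice` requirement, as an added example written for this page (it is not part of dirty.py or of the upstream PoCs it combines). The version ranges come from Kellermann's writeup (bug introduced in 5.8, fixed upstream in 5.16.11, 5.15.25 and 5.10.102); the `/usr/bin/sudo` and `/bin/su` paths are assumptions, since the README does not name them; and the "readable file longer than one byte" rule is only the coarse precondition of the primitive (the exploit splices at least one byte of the target into the pipe, so it needs read access and a non-zero offset), not the check dirty.py itself performs.

```python
"""Preflight checks before running a DirtyPipe PoC on a host.

Added example for this page, not part of dirty.py. Version boundaries are the
upstream ones from Kellermann's writeup; distribution kernels backport fixes
(and sometimes the bug) without changing the version string, so the version
result is a hint, not proof.
"""
import os
import platform
import re
import sys

# Upstream point releases that carry the fix (per Kellermann's writeup).
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
INTRODUCED = (5, 8)  # the pipe_buffer flags bug arrived with 5.8

# Targets in the order the README tries them. The sudo/su paths are assumed.
TARGETS = {
    "passwd": "/etc/passwd",
    "sudo": "/usr/bin/sudo",
    "su": "/bin/su",
    "group": "/etc/group",
}


def parse_release(release):
    """Turn '5.16.10-arch1-1' into (5, 16, 10); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def kernel_is_vulnerable(release):
    """True if the upstream version string falls inside the affected range."""
    major, minor, patch = parse_release(release)
    if (major, minor) < INTRODUCED:
        return False  # older than 5.8: the buggy code path does not exist
    if (major, minor) > (5, 16):
        return False  # 5.17 and later shipped with the fix
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return True  # EOL series (5.8, 5.9, 5.11-5.14) never got an upstream fix
    return patch < fixed_patch


def has_os_splice():
    """os.splice exists from Python 3.10 on, and only on Linux builds."""
    return sys.version_info >= (3, 10) and hasattr(os, "splice")


def usable_targets(targets=TARGETS):
    """Targets that exist, are readable, and are longer than one byte.

    The primitive splices at least one byte of the target into the pipe before
    writing, so the file must be readable and the overwrite offset must be > 0.
    """
    usable = {}
    for name, path in targets.items():
        try:
            size = os.stat(path).st_size
        except OSError:
            continue
        if os.access(path, os.R_OK) and size > 1:
            usable[name] = path
    return usable


def preflight(release=None):
    """Summarise whether dirty.py has any chance of working on this host."""
    release = release or platform.release()
    return {
        "kernel": release,
        "kernel_in_vulnerable_range": kernel_is_vulnerable(release),
        "os_splice": has_os_splice(),
        "targets": usable_targets(),
    }


if __name__ == "__main__":
    for key, value in preflight().items():
        print(f"{key}: {value}")
```

A kernel that reports as "in range" is only a candidate: Ubuntu, RHEL and others ship backported fixes under unchanged version strings, so confirm with the distribution advisory or by actually running the PoC on a throwaway system.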

## Usage
```console
usage: dirty.py [-h] [--target {passwd,group,sudo,su}]

Use dirty pipe vulnerability to pop root shell

options:
  -h, --help            show this help message and exit
  --target {passwd,group,sudo,su}
                        The target read-only file to overwrite
```

### Examples
#### Try all targets until one works
```console
vulnerable@kali:~$ python dirty.py
```
#### Try a specific target
```console
vulnerable@kali:~$ python dirty.py --target passwd
```

## Cleanup

The script may write several files to /tmp: 
 - /tmp/backup_sudo
 - /tmp/backup_su
 - /tmp/passwd
 - /tmp/sh
 - /tmp/group

Remove these files after the run; deleting some of them may require root access.

## Dealing with errors

This exploit overwrites a page of the target file in the page cache. Because the written page is never marked dirty, the kernel does not write it back, so the file on disk is unlikely to be modified (it would be only if some other process legitimately dirtied that page before it was evicted). If there is corruption or an error, the stale page disappears once it is evicted from the cache, which you can wait for, or force by dropping caches or rebooting. That being said, I bear no responsibility for damage done by this code, so please read carefully and hack responsibly. Be sure to check out Max Kellermann's writeup at cm4all.com as well.
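A check for the situation described above, added here as an example and not part of dirty.py: hash a target as the kernel currently serves it, ask the kernel to drop its clean cached pages with `posix_fadvise(POSIX_FADV_DONTNEED)`, and hash it again. A mismatch means the page cache held something other than the on-disk bytes, which is exactly the DirtyPipe after-effect. The `/usr/bin/sudo` and `/bin/su` paths are assumptions; the sample file used by `demo_on_constructed_file` is constructed for the example.

```python
"""Check whether a file's page cache still matches what is on disk.

Added example for this page, not part of dirty.py. DirtyPipe writes into the
page cache without marking the page dirty, so the on-disk file is normally
untouched and the poisoned bytes vanish once the page is evicted. This helper
hashes the file as the kernel currently serves it, asks the kernel to drop the
clean cached pages with posix_fadvise(POSIX_FADV_DONTNEED), and hashes it
again. DONTNEED is only a hint (mapped or dirty pages stay cached), so
"no mismatch" is not proof of a clean cache; a reboot or
`echo 3 > /proc/sys/vm/drop_caches` is the final word.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Files dirty.py may have written to; the sudo and su paths are assumptions.
DEFAULT_TARGETS = ("/etc/passwd", "/etc/group", "/usr/bin/sudo", "/bin/su")


@dataclass
class CacheCheck:
    path: str
    cached_sha256: str        # hash of the file as served before eviction
    ondisk_sha256: str        # hash after asking the kernel to drop clean pages
    eviction_requested: bool  # False on platforms without posix_fadvise

    @property
    def mismatch(self):
        return self.cached_sha256 != self.ondisk_sha256


def _sha256_of_fd(fd):
    """Hash the whole file behind an open descriptor, starting at offset 0."""
    os.lseek(fd, 0, os.SEEK_SET)
    digest = hashlib.sha256()
    while chunk := os.read(fd, 1 << 16):
        digest.update(chunk)
    return digest.hexdigest()


def check_page_cache(path):
    """Compare the cached view of `path` with a re-read after eviction."""
    fd = os.open(path, os.O_RDONLY)
    try:
        cached = _sha256_of_fd(fd)
        requested = False
        if hasattr(os, "posix_fadvise"):
            # offset=0, length=0 covers the file to EOF; clean pages get freed
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
            requested = True
        fresh = _sha256_of_fd(fd)
    finally:
        os.close(fd)
    return CacheCheck(path, cached, fresh, requested)


def check_targets(paths=DEFAULT_TARGETS):
    """Run the check over every path that exists; missing paths are skipped."""
    return [check_page_cache(p) for p in paths if os.path.exists(p)]


def demo_on_constructed_file():
    """Exercise the check on a constructed passwd-like file (never poisoned)."""
    fd, path = tempfile.mkstemp(prefix="pagecache-check-")
    try:
        os.write(fd, b"root:x:0:0:root:/root:/bin/bash\n" * 128)
        os.fsync(fd)
        os.close(fd)
        return check_page_cache(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for result in check_targets():
        state = "MISMATCH: cached copy differed from disk" if result.mismatch else "ok"
        print(f"{result.path}: {state} (eviction requested: {result.eviction_requested})")
```

Run it as root after the PoC (or after an incident) to see whether `/etc/passwd`, `/etc/group` and the setuid binaries are still serving poisoned pages; a binary that is currently mapped by a running process will not be evicted by the hint, so a clean result there should be confirmed after a reboot.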

## Acknowledgements

- [Max Kellermann](https://dirtypipe.cm4all.com/)
- [febinrev](https://github.com/febinrev/dirtypipez-exploit)
- [eremus-dev](https://github.com/eremus-dev/Dirty-Pipe-sudo-poc)
File Snapshot

```console
/data/pocs/bc2861c4ada75fa031c03ff68fe40f3c0d930365
├── dirty.py    (14K)
├── LICENSE     (1.2K)
└── README.md   (2.4K)

0 directories, 3 files
```