Reproducing the Dirty COW vulnerability

Posted by punzalan at 2020-03-14

These days I logged in to 90sec and came across this article. For convenience, I have also uploaded it to my personal blog, and I am adding the Dirty COW exps I collected earlier as exp files.

The vulnerability: a race condition in the Linux kernel's copy-on-write (COW) handling of memory mappings (Dirty COW, CVE-2016-5195) breaks the protection of private memory mappings. An attacker who has already obtained a low-privileged local account can use it to gain write access to memory mappings that were mapped read-only, and from there escalate to root.


Ubuntu 14.04:

1) Add a user: run sudo adduser test, enter the password twice and press Enter. Check the current user's information with id: the current user has sudo permission.

2) Switch to the newly created test user and run id: the test user has no sudo permission.

3) Run the exp as the test user. Open a new terminal, switch to test again and run id: the test user now has sudo permission. Run sudo su and enter the test user's password to switch to root. Privilege escalation succeeded.

Cause of the vulnerability

Linux copy-on-write (COW)

Traditionally, fork() creates a child process that is an exact copy of its parent, which means copying the parent's whole address space. Because the child usually calls exec() right away, that copy is wasted work, so Linux uses copy-on-write: parent and child share the same physical pages, and a page is copied for the child only when one of them writes to it. The same mechanism backs private file mappings (MAP_PRIVATE): a write does not modify the file's page in the page cache but a private copy that belongs to the writing process. Dirty COW is a race in this path that lets a write reach the original page instead of the private copy, so a file the process can only read ends up modified.
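To make concrete what copy-on-write guarantees, and therefore what the exp in this article breaks when it changes test_dirtycow, here is an added example; it is not code from the original post or from any exp. It writes through a MAP_PRIVATE mapping of a constructed temporary file and through memory inherited across fork(), then checks that neither write reaches the original: on an intact kernel both functions return 1. The sample content, the /tmp path and the function names are the example's own. The file-unchanged check is the same one the article performs by reading test_dirtycow after running the exp; a successful Dirty COW exploit is exactly the case where that check fails.

```c
/* cow_demo.c: what copy-on-write promises, checked from user space.
 * Added example for this article, not part of the original post or of any exp.
 * Build: gcc -Wall -o cow_demo cow_demo.c && ./cow_demo */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* Constructed sample content standing in for the article's test_dirtycow file. */
static const char ORIGINAL[] = "root-owned read-only content\n";
static const char PAYLOAD[]  = "123456";

/* Returns 1 if a write through a MAP_PRIVATE mapping stays in the process's
 * private copy and the backing file is unchanged, 0 if it reached the file,
 * -1 on a setup error. */
int private_mapping_write_stays_private(void)
{
    char path[] = "/tmp/cow_demo_XXXXXX";      /* hypothetical temp path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    size_t len = sizeof ORIGINAL - 1;
    if (write(fd, ORIGINAL, len) != (ssize_t)len) { close(fd); unlink(path); return -1; }

    /* Private writable mapping: the first write faults and the kernel gives
     * this process its own copy of the page (copy-on-write). */
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); unlink(path); return -1; }

    memcpy(map, PAYLOAD, sizeof PAYLOAD - 1);   /* the overwrite the exp performs */
    msync(map, len, MS_SYNC);                   /* has no effect on a private copy */
    int mapping_changed = memcmp(map, PAYLOAD, sizeof PAYLOAD - 1) == 0;

    /* Re-read the file itself: with intact COW it still holds ORIGINAL. */
    char buf[sizeof ORIGINAL] = {0};
    int file_unchanged = pread(fd, buf, len, 0) == (ssize_t)len
                      && memcmp(buf, ORIGINAL, len) == 0;

    munmap(map, len);
    close(fd);
    unlink(path);
    return (mapping_changed && file_unchanged) ? 1 : 0;
}

/* Returns 1 if a child's write to inherited memory does not show up in the
 * parent (fork() shares pages copy-on-write), 0 otherwise, -1 on error. */
int fork_write_stays_in_child(void)
{
    volatile int value = 42;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        value = 99;                    /* faults; the child gets its own page */
        _exit(value == 99 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    int child_ok = WIFEXITED(status) && WEXITSTATUS(status) == 0;
    return (child_ok && value == 42) ? 1 : 0;
}

int main(void)
{
    printf("MAP_PRIVATE write stayed private: %d\n", private_mapping_write_stays_private());
    printf("fork() write stayed in child:     %d\n", fork_write_stays_in_child());
    return 0;
}
```

Both checks print 1 on a patched kernel. The exploit does not write through a writable mapping like this one; it targets a mapping it is not allowed to write and races the kernel so that the write, which should land in the private copy, lands in the shared page cache page, which is how a read-only file such as test_dirtycow ends up containing 123456.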


Compiling the exp on Linux is not covered here; for the Android platform the exp can be compiled with the Android NDK. For example:

Download and unzip the Android NDK. On my personal computer the NDK path is C:\Users\wangzt\Desktop\AndroidNDK. Only the hello-jni sample under that path is needed: create a new folder under its jni directory and put two files in it, Android.mk and Application.mk, as follows.

Android.mk (only the build line is legible in the original; the rest follows the NDK hello-jni template):

    include $(BUILD_EXECUTABLE)

Application.mk:

    APP_ABI := all

Compile the exp: on the command line, cd to C:\Users\wangzt\Desktop\AndroidNDK\hello-jni\app\src\main\jni and run the ndk-build command (from D:\Android...). After compilation succeeds, the compiled exp for each platform can be found in the libs folder under main.

Android 4.4

Connect the phone with adb (enable USB debugging on the phone first) and list the connected devices:

    adb devices

As root, create a new file test_dirtycow under /system/bin/ with permissions 644.

Push the exp (dirtyc0w) to /data/local/tmp/ on the phone with adb push. The armeabi build is used here; the arm64-v8a build could not be run on the test phone. Choose the platform matching the architecture of the phone you test with.

Change the permissions of the exp so that it is executable.

Check the current user: shell.

Switch to root and write 123456 into test_dirtycow, then switch back to the ordinary user (shell) and run the exp as the ordinary user (the same applies below).

Then look at the content of test_dirtycow: the file content has been modified, so the reproduction succeeded.

Android 6.0.1 (security patch level: 2017-02-01)

Test system information:

Android 6.0.1 hides Developer options by default. Tap the phone's Build number repeatedly (seven times on stock Android) to unlock Developer options, then turn on USB debugging there.

Next, create a file in the /system/bin directory that an ordinary user has no permission to write. /system is mounted read-only by default, so remount it read-write first:

    mount -o rw,remount /system

Note: there must be no space after the comma in rw,remount.

The following steps are the same as on Android 4.4:

Switch to root with adb root, create test_dirtycow and change its permissions to 644.

Change the permissions of the exp so that it is executable.

Running the exp reports an error:

Support for PIE (position-independent executables) was introduced in Android 4.1, but up to Android 4.4 the system still ran non-PIE executables, so no error was reported there. From Android L onward a non-PIE executable is rejected and cannot be executed, so the exp has to be compiled as PIE. The fix is simple: add the flags to Android.mk:

    #LOCAL_STATIC_LIBRARIES := libc
    #LOCAL_CFLAGS += -Iinclude/dir -DSOMEFLAGS
    LOCAL_CFLAGS += -fPIE
    LOCAL_LDFLAGS += -pie
    include $(BUILD_EXECUTABLE)

Application.mk stays the same:

    APP_ABI := all

Then compile the exp again.

The compile command window: because I downloaded the NDK through the Android SDK, I enter the following command on the command line and compile from the Android SDK\ndk-bundle folder: D:\Android SDK

After testing, the content of the file cannot be modified:

So on Android 6.0.1 with the February 2017 security patch level, the hole has been fixed.

Android 6.0.1 R68 (security patch level: 2016-09-06)

Needless to say, the same operation:

The content of test_dirtycow has been modified, so the reproduction succeeded.

Android 5.1.1

Reproduction process:

The exp used is the one compiled for the Android 6.0.1 test.

Steps: run mount -o rw,remount /system, create the new test_dirtycow file and change its permissions to 644:

Write 123456 into test_dirtycow and run the exp. Looking at the content of test_dirtycow now, the file content has been modified, so the reproduction succeeded.