Cracking into a Centos 5.5 Server using the Dirty Cow Linux kernel bug

In this video I will be showing you how to break into a Centos 5.5 system, by taking advantage of a kernel bug that is present in it's kernel. This is not something that I would normally do, but I ended up in a situation where I did not know the root password, for a server that I had been asked to look after. I had the email account for the previous admin, but could not find any emails relating to the root password for the server. This then left me with two options, which were to either call the support for the ISP, or to find a way of breaking into it. I first thought about using the Shellshock bug in Bash, but found that this patch had already been applied and it was not a kernel or SUID binary exploit, so there was not much chance of getting root with it. I then had another quick look and then found the Dirty Cow exploit, which was a kernel bug, so it therefore was a good one to use for getting root. To get it to work, the server will either need to have gcc installed, or the attack file will have to be compiled on another machine, then copied over to the machine that is going to be attacked. You also need to be able to run a shell on the machine, because it is not a remote vulnerability, so the machine is safe if the admin has disabled shell access. You can look at the below link:

https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

to find a list of the various attack programs that have been created, but the one that I used is at this site:

https://github.com/Biprodeep/dirtycow

which is a fork of the below code:

https://github.com/FireFart/dirtycow

First you have to either download the dirty.c file or you can copy the code directly from the Github raw page of the .c file and then past it into a text editor. You can then edit the file to change the user who will be added to the /etc/passwd file as the user with UID 0.
Once the file is edited, it is then time for it to be compiled with gcc like below:

gcc -pthread dirty.c -o dirty -lcrypt

If you have compiled the file on a different machine from the one that it is to be run on, then you have to copy the resulting binary over to the machine that is going to be attacked. If the target machine already has gcc on it, then you can just directly run the binary after you have compiled it. You can either run the binary directly like below:

./dirty

which will then present a prompt into which you can type the password, or you can run it like below:

./dirty password

which will then put the password that you have specified into the bottom of the /etc/passwd file, along with the username that was specified in the dirty.c file. You then have to enter the below command, because someone did mention that their machine would crash if it was not specified:

echo 0 > /proc/sys/vm/dirty_writeback_centisecs

You should now be able to su to the user that you specified in the dirty.c file and this should give you a root prompt.

A Centos 5.11 install ISO is available at the below link:

http://mirror.nsc.liu.se/centos-store/5.11/isos/x86_64/CentOS-5.11-x86_64-bin-DVD-1of2.iso

You also have to edit the repo file at:
/etc/yum.repos.d/CentOS-Base.repo
then replace:
mirror.centos.org/centos/$releasever
with:
vault.centos.org/5.11