radare2 IO plugin that uses the Linux's dirtycow vulnerability to allow the user to modify files owned by other users by messing up the Copy-On-Write cache.
This plugin works on all linux kernels from 2007 (>= 2.6.22) until 2016 (< 4.8.3).
For more details about this exploit checkout https://dirtycow.ninja
Written by Sergi Alvarez [email protected] at NowSecure
This plugin and the cowpy tool are distributed under the terms of the LGPL, Copyright NowSecure 2016.
The easiest way to install this r2 plugin is by using r2pm like this:
$ r2pm -i dirtycow
The repository contains also a program named cowpy
that will copy
the contents of one file into another one. Bear in mind that dirtycow
can't resize files, so you will not be able to write more bytes than
the ones in the destination file and your contents should be self
contained and properly terminated by an exit 0 if it's a script.
In order to crosscompile it is required to setup the android environment
with the sys/android-shell.sh
script of radare2
. Typing make
will
be enough to get cowpy
compiled.
Crosscompiling the r2 plugin requires to have r2 crosscompiled available in the system, so, to simplify, it is better to just build this repository inside Termux.
Eventually it may be committed into the termux packages.
To compile it, just run build.sh
from inside a Termux shell in your Android device. You can also crosscompile it using the NDK, or just build it natively on your favourite Linux distro using make
.
After that, r2 may list the new plugin:
$ r2 -L | grep cow
And we can use it like this to patch any system bin.
$ r2 dcow:///system/bin/sh
--pancake