Skip to content

c3r34lk1ll3r/CVE-2017-11176

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
const.h
const.h
 
 
exp_stap.stp
exp_stap.stp
 
 
gdb.script
gdb.script
 
 
heap.c
heap.c
 
 
main.c
main.c
 
 
my_stap.stp
my_stap.stp
 
 
offset.stap
offset.stap
 
 

Repository files navigation

CVE-2017-11176

Proof of concept for CVE-2017-11176 for code execution.

Vulnerability

The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.

Reference

Check out these posts, I learned a lot from that.

Limitation

  • SMAP is disabled
  • KASLR is disabled
  • SLAB allocator is exploited
  • There are a lot of hardcoded address and offset.

Others file

  • heap.c: this is used to discovery the target cache
  • *.stp: these files are used for System Tap to debug. Also offset.stap print out the structure offset
  • gdb.script: gdb script for debugging. This will trigger the breakpoint if RAX is in userspace. Note that we will insert the second breakpoint after we hit the first one in order to avoid performance issue (wake_up is called a lot of times).

About

Code execution for CVE-2017-11176

Topics

exploitation kernel-exploit cve-2017-11176

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages