Skip to content

c3r34lk1ll3r/CVE-2017-11176

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

const.h

const.h

 
 

exp_stap.stp

exp_stap.stp

 
 

gdb.script

gdb.script

 
 

heap.c

heap.c

 
 

main.c

main.c

 
 

my_stap.stp

my_stap.stp

 
 

offset.stap

offset.stap

 
 

Repository files navigation

CVE-2017-11176

Proof of concept for CVE-2017-11176 for code execution.

Vulnerability

The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.

Reference

Check out these posts, I learned a lot from that.

Limitation

  • SMAP is disabled
  • KASLR is disabled
  • SLAB allocator is exploited
  • There are a lot of hardcoded address and offset.

Others file

  • heap.c: this is used to discovery the target cache
  • *.stp: these files are used for System Tap to debug. Also offset.stap print out the structure offset
  • gdb.script: gdb script for debugging. This will trigger the breakpoint if RAX is in userspace. Note that we will insert the second breakpoint after we hit the first one in order to avoid performance issue (wake_up is called a lot of times).

About

Code execution for CVE-2017-11176

Topics

exploitation kernel-exploit cve-2017-11176

Resources

Readme

License

GPL-3.0 license
Activity

Stars

1 star

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages