Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/c3r34lk1ll3r/CVE-2017-11176

Code execution for CVE-2017-11176

cve-2017-11176 exploitation kernel-exploit


README

# CVE-2017-11176

Proof-of-concept exploit for CVE-2017-11176 that achieves code execution.

## Vulnerability
The `mq_notify` function in the Linux kernel through 4.11.9 does not set the `sock` pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, this allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact. Concretely, `netlink_attachskb()` has already dropped its reference to the socket before it returns 1 to request the retry; if the retried `fdget()` then fails because the descriptor was closed, the error path releases the stale `sock` pointer a second time, dropping a reference the caller no longer owns.
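The reference-count mistake is easier to see in a small user-space model than in the kernel source. The block below is an added example, not code from this repository or from the kernel: the helper names mirror the kernel functions they stand in for (`netlink_getsockbyfilp`, `netlink_attachskb`, `netlink_detachskb`) but their bodies are toy versions, and the scenario assumes that the descriptor passed to `mq_notify` is closed by another thread while `attachskb()` sleeps, while the underlying `struct file` stays alive (for instance via a dup'd descriptor) and keeps its own reference. `fixed = true` adds the single `sock = NULL` assignment that the upstream fix put before `goto retry`.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a refcounted netlink socket (not the kernel's
 * struct sock). One reference is owned by the socket's struct file. */
struct sock {
    int refcnt;
    bool freed;   /* set when the last reference is dropped */
};

static void sock_hold(struct sock *sk) { sk->refcnt++; }

static void sock_put(struct sock *sk)
{
    if (--sk->refcnt == 0)
        sk->freed = true;              /* kernel: sk_free() runs here */
}

/* Stand-in for netlink_getsockbyfilp(): resolve the socket behind a file
 * and take a reference on behalf of the caller. */
static struct sock *getsockbyfilp(struct sock *sk)
{
    sock_hold(sk);
    return sk;
}

/* Stand-in for netlink_attachskb(): when the receive queue is full it
 * sleeps, drops the reference it was handed and returns 1 so the caller
 * re-resolves the fd and retries. Returns 0 when the skb was queued, in
 * which case the reference stays alive for the notification. */
static int attachskb(struct sock *sk, bool queue_full)
{
    if (queue_full) {
        sock_put(sk);
        return 1;
    }
    return 0;
}

/* Stand-in for netlink_detachskb(): free the skb and drop the reference. */
static void detachskb(struct sock *sk) { sock_put(sk); }

/*
 * Model of the retry path in mq_notify(). The first attachskb() call
 * finds the queue full and returns 1. If fd_closed_during_sleep is true
 * the retried fdget() fails and control reaches out: with `sock` still
 * pointing at the socket. Returns the socket's refcount on exit.
 */
static int mq_notify_model(struct sock *sk, bool fd_closed_during_sleep, bool fixed)
{
    struct sock *sock = NULL;
    bool fd_valid = true;
    int attempt = 0;
    int ret;

retry:
    if (!fd_valid)
        goto out;                      /* fdget() failed: -EBADF */
    sock = getsockbyfilp(sk);          /* refcnt + 1 */

    ret = attachskb(sock, attempt++ == 0);
    if (ret == 1) {
        if (fixed)
            sock = NULL;               /* fix: attachskb() already dropped it */
        fd_valid = !fd_closed_during_sleep;
        goto retry;
    }
    /* ret == 0: success. The reference is handed to the mqueue's
     * notification state, so the error path must not release it. */
    sock = NULL;
out:
    if (sock)
        detachskb(sock);               /* vulnerable: second sock_put() */
    return sk->refcnt;
}

int main(void)
{
    struct sock vuln = { 1, false }, fix = { 1, false };

    printf("vulnerable: refcnt=%d freed=%d\n",
           mq_notify_model(&vuln, true, false), vuln.freed);
    printf("fixed:      refcnt=%d freed=%d\n",
           mq_notify_model(&fix, true, true), fix.freed);
    return 0;
}
```

With the fd closed during the sleep, the vulnerable path ends with the refcount at 0 (the socket is freed while the `struct file` still points at it, which is the use-after-free), the fixed path leaves it at 1. If the fd stays open, the retry simply overwrites `sock` with a fresh reference and both variants behave the same, which is why the bug needs the close to race the sleep.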

## Reference
- [https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html](https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html)
- [https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part2.html](https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part2.html)
- [https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part3.html](https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part3.html)
- [https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html](https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html)

Check out these posts; I learned a lot from them.

## Limitations
- `SMAP` is disabled on the target
- `KASLR` is disabled on the target
- The target kernel uses the `SLAB` allocator (`CONFIG_SLAB`), which is what the exploit targets; `SLUB` is not supported
- Many addresses and offsets are hardcoded, so they match one specific kernel build only
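Before spending time on a target it is worth confirming that these assumptions actually hold. The program below is an added example, my own code rather than part of the repository: it reads `/proc/cpuinfo`, `/proc/cmdline` and `/boot/config-$(uname -r)` and reports whether SMAP and KASLR are in effect and whether `CONFIG_SLAB` is selected. It assumes an x86-64 target whose kernel config is available under `/boot` (a gzipped `/proc/config.gz` is not handled). The hardcoded addresses and offsets cannot be checked this way; they have to be matched against the target's kernel build by hand.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* True if `word` occurs as a whole token in `line`, where tokens are
 * separated by spaces, tabs, newlines or the ':' of a cpuinfo line. */
static bool has_token(const char *line, const char *word)
{
    size_t n = strlen(word);
    const char *p = line;

    while ((p = strstr(p, word)) != NULL) {
        bool starts = p == line || strchr(" \t:\n", p[-1]) != NULL;
        bool ends = p[n] == '\0' || strchr(" \t\n", p[n]) != NULL;
        if (starts && ends)
            return true;
        p += n;
    }
    return false;
}

/* True if the kernel config text contains a line "OPTION=y". */
static bool config_is_y(const char *config, const char *option)
{
    char needle[128];
    size_t n;
    const char *p = config;

    snprintf(needle, sizeof needle, "%s=y", option);
    n = strlen(needle);
    while ((p = strstr(p, needle)) != NULL) {
        bool starts = p == config || p[-1] == '\n';
        bool ends = p[n] == '\0' || p[n] == '\n' || p[n] == '\r';
        if (starts && ends)
            return true;
        p += n;
    }
    return false;
}

/* SMAP is active when the kernel was built with CONFIG_X86_SMAP, the CPU
 * advertises the feature, and the command line does not carry nosmap. */
static bool smap_enabled(const char *config, const char *cpu_flags, const char *cmdline)
{
    return config_is_y(config, "CONFIG_X86_SMAP") &&
           has_token(cpu_flags, "smap") && !has_token(cmdline, "nosmap");
}

/* KASLR is active when CONFIG_RANDOMIZE_BASE=y and nokaslr was not passed. */
static bool kaslr_enabled(const char *config, const char *cmdline)
{
    return config_is_y(config, "CONFIG_RANDOMIZE_BASE") && !has_token(cmdline, "nokaslr");
}

/* The PoC targets SLAB; most distribution kernels select SLUB instead. */
static bool slab_selected(const char *config)
{
    return config_is_y(config, "CONFIG_SLAB");
}

/* Read up to cap-1 bytes of path into buf; buf is empty if unreadable. */
static void slurp(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    size_t n = 0;

    if (f) {
        n = fread(buf, 1, cap - 1, f);
        fclose(f);
    }
    buf[n] = '\0';
}

int main(void)
{
    static char cpuinfo[1 << 16], cmdline[4096], config[1 << 20];
    char cfgpath[256];
    char *flags;
    struct utsname u;

    slurp("/proc/cpuinfo", cpuinfo, sizeof cpuinfo);
    slurp("/proc/cmdline", cmdline, sizeof cmdline);
    uname(&u);
    snprintf(cfgpath, sizeof cfgpath, "/boot/config-%s", u.release);
    slurp(cfgpath, config, sizeof config);

    flags = strstr(cpuinfo, "flags");        /* first CPU's flags line */
    if (flags) {
        char *eol = strchr(flags, '\n');
        if (eol)
            *eol = '\0';
    } else {
        flags = cpuinfo + strlen(cpuinfo);   /* empty string */
    }

    if (!config[0])
        printf("warning: %s not readable, config-based checks report false\n", cfgpath);
    printf("SMAP  %s\n", smap_enabled(config, flags, cmdline) ? "enabled (PoC blocked)" : "off");
    printf("KASLR %s\n", kaslr_enabled(config, cmdline) ? "enabled (PoC blocked)" : "off");
    printf("SLAB  %s\n", slab_selected(config) ? "selected" : "not selected (PoC expects SLAB)");
    return 0;
}
```

Compile with `gcc -O2 -o precheck precheck.c` and run it on the candidate machine. Note that the KASLR check relies on the build config and the `nokaslr` parameter only; comparing `_text` in `/proc/kallsyms` against `System.map` as root is an independent confirmation.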

## Other files
- `heap.c`: used to discover the target cache
- `*.stp`: SystemTap scripts used for debugging; `offset.stap` also prints the structure offsets
- `gdb.script`: `gdb` script for debugging. Its breakpoint only fires when `RAX` holds a userspace address. Note that the second breakpoint is inserted only after the first one has been hit, to avoid the performance cost of breaking on every call (`wake_up` is called very often).