This repo contains demo exploits for CVE-2022-0185. There are two versions here.

Overview

CVE-2022-0185

The non-kctf version (fuse version) specifically targets Ubuntu with kernel version 5.11.0-44. It does not directly return a root shell, but makes /bin/bash SUID, after which privilege escalation is trivial. Adjusting the single_start and modprobe_path offsets should allow it to work on most other Ubuntu versions with kernel version 5.7 or higher; for versions between 5.1 and 5.7, the spray will need to be improved as in the kctf version. The exploitation strategy relies on FUSE and SYSVIPC elastic objects to achieve an arbitrary write.

The kctf version achieves RCE as the root user in the root namespace, but has at most 50% reliability; it is targeted towards Kubernetes 1.22 (1.22.3-gke.700). This exploitation strategy relies on pipes and SYSVIPC elastic objects to trigger a stack pivot and execute a ROP chain in kernelspace.
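The bug both exploits build on is the bound check in the kernel's legacy_parse_param() (the fsconfig path used when a filesystem such as ext4 has no new-style parameter parser). The check was written as `len > PAGE_SIZE - 2 - size`; once the cumulative option length `size` reaches PAGE_SIZE - 1, the right-hand side underflows to ~0UL and every further parameter is accepted and copied past the one-page buffer. The upstream fix rewrote it as `size + len + 2 > PAGE_SIZE`. The following is an added userspace model of that check, not code from this repository: it mirrors the kernel's buffer layout (comma, key, '=', value, NUL) and its `len` accounting, but only counts bytes that would land past the page instead of writing them, so it runs safely anywhere. The parameter sizes (a 4092-byte value under a one-byte key, then a 64-byte value) are chosen here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096UL   /* unsigned long, as in the kernel */

/* Userspace stand-in for legacy_fs_context: one page of option text plus
 * the cumulative length of what has been appended so far. */
struct legacy_ctx {
    char data[PAGE_SIZE];
    unsigned int data_size;
};

/* Pre-fix check from legacy_parse_param(). size is unsigned int and
 * PAGE_SIZE is unsigned long, so for size >= PAGE_SIZE - 1 the subtraction
 * wraps to a huge value and nothing is ever rejected. Nonzero = reject. */
static int check_vulnerable(unsigned int size, size_t len)
{
    return len > PAGE_SIZE - 2 - size;
}

/* The upstream fix: additions only, no underflow. Nonzero = reject. */
static int check_fixed(unsigned int size, size_t len)
{
    return size + len + 2 > PAGE_SIZE;
}

/* Store one byte if it is inside the page; otherwise just skip it.
 * (The real kernel writes it regardless, which is the heap overflow.) */
static void put(struct legacy_ctx *ctx, unsigned long pos, char c)
{
    if (pos < PAGE_SIZE)
        ctx->data[pos] = c;
}

/* Model one FSCONFIG_SET_STRING parameter. Returns -1 if the check rejects
 * it, otherwise the number of bytes that would be written past the page
 * (0 means the parameter fit). */
static long append_param(struct legacy_ctx *ctx, const char *key,
                         const char *val, size_t vlen, int use_fixed)
{
    unsigned int size = ctx->data_size;
    size_t klen = strlen(key);
    size_t len = 1 + vlen + klen;            /* '=' + value + key, per the kernel */
    unsigned long pos = size, end, i;

    if (use_fixed ? check_fixed(size, len) : check_vulnerable(size, len))
        return -1;

    put(ctx, pos++, ',');
    for (i = 0; i < klen; i++)
        put(ctx, pos++, key[i]);
    put(ctx, pos++, '=');
    for (i = 0; i < vlen; i++)
        put(ctx, pos++, val[i]);
    put(ctx, pos, '\0');                      /* terminating NUL at index pos */
    end = pos + 1;                            /* one past the last byte touched */
    ctx->data_size = (unsigned int)pos;
    return end > PAGE_SIZE ? (long)(end - PAGE_SIZE) : 0;
}

/* Fill the page to exactly PAGE_SIZE - 1 bytes, then append a second, small
 * parameter. Returns the second call's result: 67 bytes past the page under
 * the vulnerable check, -1 (rejected) under the fixed one. */
static long second_param_result(int use_fixed)
{
    static char big[4092], small[64];         /* constructed sample values */
    struct legacy_ctx ctx = {{0}, 0};
    memset(big, 'A', sizeof big);
    memset(small, 'B', sizeof small);

    if (append_param(&ctx, "a", big, sizeof big, use_fixed) != 0)
        return -2;                            /* the first one must fit exactly */
    return append_param(&ctx, "b", small, sizeof small, use_fixed);
}

int main(void)
{
    printf("vulnerable check: %ld bytes past the page\n", second_param_result(0));
    printf("fixed check:      %ld (rejected)\n", second_param_result(1));
    return 0;
}
```

The first parameter lands data_size on 4095, one short of the page; with the original check a second parameter of any length is then accepted, and the comma, key, '=' and NUL alone already spill three bytes beyond the 64-byte value into the neighbouring kmalloc-4096 object, which is what the spray in both exploits arranges to sit there.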

demo against Ubuntu with kernel version 5.13.0-25

demo against Google kCTF Infrastructure

exploitation writeup

Issues
  • Timeline for aarch exploit.

    I am wondering if an aarch exploit is possible using this underflow. exploit_kctf.c and exploit_fuse.c contain inline assembly which would need to be ported, but some other changes might be needed.

    opened by 10maurycy10 1
  • Add automatic targeting for Ubuntu 5.11 / 5.13 kernels

    If you want.

    Adds automatic targeting and a bunch of offsets for Ubuntu 5.11 / 5.13 generic kernels.

    All offsets tested on Ubuntu 14.02 LTS. Some also tested on 14.04.1 and 14.04.2.

    opened by bcoles 0
  • Has the use been successful?

    Linux version 4.19.91-20211117175159.ff8219c.al7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)) #1 SMP Wed Nov 17 09:57:56 UTC 2021

    [*] Spraying kmalloc-32
    [*] Opening ext4 filesystem
    fsopen: Remember to unshare

    opened by laowang1026 2
  • No access to root

    Linux c 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

    command: make fuse

    [*] Exploit success! /bin/bash is SUID now!
    [+] Popping shell
    -p: /root/.bash_profile: Permission denied

    No access to root

    opened by mortals-tx 2
  • Multiple warning

    Hi,

    I am getting issues while doing make fuse or kctf.

    make fuse
    gcc -no-pie -static exploit_fuse.c fakefuse.c util.c -I./libfuse libfuse3.a -o exploit -masm=intel -pthread
    exploit_fuse.c: In function ‘modprobe_hax’:
    exploit_fuse.c:227:5: warning: null argument where non-null required (argument 2) [-Wnonnull]
      227 |     execve(modprobe_trigger, NULL, NULL);
    strip exploit

    make kctf
    gcc -no-pie -static exploit_kctf.c util.c -o exploit -masm=intel -pthread
    exploit_kctf.c:379:24: warning: return type defaults to ‘int’ [-Wimplicit-int]
      379 | __attribute__((naked)) win()
    exploit_kctf.c: In function ‘main’:
    exploit_kctf.c:621:25: warning: format ‘%p’ expects argument of type ‘void *’, but argument 2 has type ‘uint64_t’ {aka ‘long unsigned int’} [-Wformat=]
      621 |     printf("[*] kbase: %p\n", kbase);
    exploit_kctf.c:640:42: warning: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 2 has type ‘uint64_t’ {aka ‘long unsigned int’} [-Wformat=]
      640 |     printf("[*] kmalloc 1024 chunk: 0x%llx\n", kmalloc_1024);
    exploit_kctf.c:641:41: warning: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 2 has type ‘uint64_t’ {aka ‘long unsigned int’} [-Wformat=]
      641 |     printf("[*] kmalloc 512 chunk: 0x%llx\n", kmalloc_512);
    strip exploit

    After getting the exploit with warnings, it is not exploiting the kernel. Could you please help me with that?

    Thanks in advance; looking forward to quick fixes.

    opened by anonymousgalaxylord 2
Owner
Crusaders of Rust CTF Team