POC details: 9a3f061531f76cd10de27f5336386f55a2582fe9

Source
Related vulnerability
Title: Linux kernel security vulnerability (CVE-2024-0582)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system of the US-based Linux Foundation. The Linux kernel contains a security vulnerability that stems from a memory leak issue and allows local users to cause a crash or escalate privileges.
Description
A data-only attack based on CVE-2024-0582
Introduction
# CVE-2024-0582
A data-only attack based on CVE-2024-0582

## Description
The exploit follows the strategy in [this blog post](https://blog.exodusintel.com/2024/03/27/mind-the-patch-gap-exploiting-an-io_uring-vulnerability-in-ubuntu/), except that I didn't use a child process to open files.

I found that some exploits on GitHub follow the strategy in [this write-up](https://anatomic.rip/cve-2023-2598/).

After I reproduced the exploit with socket-based control-flow hijacking, I tried to implement it as a data-only attack, which does not seem to be open-sourced yet.

## Try Claude
I fed the two write-ups above and [https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582/blob/main/exploit.c](https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582/blob/main/exploit.c) into Claude and said:

```
Could you modify the code to fit in the data-only attack? It means open file instead of sock, seek ext4_file_operations instead of egg, delete the control flow hijack and modify the file permission.
```

This generated code that used a child process, but I think a child process is hard to debug. So I said:

```
Why not open file in the process, not using a child?
```

It then generated code very close to the current version.

Then I:
1. Adjusted the backdoor string for easier understanding.
2. Adjusted the file mode flags based on the kernel source code; what Claude generated was wrong.
3. Increased the number of fds to spray more `file` structs, since `file` is much smaller than the `sock` struct.

## Usage
1. Verify the `ext4_fops_offset`.
2. Verify the file mode flags.
3. Possibly increase the number of fds to spray more `file` structs.
4. Compile and run.
```bash
gcc exploit.c -o exploit -luring
./exploit
```
5. Check for the backdoor user, or simply log out and log back in as the backdoor user.
```bash
sudo cat /etc/passwd # If you can use sudo
```
File snapshot

```
[4.0K] /data/pocs/9a3f061531f76cd10de27f5336386f55a2582fe9
├── [6.5K] dataonly.c
└── [1.8K] README.md

0 directories, 2 files
```