
Changes for ARM #5

Open
habibi2115 opened this issue Oct 4, 2022 · 5 comments

Comments

@habibi2115 (Author)

Hi, I am testing this PoC on ARM, but the exploit was unable to find the overlap id, so changes are required to make it run on ARM (Pi).

@Markakd (Owner)

Markakd commented Oct 4, 2022

You might need to adjust the values of the middle and end variables in line 846.

@habibi2115 (Author)

I am getting this error while compiling for ARM. What is the best possible solution?

```
ubuntu@ubuntu:~$ make
cc -O0 exp_file_credential.c -lpthread -o exp_file_credential
exp_file_credential.c:59:10: fatal error: x86intrin.h: No such file or directory
   59 | #include <x86intrin.h>
      |          ^~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:2: file] Error 1
```

@teccheck

teccheck commented Oct 13, 2022

Your compiler tries to load the file x86intrin.h which, as the name suggests, is a file specific to x86 systems. Maybe you can try to comment out the line `#include <x86intrin.h>` like this:

```
// #include <x86intrin.h>
```

However, I can't guarantee this will work. Good luck ;)
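The build failure above is a plain portability problem: `x86intrin.h` ships only with x86 toolchains, so any source that includes it unconditionally cannot be compiled on an ARM board. The usual fix is to guard the include behind the compiler's architecture macros and provide a fallback for whatever the header was used for (typically `__rdtsc()` as a cheap cycle counter). The following is an added, self-contained example written for this issue; it is not code from the repository, and the function names `build_arch`, `uses_rdtsc` and `portable_ticks` are my own.

```c
#define _POSIX_C_SOURCE 199309L   /* for clock_gettime() under strict -std modes */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* x86intrin.h only exists on x86 toolchains, so include it conditionally.
 * On every other architecture we fall back to the POSIX monotonic clock. */
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_RDTSC 1
#else
#define HAVE_RDTSC 0
#endif

/* Reports the architecture the binary was compiled for (hypothetical helper). */
const char *build_arch(void) {
#if defined(__x86_64__)
    return "x86_64";
#elif defined(__i386__)
    return "i386";
#elif defined(__aarch64__)
    return "aarch64";
#elif defined(__arm__)
    return "arm";
#else
    return "unknown";
#endif
}

/* 1 when the rdtsc path is compiled in, 0 when the clock_gettime fallback is. */
int uses_rdtsc(void) {
    return HAVE_RDTSC;
}

/* Returns a non-decreasing tick count: the TSC on x86, nanoseconds of
 * CLOCK_MONOTONIC elsewhere. The units differ, which is fine for the usual
 * "measure an interval" use; callers must not assume cycles. */
uint64_t portable_ticks(void) {
#if HAVE_RDTSC
    return (uint64_t)__rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

int main(void) {
    uint64_t start = portable_ticks();
    uint64_t end = portable_ticks();
    printf("arch=%s rdtsc=%d delta_ticks=%llu\n",
           build_arch(), uses_rdtsc(), (unsigned long long)(end - start));
    return 0;
}
```

Compiling this with `cc -O0 example.c` succeeds on both an x86_64 host and a Raspberry Pi; the architecture macros select the right path at compile time, so there is no line to comment out by hand.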

@habibi2115 (Author)

Ah, thank you for your response. I have commented out the header file, but the exploit doesn't work then.... When can we expect the writeup of this exploit? @Markakd

@clingfei

I believe that the current exp is impractical on ARM.
On arm64, Linux 5.10, there is no kmalloc-192, so the first free of route4_filter and actions will give their pages back to kmalloc-256. Therefore, when allocating new files, the kernel will use the previously freed route4_filter and corrupt the handle field. Therefore, in the second free, when calling route4_get to get the route4_filter, f->handle will never equal handle, so it only returns NULL. Then in route4_change, fold is NULL, route4_delete_filter_work will not be called, and so the second free will not succeed.
I also noticed that file->oflags overlaps with route4_filter->handle, so maybe there are some tricks that can set handle to zero in the first free. But route4_filter->exts is also corrupted, which will cause an oops in the second free. Therefore the latter exploit will be impossible.
Maybe you have other tricks to bypass it?
