0ctffinal2021-kernote

ameetsaahu

kUAF-0x20 Hardened SLAB, ldt_struct aided to get arb r/w

Jul 10, 2022

85cc4d6 · Jul 10, 2022

Name	Name	Last commit message	Last commit date
parent directory ..
.gitignore	.gitignore	kUAF-0x20 Hardened SLAB, ldt_struct aided to get arb r/w	Jul 10, 2022
auth-exp.c	auth-exp.c	kUAF-0x20 Hardened SLAB, ldt_struct aided to get arb r/w	Jul 10, 2022
bzImage	bzImage	kUAF-0x20 Hardened SLAB, ldt_struct aided to get arb r/w	Jul 10, 2022
compress.sh	compress.sh	kUAF-0x20 Hardened SLAB, ldt_struct aided to get arb r/w	Jul 10, 2022
exploit.c	exploit.c	kUAF-0x20 Hardened SLAB, ldt_struct aided to get arb r/w	Jul 10, 2022
kernote.ko	kernote.ko	kUAF-0x20 Hardened SLAB, ldt_struct aided to get arb r/w	Jul 10, 2022
readme.md	readme.md	kUAF-0x20 Hardened SLAB, ldt_struct aided to get arb r/w	Jul 10, 2022
run.sh	run.sh	kUAF-0x20 Hardened SLAB, ldt_struct aided to get arb r/w	Jul 10, 2022

readme.md

Here are some kernel config options in case you need it

CONFIG_SLAB=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_SLAB_FREELIST_HARDENED=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_STATIC_USERMODEHELPER=y
CONFIG_STATIC_USERMODEHELPER_PATH=""

^-- Given with challenge.

UAF in 0x20 chunk (1st 8 byte write primitve, no read). Use ldt_struct to get leaks, arb. read/write access. A bit of race too?? smap+smep active + Hardened slab

mount ./initramfs.cpio.gz ./fs/

To restrict the process to run on specific CPU

cpu_set_t cpu_set;
CPU_ZERO(&cpu_set);
CPU_SET(0,&cpu_set);
ret=sched_setaffinity(0,sizeof(cpu_set),&cpu_set);

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Files

0ctffinal2021-kernote

0ctffinal2021-kernote

readme.md

Files

0ctffinal2021-kernote

Directory actions

More options

Directory actions

More options

Latest commit

History

0ctffinal2021-kernote

Folders and files

parent directory

readme.md