CVE-2017-11176

Proof of concept for CVE-2017-11176 for code execution.

Vulnerability

The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.

Reference

https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html
https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part2.html
https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part3.html
https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html

Check out these posts, I learned a lot from that.

Limitation

SMAP is disabled
KASLR is disabled
SLAB allocator is exploited
There are a lot of hardcoded address and offset.

Others file

heap.c: this is used to discovery the target cache
*.stp: these files are used for System Tap to debug. Also offset.stap print out the structure offset
gdb.script: gdb script for debugging. This will trigger the breakpoint if RAX is in userspace. Note that we will insert the second breakpoint after we hit the first one in order to avoid performance issue (wake_up is called a lot of times).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

CVE-2017-11176

Vulnerability

Reference

Limitation

Others file

Files

README.md

Latest commit

History

README.md

File metadata and controls

CVE-2017-11176

Vulnerability

Reference

Limitation

Others file