c3r34lk1ll3r/CVE-2017-11176

Code execution for CVE-2017-11176

CVE-2017-11176

Proof of concept for CVE-2017-11176 for code execution.

Vulnerability

The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.

Reference

• https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html
• https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part2.html
• https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part3.html
• https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html

Check out these posts, I learned a lot from that.

Limitation

• SMAP is disabled
• KASLR is disabled
• SLAB allocator is exploited
• There are a lot of hardcoded address and offset.

Others file

• heap.c: this is used to discovery the target cache
• *.stp: these files are used for System Tap to debug. Also offset.stap print out the structure offset
• gdb.script: gdb script for debugging. This will trigger the breakpoint if RAX is in userspace. Note that we will insert the second breakpoint after we hit the first one in order to avoid performance issue (wake_up is called a lot of times).