crusaders-of-rust / cve-2022-0185 Goto Github PK

I am wondering if an aarch exploit is possible using this underflow. exploit_kctf.c and exploit_fuse.c contain inline assembly witch would need to be ported but some other changes might be needed.

Hi,

I am getting issues while doing make fuse or kctf.

make fuse
gcc -no-pie -static exploit_fuse.c fakefuse.c util.c -I./libfuse libfuse3.a -o exploit -masm=intel -pthread exploit_fuse.c: In function ‘modprobe_hax’: exploit_fuse.c:227:5: warning: null argument where non-null required (argument 2) [-Wnonnull] 227 | execve(modprobe_trigger, NULL, NULL); | ^~~~~~ strip exploit
make kctf
gcc -no-pie -static exploit_kctf.c util.c -o exploit -masm=intel -pthread exploit_kctf.c:379:24: warning: return type defaults to ‘int’ [-Wimplicit-int] 379 | __attribute__((naked)) win() | ^~~ exploit_kctf.c: In function ‘main’: exploit_kctf.c:621:25: warning: format ‘%p’ expects argument of type ‘void *’, but argument 2 has type ‘uint64_t’ {aka ‘long unsigned int’} [-Wformat=] 621 | printf("[*] kbase: %p\n", kbase); | ~^ ~~~~~ | | | | | uint64_t {aka long unsigned int} | void * | %ld exploit_kctf.c:640:42: warning: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 2 has type ‘uint64_t’ {aka ‘long unsigned int’} [-Wformat=] 640 | printf("[*] kmalloc 1024 chunk: 0x%llx\n", kmalloc_1024); | ~~~^ ~~~~~~~~~~~~ | | | | | uint64_t {aka long unsigned int} | long long unsigned int | %lx exploit_kctf.c:641:41: warning: format ‘%llx’ expects argument of type ‘long long unsigned int’, but argument 2 has type ‘uint64_t’ {aka ‘long unsigned int’} [-Wformat=] 641 | printf("[*] kmalloc 512 chunk: 0x%llx\n", kmalloc_512); | ~~~^ ~~~~~~~~~~~ | | | | | uint64_t {aka long unsigned int} | long long unsigned int | %lx strip exploit

After getting the exploit with warnings, it is not exploiting the kernel.
Could you please help me with that?

Thanks in advance; looking forward to quick fixes.

Linux c 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

command: make fuse

[*] Exploit success! /bin/bash is SUID now!
[+] Popping shell
-p: /root/.bash_profile: Permission denied

No access to root

Linux version 4.19.91-20211117175159.ff8219c.al7.x86_64 (root@fbba8dd77f8f) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)) #1 SMP Wed Nov 17 09:57:56 UTC 2021

[*] Spraying kmalloc-32 [*] Opening ext4 filesystem fsopen: Remember to unshare