notselwyn / cve-2024-1086

Universal local privilege escalation Proof-of-Concept exploit for CVE-2024-1086, working on most Linux kernels between v5.14 and v6.6, including Debian, Ubuntu, and KernelCTF. The success rate is 99.4% in KernelCTF images.

Home Page: https://pwning.tech/nftables

License: MIT License

Makefile 0.07% C 97.83% Batchfile 2.04% Perl 0.06%
cve exploit lpe poc cve-2024-1086

cve-2024-1086's Introduction

[email protected]:~$ neofetch

                   .~vVeZNgQBBBQQg9Ze1v~.                   
              `^}%B@@@@@@@@@@@@@@@@@@@@@@8%}=`                 [email protected]
           -Lq#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#qr-              -----------------------
        .V0@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@0?.           OS: GNU/Linux
      _l#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#l`         Uptime: 2147483647 seconds
    `o@@@@@@@@v^r}P0@@@@@@@@@@@@@@@@@@@@ghlr<r@@@@@@@#o`       Packages: python3, gcc, node, nasm, 3 others...
   ;0@@@@@@@@0      .?szL?*;!!!!~*|]Vox_      P@@@@@@@@0.      Shell: /bin/zsh
  ?@@@@@@@@@@q                                z@@@@@@@@@#?     Editors: vim, vscode
 :@@@@@@@@@@@Q                                R@@@@@@@@@@@"    Crontab: code, exploit dev, linux src
_g@@@@@@@@@@2-                                `M@@@@@@@@@@0    Home: [email protected]:notselwyn
a@@@@@@@@@@2                                    v@@@@@@@@@@;    
#@@@@@@@@@@_                                     @@@@@@@@@@y   contact information
@@@@@@@@@@@.                                     @@@@@@@@@@%   -------------------
#@@@@@@@@@@r                                    :@@@@@@@@@@s   Website: pwning.tech
W@@@@@@@@@@Q`                                  _0@@@@@@@@@@*   Twitter: notselwyn
~#@@@@@@@@@@9!                                ,Q@@@@@@@@@@#    Github: notselwyn
 ;@@@@@@@@@@@@6^.                          `\p@@@@@@@@@@@@~    
  n@@@@@PlVd@@@@#6Vv~_`              `_!?zd#@@@@@@@@@@@@#n     compiling projects
   2#@@@#hr _Y#@@@@@@@#q`          `X#@@@@@@@@@@@@@@@@@#~      ------------------
    .d@@@@@D` .n6#@@@#V`             Q@@@@@@@@@@@@@@@@d.       CVE-2024-1086 PoC: ~/CVE-2024-1086
      x0@@@@0^   `__-                M@@@@@@@@@@@@@@0=         Other zerodays: ~/exploits
        =p#@@@#%Il]]L1,              M@@@@@@@@@@@#V=           Netkit ORB rootkit: ~/netkit
          `vR#@@@@@@@@?              M@@@@@@@@#Pv`             
              "Lf8@@@@v              q@@@#Qa?:                 
                  -!v|`              _?v!`

cve-2024-1086's People

Contributors: mauke, notselwyn


cve-2024-1086's Issues

Sorry, how to solve it?

@:~/CVE-2024-1086$ ./exploit 
[*] creating user namespace (CLONE_NEWUSER)...
[*] creating network namespace (CLONE_NEWNET)...
[*] setting up UID namespace...
[*] configuring localhost in namespace...
[*] setting up nftables...
[+] running normal privesc
[*] waiting for the calm before the storm...
[*] sending double free buffer packet...
[*] spraying 16000 pte's...
[*] checking 16000 sprayed pte's for overlap...
[-] failed to detect overwritten pte: is more PTE spray needed? pmd: 00000000cafebabe
@:~/CVE-2024-1086$ uname -a
Linux poi 6.5.0-27-generic #28~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 15 10:51:06 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

failed to detect overwritten pte on 5.15.0-101-generic

./exploit
[*] creating user namespace (CLONE_NEWUSER)...
[*] creating network namespace (CLONE_NEWNET)...
[*] setting up UID namespace...
[*] configuring localhost in namespace...
[*] setting up nftables...
[+] running normal privesc
[*] waiting for the calm before the storm...
[*] sending double free buffer packet...
[*] spraying 16000 pte's...
[*] checking 16000 sprayed pte's for overlap...
[-] failed to detect overwritten pte: is more PTE spray needed? pmd: 00000000cafebabe
CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y
CONFIG_USER_NS=y
CONFIG_NF_TABLES=m
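The two reports above both stop at the PTE-overlap check, and the second one lists the kernel config it was run against. Before blaming the spray, it is worth confirming the preconditions the exploit's own log lines reveal: it creates a user namespace (CLONE_NEWUSER) and a network namespace (CLONE_NEWNET), sets up nftables, and the README only claims kernels between v5.14 and v6.6. The script below is an added example written for this page, not code from the notselwyn/cve-2024-1086 repo. It assumes the Debian/Ubuntu sysctl `kernel.unprivileged_userns_clone`, the mainline `user.max_user_namespaces`, and a config at `/boot/config-$(uname -r)`; the function names and the "--run" flag are the example's own. Note that the kernel version check only compares major.minor, so a distribution kernel with backported fixes (the 5.15.0-101 report is an in-range version that still failed) can pass it and remain unexploitable.

```shell
#!/bin/sh
# Added pre-flight check, not code from the notselwyn/cve-2024-1086 repo.
# It tests the preconditions visible in the exploit's own log lines
# (CLONE_NEWUSER, CLONE_NEWNET, nftables) and the README's kernel range
# (v5.14 .. v6.6). Sysctl and config paths are assumptions about
# Debian/Ubuntu layouts; adjust them for other distributions.

# kernel_in_range VERSION
# Returns 0 when VERSION (e.g. "5.15.0-101-generic") falls in v5.14..v6.6,
# 1 otherwise. Only major.minor are compared; suffixes are ignored.
kernel_in_range() {
    case "$1" in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}      # drop any "-rcN" or suffix glued to the minor
    case "$major" in
        5) [ "${minor:-0}" -ge 14 ] ;;
        6) [ "${minor:-0}" -le 6 ] ;;
        *) return 1 ;;
    esac
}

# userns_allowed [CLONE_SYSCTL_FILE] [MAX_USERNS_FILE]
# Returns 0 when unprivileged user namespaces appear to be permitted.
# Debian/Ubuntu expose kernel.unprivileged_userns_clone (1 = allowed). When
# that file is absent (mainline kernels) the default is "allowed", so fall
# back to user.max_user_namespaces, which disables them when set to 0.
# Denying them blocks this PoC at its first step, "creating user namespace".
userns_allowed() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    m=${2:-/proc/sys/user/max_user_namespaces}
    if [ -r "$f" ]; then
        [ "$(cat "$f")" = 1 ]
        return
    fi
    [ ! -r "$m" ] || [ "$(cat "$m")" != 0 ]
}

# config_value CONFIG_FILE KEY
# Prints KEY's value from a kernel config (e.g. /boot/config-$(uname -r)),
# or "n" when the key is absent or commented out.
config_value() {
    v=$(grep "^$2=" "$1" 2>/dev/null | cut -d= -f2)
    printf '%s\n' "${v:-n}"
}

# preflight
# Runs the checks against the live system and prints one line per item:
# the three preconditions plus the two config options the second report
# lists. Exit status 0 means every precondition is present.
preflight() {
    kver=$(uname -r)
    cfg=/boot/config-$kver
    if kernel_in_range "$kver"; then k=yes; else k=no; fi
    if userns_allowed; then u=yes; else u=no; fi
    nft=$(config_value "$cfg" CONFIG_NF_TABLES)
    ioa=$(config_value "$cfg" CONFIG_INIT_ON_ALLOC_DEFAULT_ON)
    printf 'kernel %s in v5.14..v6.6:        %s\n' "$kver" "$k"
    printf 'unprivileged user namespaces:    %s\n' "$u"
    printf 'CONFIG_NF_TABLES:                %s\n' "$nft"
    printf 'CONFIG_INIT_ON_ALLOC_DEFAULT_ON: %s\n' "$ioa"
    [ "$k" = yes ] && [ "$u" = yes ] && [ "$nft" != n ]
}

# Usage: sh preflight.sh --run
if [ "${1:-}" = --run ]; then
    preflight
fi
```

A "no" for user namespaces is also the cheapest mitigation on a host that cannot be rebooted into a fixed kernel yet: with unprivileged user namespaces denied, the exploit never reaches the nftables setup. CONFIG_NF_TABLES=m (a module) still counts as available, because the namespace setup can trigger the module to load.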

Crashing when trying to execute

I downloaded a binary from the release, and when trying to run, it gives me this error message:
[screenshot]

Running on a Debian 12 VM with 6.1 kernel (which is supported by the exploit, as far as I understood):
[screenshot]

What might be the issue?

Crash when trying to replicate

Trying to replicate the exploit in kernel 6.2.0, the terminal prints this and the pc freezes.
Any feedback on what may be wrong?

[screenshot]

failed to detect overwritten

[-] failed to detect overwritten pte: is more PTE spray needed? pmd: 00000000cafebabe

Is it failing? So it's not vulnerable?

Running the exploit causes kernel panic

Kernel panic after running on Ubuntu 22.04 LTS.
nftables and namespaces are setup correctly.
SSH console:
t@localhost:~$ uname -sr

Linux 5.15.0-94-generic

t@localhost:~$ ./exploit
[*] creating user namespace (CLONE_NEWUSER)...
[*] creating network namespace (CLONE_NEWNET)...
[*] setting up UID namespace...
[*] configuring localhost in namespace...
[*] setting up nftables...
[+] running normal privesc
[*] waiting for the calm before the storm...
[*] sending double free buffer packet...
[*] spraying 16000 pte's...

Screen:
[screenshot]

Windows WSL is affected

I wasn't sure how or if you'd like to add this to the README, but I noticed it on my own installation and figured it might be important for others.

PS C:\Windows\system32> wsl --version
...
Kernel version: 5.15.146.1-2

The Ubuntu 22.04 WSL installation on Windows is currently affected by this, and standard Windows update methods don't patch it either.

PS C:\Windows\system32> wsl --update
Checking for updates.
The most recent version of Windows Subsystem for Linux is already installed.

It appears that the only way to patch this is to install the pre-release version of WSL (which itself may have bugs, but it's probably better than having a known root exploit)

PS C:\Windows\system32> wsl --update --pre-release

My kernel now reads this after the pre-release install:

Kernel version: 5.15.150.1-2

Sudo group requirement?

Hello,
We have noticed in your PoC video that the user in question is in the sudo group. If this is a prerequisite, can it be documented please?

Thank you.

Android?

Is it possible for this to run with Android's default kernel configuration? I'm wondering if it could help with rooting

shell session to be started and stopped

Whether it runs in a container or on the host, because you share the host's namespace, this will still cause your privilege-escalated session to be affected by netfilter, which will cause the session in ssh or a reverse shell to keep starting and stopping.

Doesn't work on 5.4.0-164-generic #181-Ubuntu

kernel version: 5.4.0-164-generic #181-Ubuntu

(remote) ahope@nix01:/home/ahope$ ./exploit.1 
[*] creating user namespace (CLONE_NEWUSER)...
[*] creating network namespace (CLONE_NEWNET)...
[*] setting up UID namespace...
[*] configuring localhost in namespace...
[*] setting up nftables...
[+] running normal privesc
[*] waiting for the calm before the storm...
[*] sending double free buffer packet...
[*] spraying 16000 pte's...

[04:50:42] connection reset  
<box was down>

Is nftables insecure?

In the blog post, there is this paragraph: "This allows users to program complex firewall rules, because nftables has many atomic expressions which can be chained together in rules to filter packets. Additionally, it allows chains to be run at different times in the packet processing code (i.e. before routing and after routing) which can be selected when creating a chain using flags like NF_INET_LOCAL_IN and NF_INET_POST_ROUTING. Due to this extremely customizable nature, nftables is known to be incredibly insecure. Hence, many vulnerabilities have been reported and have been fixed already."

Wait, nftables is insecure? I did some research on the internet and I do see more positive views of nftables than not. I'm using Linux and should I basically do a purge on that package?
