yuriicrimson / exploitgsm
Exploit for 6.4 - 6.5 kernels and another exploit for 5.15 - 6.5
License: MIT License
Hey,
with your latest commits, the ExploitGSM6_5 compiles under Ubuntu 22.04 successfully. The exploit was successful with kernel package version 6.5.0-25 on my machine:
begin try leak startup_xen!
startup_xen leaked address -> ffffffffbc6933c0
text leaked address -> ffffffffba000000
lockdep_map_size -> 32
spinlock_t_size -> 4
mutex_size -> 32
tty port -> 376
tty buffhead -> 136
dead -> 524
waiting setconf dlci thread
Wait 3 sec for ending kernel work execution
We get root, spawn shell
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.
root@machine:/root# uname -a
Linux machine 6.5.0-25-generic #25~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Feb 20 16:09:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
The latest kernel package is 6.5.0-27 with the Ubuntu 22.04 HWE version. If you adjust main.c to match kernel package version 6.5.0-27, the exploit can be executed. However, it just fails. Is the exploit limited to the Ubuntu 6.5.0-25 package, and is 6.5.0-27 safe?
Hello, I have multiple Proxmox nodes running on 6.5.13-1-pve, 6.5.13-3-pve and 6.5.13-5-pve.
Am I vulnerable to this exploit?
If you're interested in the process, it is documented in the kernel and you can see it here:
https://lwn.net/ml/linux-kernel/2024021314-unwelcome-shrill-690e@gregkh/
https://github.com/jmpe4x/GSM_Linux_Kernel_LPE_Nday_Exploit/tree/main
This was pushed 3 weeks ago and the exploit is, bar a few lines, identical. The writeup (after translation to English) is also a close copy of https://jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html.
On at least stock Debian 12 and Ubuntu 22/23, the kallsyms table only emits zero address values when called as an unprivileged user. The easiest way to circumvent this is to run the OffsetGenerator as root. Since this needs to be called only once per kernel version (right?), this is not a huge issue - further versions of the PoC will most likely have a larger list of kernels/distros.
I'm not sure if this should be documented though.
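The zeroed-address behaviour described in the comment above is kptr_restrict at work, and it is worth being able to verify it on your own hosts. The following is an added example, not code from the exploitgsm project: it parses kallsyms text and reports whether real addresses are visible to the caller. The sample lines are constructed (the two non-zero addresses are the ones printed in the run log earlier in this thread).

```python
"""Check whether /proc/kallsyms exposes real symbol addresses to the current user."""
import os
import re

# Each kallsyms line is "<address> <type> <name>[\t[module]]".
_LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")


def parse_kallsyms(text):
    """Return (address, type, name, module) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            addr, sym_type, name, module = m.groups()
            entries.append((int(addr, 16), sym_type, name, module))
    return entries


def kallsyms_exposed(text):
    """True if any symbol has a non-zero address, i.e. the table leaks to this reader."""
    return any(addr != 0 for addr, _, _, _ in parse_kallsyms(text))


def check_system(path="/proc/kallsyms", restrict_path="/proc/sys/kernel/kptr_restrict"):
    """Read the live files and summarise exposure for the calling user."""
    with open(path) as f:
        exposed = kallsyms_exposed(f.read())
    try:
        with open(restrict_path) as f:
            restrict = int(f.read().strip())
    except OSError:
        restrict = None  # sysctl not readable; report what we could observe
    return {"uid": os.geteuid(), "kptr_restrict": restrict, "exposed": exposed}


# Constructed sample text (not captured from a real system) for the two cases.
RESTRICTED_SAMPLE = (
    "0000000000000000 T startup_xen\n"
    "0000000000000000 T _text\n"
    "0000000000000000 t gsmld_open\t[n_gsm]\n"
)
UNRESTRICTED_SAMPLE = (
    "ffffffffbc6933c0 T startup_xen\n"
    "ffffffffba000000 T _text\n"
)

if __name__ == "__main__":
    print(check_system())
```

Run it once as an unprivileged user and once as root: with kptr_restrict=1 the first run should report exposed=False and the second exposed=True.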
Dear repository owner,
I am the original author and owner of the Linux system remote code execution (RCE) vulnerability that has been publicly disclosed in this repository without my consent or knowledge, and I hereby write to you.
This unauthorized disclosure not only infringes my rights as the original author, but also poses a significant threat to the security of Linux systems worldwide. I demand that you immediately delete this repository and any related forks.
Furthermore, I insist that you turn yourself in to the Beijing authorities for this serious breach of security and infringement of intellectual property. Failure to comply with this demand will result in serious legal consequences.
I hope you will cooperate on this matter immediately.
It especially doesn't like the #defines on lines 154-156 and refuses to compile with them.
error during make.
error: field ‘config’ has incomplete type
228 | struct gsm_dlci_config config;
| ^~~~~~
In file included from /usr/include/x86_64-linux-gnu/asm/ioctl.h:1,
from /usr/include/linux/ioctl.h:5,
from /usr/include/linux/gsmmux.h:6,
from /home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:7:
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c: In function ‘thread_setconf_dlci’:
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:54:46: error: invalid application of ‘sizeof’ to incomplete type ‘struct gsm_dlci_config’
54 | #define GSMIOC_SETCONF_DLCI _IOW('G', 8, struct gsm_dlci_config)
| ^~~~~~
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:1137:42: note: in expansion of macro ‘GSMIOC_SETCONF_DLCI’
1137 | args->retval = ioctl(args->fd_input, GSMIOC_SETCONF_DLCI, &args->config);
| ^~~~~~~~~~~~~~~~~~~
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c: In function ‘thread_getconf_dlci’:
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:53:47: error: invalid application of ‘sizeof’ to incomplete type ‘struct gsm_dlci_config’
53 | #define GSMIOC_GETCONF_DLCI _IOWR('G', 7, struct gsm_dlci_config)
| ^~~~~~
/home/kronosplay/Desktop/ExploitGSM/ExploitGSM_6_5/main.c:1146:42: note: in expansion of macro ‘GSMIOC_GETCONF_DLCI’
1146 | args->retval = ioctl(args->fd_input, GSMIOC_GETCONF_DLCI, &args->config);
| ^~~~~~~~~~~~~~~~~~~
gmake[2]: *** [CMakeFiles/ExploitGSM.dir/build.make:76: CMakeFiles/ExploitGSM.dir/main.c.o] Error 1
gmake[1]: *** [CMakeFiles/Makefile2:83: CMakeFiles/ExploitGSM.dir/all] Error 2