# CVE-2017-11176
Proof of concept for code execution via CVE-2017-11176.
## Vulnerability
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock pointer to NULL upon entry into the retry logic. During a user-space close of a Netlink socket, it allows attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact.
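To make the missing reset concrete, here is an added user-space model of the reference counting around the retry loop (example code, not part of this PoC): netlink_attachskb drops its own reference before returning 1, so when the retried fdget() fails because the fd was closed, the out: label drops the socket's reference a second time, and the upstream fix simply clears sock before goto retry. struct sock, getsock, attachskb and the fd_valid/congested arrays are stand-ins for the kernel types and calls, not kernel code.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical stand-in for the kernel's struct sock: only the refcount matters here. */
struct sock { int refcnt; };
/* netlink_getsockbyfilp(): resolve the fd to its socket and take a reference */
static struct sock *getsock(struct sock *sk) { sk->refcnt++; return sk; }
static void sock_put(struct sock *sk) { sk->refcnt--; }      /* 0 == freed */
/* netlink_attachskb(): a congested receive queue makes it sleep, drop its own
 * reference and return 1, asking the caller to restart from fdget(). */
static int attachskb(struct sock *sk, bool congested) {
    if (congested) { sock_put(sk); return 1; }
    return 0;
}

/* SIGEV_THREAD path of mq_notify. fd_valid[i] and congested[i] describe
 * attempt i. 'patched' applies the upstream one-line fix (sock = NULL before
 * goto retry) so the out: label cannot drop a reference attachskb already dropped. */
static int mq_notify_model(struct sock *sk, const bool *fd_valid,
                           const bool *congested, bool patched) {
    struct sock *sock = NULL;
    int attempt = 0, ret;
retry:
    if (!fd_valid[attempt]) { ret = -EBADF; goto out; }
    sock = getsock(sk);
    ret = attachskb(sock, congested[attempt++]);
    if (ret == 1) {
        if (patched) sock = NULL;
        goto retry;
    }
    sock = NULL;                   /* success: the reference now belongs to the queue */
out:
    if (sock) sock_put(sock);      /* netlink_detachskb() */
    return ret;
}

/* The race the CVE describes: attempt 0 is congested (reference dropped, retry
 * requested) and the fd is closed before attempt 1, so fdget() fails. */
static int refs_left_after_race(bool patched) {
    struct sock sk = { .refcnt = 1 };          /* held by the still-open socket file */
    const bool fd_valid[] = { true, false }, congested[] = { true, false };
    mq_notify_model(&sk, fd_valid, congested, patched);
    return sk.refcnt;                          /* 0 means freed out from under the file */
}

int main(void) {
    printf("unpatched: %d ref(s) left, patched: %d ref(s) left\n",
           refs_left_after_race(false), refs_left_after_race(true));
    return 0;
}
```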
## Reference
- [https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html](https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html)
- [https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part2.html](https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part2.html)
- [https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part3.html](https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part3.html)
- [https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html](https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html)
Check out these posts; I learned a lot from them.
## Limitation
- `SMAP` is disabled
- `KASLR` is disabled
- The `SLAB` allocator is targeted
- There are a lot of hardcoded addresses and offsets.
## Other files
- `heap.c`: used to discover the target cache
- `*.stp`: `SystemTap` scripts used for debugging. `offset.stap` also prints out the structure offsets
- `gdb.script`: `gdb` script for debugging. It triggers the breakpoint only if `RAX` is in userspace. Note that the second breakpoint is inserted after the first one is hit, in order to avoid performance issues (`wake_up` is called a lot of times).
```text
[4.0K] /data/pocs/3637592a186fc6890944671a2ea39aa79248abc0
├── [2.2K] const.h
├── [3.4K] exp_stap.stp
├── [ 115] gdb.script
├── [ 419] heap.c
├── [ 34K] LICENSE
├── [ 28K] main.c
├── [ 179] Makefile
├── [7.3K] my_stap.stp
├── [1.1K] offset.stap
└── [1.6K] README.md
0 directories, 10 files
```