Related vulnerability
Title:
Linux kernel resource management error vulnerability
(CVE-2024-1086)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (United States). The Linux kernel contains a security vulnerability that stems from a use-after-free in the netfilter: nf_tables component; the nf_hook_slow() function can lead to a double free, which an attacker can use to achieve local privilege escalation.
Description
Educational, non-functional Linux kernel exploit template for CVE-2024-1086 — lab-only security research and teaching (use in controlled VMs only).
Introduction
# 🔒 CVE-2024-1086 Exploit Project
**🛡️ Polished educational Linux kernel exploit for security research**
This project provides a robust, non-functional template for studying CVE-2024-1086, a use-after-free vulnerability in the Linux kernel's `netfilter: nf_tables` component, enabling local privilege escalation. Designed for security researchers and students, it combines a C exploit template with an enhanced Java wrapper for reliable diagnostics, configuration, and execution, intended for use in a **controlled lab environment only** (e.g., a VM with a vulnerable kernel).
**⚠️ Warning**: The C code is non-functional, using placeholder values, and requires significant modification to work. Unauthorized use on production systems or without permission is illegal and unethical. Use responsibly to advance kernel security knowledge.
## 🔍 Key Features
- **🧠 Robust System Diagnostics**: Comprehensive checks for kernel version, user namespaces, and `nf_tables` module
- **📜 Flexible Configuration**: JSON-based settings for exploit parameters, log levels, and timeouts
- **📝 Enhanced Logging**: Timestamped, verbose logs to file and console for detailed analysis
- **💻 Intuitive CLI**: Supports `--check`, `--run`, `--dry-run`, `--payload`, and `--config` options
- **🔐 Safe Exploit Template**: Non-functional C code for secure educational study of `nf_tables` exploits
- **🔗 Reliable Integration**: Seamless Java-C interaction with timeout handling and error recovery
- **🧪 Test Suite**: Includes Java and C tests for validation in lab environments
- **🛡️ Ethical Design**: Strict lab-only restrictions and ethical guidelines
## 🏰 Architecture Overview
```
┌─────────────────────┐    ┌─────────────────────┐    ┌──────────────────────┐
│ 🔍 Java Diagnostics │───▶│ 💻 Exploit Runner   │───▶│ 🔐 C Exploit Template│
└─────────────────────┘    └─────────────────────┘    └──────────────────────┘
          │                          │                          │
          ▼                          ▼                          ▼
┌─────────────────────┐    ┌─────────────────────┐    ┌──────────────────────┐
│ 🔒 System Validation│───▶│ 📝 Logging Engine   │───▶│ 🛡️ Kernel Netlink    │
└─────────────────────┘    └─────────────────────┘    └──────────────────────┘
          │                          │
          ▼                          ▼
┌─────────────────────┐    ┌─────────────────────┐
│ 🧪 Test Suite       │    │ 📜 Config Management│
└─────────────────────┘    └─────────────────────┘
```
The project integrates a Java wrapper for secure diagnostics, logging, and configuration with a C exploit template simulating kernel interaction via Netlink sockets, supported by a test suite for validation.
## 💻 Quick Start
### Prerequisites
Ensure you have the following tools installed:
- **🔧 GCC** (version 9.0+, `sudo apt install build-essential`)
- **☕ Java Development Kit (JDK)** (version 11+, `sudo apt install openjdk-11-jdk`)
- **🛠️ Make** (for building C code)
- **📜 JSON Library**: `org.json:json:20230227` (via Maven or JAR)
- **📦 Apache Commons CLI**: `commons-cli:commons-cli:1.5.0` (via Maven or JAR)
- **🧪 JUnit** (version 5.8+, for testing)
- **🌐 Git** (for version control)
**Operating System:**
- Linux (e.g., Ubuntu 22.04) or Android with a vulnerable kernel: 5.14 to 6.6 without the fix, i.e. older than 5.15.148, 6.1.76 or 6.6.15 on the respective stable branches
- Unprivileged user namespaces enabled (`CONFIG_USER_NS=y`)
- `nf_tables` module enabled (`CONFIG_NF_TABLES=y`)
**Lab Environment:**
- VirtualBox/VMware VM with Ubuntu 22.04 (kernel 5.15.x < 5.15.148)
- Android emulator with a vulnerable kernel
### Installation
1. **Clone the Repository**
```bash
git clone https://github.com/karim4353/CVE-2024-1086-Exploit.git
cd CVE-2024-1086-Exploit
```
2. **Install Dependencies**
```bash
sudo apt update
sudo apt install build-essential openjdk-11-jdk
# Download libraries or add to Maven
wget https://repo1.maven.org/maven2/org/json/json/20230227/json-20230227.jar
wget https://repo1.maven.org/maven2/commons-cli/commons-cli/1.5.0/commons-cli-1.5.0.jar
```
3. **Build the C Exploit**
```bash
make
```
4. **Run the Java Wrapper**
```bash
javac -cp ".:json-20230227.jar:commons-cli-1.5.0.jar" -d . src/main/java/com/example/cve20241086/ExploitRunner.java
java -cp ".:json-20230227.jar:commons-cli-1.5.0.jar" com.example.cve20241086.ExploitRunner --run
```
Options: `--check`, `--run`, `--dry-run`, `--payload <path>`, `--config <file>`, `--help`
5. **Run Tests**
```bash
./tests/run_tests.sh
```
For detailed setup, see [Setup Guide](https://github.com/karim4353/CVE-2024-1086-Exploit/wiki/Setup).
## 📂 Project Structure
```
CVE-2024-1086-Exploit/
├── src/
│   ├── main/
│   │   ├── c/
│   │   │   └── exploit.c                      # 🔐 C exploit template
│   │   ├── java/
│   │   │   └── com/example/cve20241086/
│   │   │       └── ExploitRunner.java         # 🔍 Java wrapper
│   │   └── resources/
│   │       └── config.json                    # 📜 Exploit configuration
│   └── test/
│       ├── c/
│       │   └── test_exploit.c                 # 🧪 C test cases
│       └── java/
│           └── com/example/cve20241086/
│               └── ExploitRunnerTest.java     # 🧪 Java test cases
├── Makefile                                   # 🛠️ Build script
├── README.md                                  # 📝 This file
├── CONTRIBUTING.md                            # 🤝 Contribution guidelines
├── LICENSE                                    # 📄 MIT license
└── tests/
    └── run_tests.sh                           # 🧪 Test runner script
```
## 🔬 Testing
Test the project in a secure lab environment:
```bash
# Check system vulnerability
java -cp ".:json-20230227.jar:commons-cli-1.5.0.jar" com.example.cve20241086.ExploitRunner --check
# Run exploit (non-functional)
java -cp ".:json-20230227.jar:commons-cli-1.5.0.jar" com.example.cve20241086.ExploitRunner --run
# Run tests
./tests/run_tests.sh
# Clean build artifacts
make clean
```
## 🤝 Contributing
We welcome contributions to enhance this educational project! See [Contributing Guidelines](CONTRIBUTING.md) for details on:
- Code style and standards
- Testing requirements
- Pull request process
- Ethical guidelines
## 📚 Documentation
- [Architecture Overview](https://github.com/karim4353/CVE-2024-1086-Exploit/wiki/Architecture) - System design
- [Setup Guide](https://github.com/karim4353/CVE-2024-1086-Exploit/wiki/Setup) - Installation and configuration
- [Contributing Guide](CONTRIBUTING.md) - How to contribute
- [FAQ](https://github.com/karim4353/CVE-2024-1086-Exploit/wiki/FAQ) - Common issues and solutions
## 🔑 Use Cases
- **🔍 Kernel Exploit Research**: Study use-after-free vulnerabilities in `nf_tables`
- **🧑‍🎓 Security Education**: Teach Linux kernel security and exploit development
- **🛡️ Penetration Testing Labs**: Simulate privilege escalation in controlled environments
- **🔐 System Hardening**: Test mitigations like KASLR, SELinux, and namespace restrictions
## 🏆 Performance Benchmarks
- **🔍 System Check Latency**: <300ms for kernel and module checks
- **💻 Exploit Execution**: <1s for non-functional template (real PoC ~3-5s)
- **📊 Memory Footprint**: <10MB RAM for Java wrapper, <1MB for C exploit
- **📝 Log Output**: <50ms write time to `exploit_log.txt`
## 🔧 System Requirements
| Component | Minimum | Recommended |
|-----------|---------|-------------|
| Kernel Version | 5.14 | 5.15.x < 5.15.148 |
| RAM | 512MB | 1GB+ |
| CPU | 1GHz | 2GHz+ |
| Disk Space | 100MB | 500MB+ |
| Java Version | JDK 11 | JDK 17 |
## 🛠️ Configuration
Configure via `src/main/resources/config.json`:
```json
{
"exploitBinary": "./exploit",
"targetKernel": "5.15",
"payloadPath": "/tmp/payload.sh",
"logLevel": "DEBUG",
"timeoutSeconds": "30"
}
```
See [Configuration Guide](https://github.com/karim4353/CVE-2024-1086-Exploit/wiki/Configuration).
## 🐞 Troubleshooting
**Common Issues:**
- **🔧 Build Failures**: Verify GCC/JDK versions; run `make clean && make`.
- **⚠️ Exploit Fails**: Ensure `sysctl -w kernel.unprivileged_userns_clone=1` and `lsmod | grep nf_tables`.
- **☕ Java Errors**: Check `json-20230227.jar` and `commons-cli-1.5.0.jar` in classpath.
- **🔐 Permission Issues**: Run as non-root with namespace access.
See [FAQ](https://github.com/karim4353/CVE-2024-1086-Exploit/wiki/FAQ) or [open an issue](https://github.com/karim4353/CVE-2024-1086-Exploit/issues).
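The kernel ranges in Prerequisites and the `sysctl`/`lsmod` checks in Troubleshooting are the facts a defender needs to decide whether a host is exposed. The following POSIX shell script is an added example written from that defensive angle; it is not part of the karim4353 repository or its `--check` option. It classifies a `uname -r` string against the version boundaries this README states (affected 5.14 to 6.6, fixed in 5.15.148, 6.1.76, 6.6.15) and reports whether the two conditions the exploit path relies on, a loaded `nf_tables` module and unprivileged user namespaces, are present. Function names and the `unknown-branch`/`outside-range` labels are my own.

```shell
#!/bin/sh
# Added defender-side exposure check for CVE-2024-1086 (example code, not the
# project's). Version boundaries are the ones stated in the README above.

# Split a kernel release string such as "5.15.147-generic" into numeric
# major/minor/patch parts; missing parts default to 0, suffixes are dropped.
parse_kver() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0
    patch=${patch%%.*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
}

# Print one of: affected | patched | unknown-branch | outside-range
#   affected       stable branch with a known fix, running an older release
#   patched        stable branch at or beyond the fix release
#   unknown-branch inside the README's 5.14..6.6 range but no fix release
#                  is listed for that branch; verify against distro advisories
#   outside-range  below 5.14 or above 6.6 according to the README's range
cve_2024_1086_status() {
    parse_kver "$1"
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 14 ]; }; then
        echo outside-range; return
    fi
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -gt 6 ]; }; then
        echo outside-range; return
    fi
    case "$major.$minor" in
        5.15) fix=148 ;;
        6.1)  fix=76 ;;
        6.6)  fix=15 ;;
        *)    echo unknown-branch; return ;;
    esac
    # Caveat: distributions backport fixes without bumping the patch level
    # (e.g. Debian "6.1.0-18-amd64"), so "affected" here means "check the
    # vendor advisory", not "confirmed vulnerable".
    if [ "$patch" -lt "$fix" ]; then echo affected; else echo patched; fi
}

# Report the version verdict plus the two preconditions the README's
# Troubleshooting section names: nf_tables loaded, unprivileged userns allowed.
report() {
    kver=$1
    printf 'kernel %s: %s\n' "$kver" "$(cve_2024_1086_status "$kver")"
    if [ -d /sys/module/nf_tables ]; then
        echo "nf_tables: loaded (reachable by unprivileged users only via user namespaces)"
    else
        echo "nf_tables: not loaded"
    fi
    # Debian/Ubuntu-specific knob named in the README; 0 means disabled.
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        echo "kernel.unprivileged_userns_clone = $(cat /proc/sys/kernel/unprivileged_userns_clone)"
    fi
    # Upstream knob; 0 prevents creation of new user namespaces entirely.
    if [ -r /proc/sys/user/max_user_namespaces ]; then
        echo "user.max_user_namespaces = $(cat /proc/sys/user/max_user_namespaces)"
    fi
}

report "${1:-$(uname -r 2>/dev/null || echo unknown)}"
```

Run it with no arguments to assess the current host, or pass a release string (`./check.sh 5.15.147-generic`) to classify a version offline. On hosts that report `affected` or `unknown-branch`, the README's own mitigation list applies: update the kernel, and until then keep `kernel.unprivileged_userns_clone` at 0 (or `user.max_user_namespaces` at 0) so unprivileged processes cannot reach `nf_tables` configuration, and prevent the module from loading where the host does not use nftables.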
## 📄 License
Licensed under the MIT License - see [LICENSE](LICENSE).
## 🙏 Acknowledgments
- **Notselwyn** for the original CVE-2024-1086 PoC
- **CrowdStrike** and **NSFOCUS** for vulnerability analysis
- **Linux Kernel Community** for patch development
- **Open-Source Security Community** for educational resources
## 📞 Support
- **📚 Documentation**: [Project Wiki](https://github.com/karim4353/CVE-2024-1086-Exploit/wiki)
- **🐞 Issues**: [GitHub Issues](https://github.com/karim4353/CVE-2024-1086-Exploit/issues)
- **💬 Discussions**: [GitHub Discussions](https://github.com/karim4353/CVE-2024-1086-Exploit/discussions)
---
*🛡️ Built with ❤️ for the security research community*
File snapshot
```
[4.0K] /data/pocs/ccebd4ca92e986bc8bc0b5ccc258b54d381bd877
├── [4.7K] CONTRIBUTING.md
├── [1.0K] LICENSE
├── [ 297] Makefile
├── [ 10K] README.md
├── [4.0K] src
│   ├── [4.0K] main
│   │   ├── [4.0K] c
│   │   │   └── [4.8K] exploit.c
│   │   ├── [4.0K] java
│   │   │   └── [4.0K] com
│   │   │       └── [4.0K] example
│   │   │           └── [4.0K] cve20241086
│   │   │               └── [ 13K] ExploitRunner.java
│   │   └── [4.0K] resources
│   │       └── [ 145] config.json
│   └── [4.0K] test
│       ├── [4.0K] c
│       │   └── [1.3K] test_exploit.c
│       └── [4.0K] java
│           └── [4.0K] com
│               └── [4.0K] example
│                   └── [4.0K] cve20241086
│                       └── [1.4K] ExploitRunnerTest.java
└── [4.0K] tests
    └── [ 711] run_tests.sh

15 directories, 10 files
```
Notes
1. It is recommended to access the code through the original source first.
2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.