CVE-2022-2588

Changes for ARM

Open habibi2115 opened this issue 2 years ago • 5 comments

Hi, I am testing this PoC on ARM, but the exploit was unable to find the overlap id, so changes are required to make it run on ARM (Pi).

habibi2115 avatar Oct 04 '22 11:10 habibi2115

You might need to adjust the value of middle and end variables in line 846.

Markakd avatar Oct 04 '22 18:10 Markakd

I am getting this error while compiling for ARM. What is the best possible solution?

ubuntu@ubuntu:~$ make
cc -O0 exp_file_credential.c -lpthread -o exp_file_credential
exp_file_credential.c:59:10: fatal error: x86intrin.h: No such file or directory
   59 | #include <x86intrin.h>
      |          ^~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:2: file] Error 1

habibi2115 avatar Oct 11 '22 07:10 habibi2115

Your compiler tries to load the file x86intrin.h which, as the name suggests, is a file specific to x86 systems. Maybe you can try to comment out the line #include <x86intrin.h> like this:

// #include <x86intrin.h>

However, I can't guarantee this will work. Good luck ;)

teccheck avatar Oct 13 '22 14:10 teccheck

Ah, thank you for your response. I have commented out the header file, but the exploit doesn't work then.... When can we expect the writeup of this exploit? @Markakd

habibi2115 avatar Oct 14 '22 06:10 habibi2115

I believe that the current exp is impractical on ARM. On arm64, Linux 5.10, there is no kmalloc-192, so the first free of route4_filter and actions will give their pages back to kmalloc-256. Therefore, when allocating new files, it will use the previously freed route4_filter and corrupt the handle field. So, in the second free, when calling route4_get to get the route4_filter, f->handle will never equal handle, and it only returns NULL. Then in route4_change, fold is NULL, route4_delete_filter_work will not be called, and so the second free will not succeed. I also noticed that file->oflags overlaps with route4_filter->handle, so maybe there are some tricks that can set handle to zero in the first free. But route4_filter->exts is also corrupted, which will cause an oops in the second free. Therefore the latter exploit will be impossible. Maybe you have other tricks to bypass it?

clingfei avatar Mar 28 '24 09:03 clingfei