cve-2017-11176

Exploit failed

Open myscTZY opened this issue 7 years ago • 2 comments

Hello, lexfo. I'm reading your blog, step-by-step 1/4. When I executed the exploit compiled from cve-2017-11176.c, it output:

...
[-] magic PID does not match!
[-] failed to check realloc success status!
[-] reallocation failed!
[-] exploit failed!
[ ] press key to continue

I'm sure that I have followed the blog step-by-step 1/4 and that the SLAB/SMEP/SMAP/KASLR status is suitable. I'm confused about why it failed; can you give me some suggestions? Thank you.

myscTZY avatar Oct 15 '18 07:10 myscTZY

Hi,

As the output message states, the reallocation and more specifically the "reallocation checker" has failed.

There are three reasons why it could have failed:

  1. Your NLK_PID_OFFSET and/or NLK_GROUPS_OFFSET are wrong (this is very target specific, so don't expect them to be the same as ours), and so the reallocation checker will fail.
  2. The "struct netlink_sock" is not in the "kmalloc-1024" cache; in that case you need to edit the KMALLOC_TARGET value (and other related code) accordingly. It can be in "kmalloc-512" or "kmalloc-2048".
  3. The re-allocation actually failed because another thread stole it. You can't do much here. You can try to increase NB_REALLOC_THREADS and see if it improves the success rate. This is the most "critical path" in the exploit and where it can fail. You should have a comfortable >95% success rate though.

If you are running the exploit on a virtual machine with almost no activity, there is a low probability that you lose the reallocation race (i.e. 3).

So, chances are that there is something wrong with either 1. or 2.

First, make sure that you know the right kmemcache (2), then completely fill the reallocation buffer with "0xAA" and edit the reallocation checker to see if you see those "0xAA". Once you get that, get the correct offsets so that 1. works.

All of this is covered in details in part 3/4.

Good luck!

lexfouser avatar Oct 18 '18 09:10 lexfouser
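As an added illustration of the debugging steps the reply above describes (this is not code from the lexfo exploit or the blog): a user-space model of a reallocation checker. A plain buffer stands in for the reallocated kmalloc-1024 slot; the model first verifies that a 0xAA fill comes back intact (the reallocation itself worked, i.e. reasons 2 and 3 are ruled out), then plants a distinctive 32-bit value and locates it to derive an offset such as NLK_PID_OFFSET before running the "magic PID" comparison. The offset 0x2a8, the magic value 0x1337 and the read-back buffer are all constructed assumptions for the model; the kmalloc size-class table is the default x86_64 SLUB/SLAB one and is assumed, so check the real sizeof(struct netlink_sock) and /proc/slabinfo on the target.

```c
/* Model of the two debugging checks described in the reply above.
 * Added user-space illustration, not the lexfo exploit code: the "object"
 * is a plain buffer standing in for the reallocated struct netlink_sock
 * slot, and every offset used here is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define KMALLOC_TARGET 1024      /* assumed cache size for struct netlink_sock */
#define FILL_BYTE      0xAA      /* fill pattern for the reallocation payload */

/* Default generic kmalloc size classes (x86_64 SLUB/SLAB defaults, assumed).
 * Feed it the real sizeof(struct netlink_sock) of the target kernel to learn
 * which cache the freed object lives in (reason 2 in the reply).
 * Returns 0 for objects larger than the generic caches listed here. */
size_t kmalloc_cache_for(size_t obj_size)
{
    static const size_t classes[] = { 8, 16, 32, 64, 96, 128, 192, 256,
                                      512, 1024, 2048, 4096, 8192 };
    for (size_t i = 0; i < sizeof(classes) / sizeof(classes[0]); i++)
        if (obj_size <= classes[i])
            return classes[i];
    return 0;
}

/* Debug step 1: does the whole object read back as the fill pattern?
 * 1 means the reallocation payload landed in the freed slot; 0 means the
 * slot was not reallocated by us (wrong cache, or the race was lost). */
int realloc_pattern_ok(const uint8_t *obj, size_t len, uint8_t pattern)
{
    for (size_t i = 0; i < len; i++)
        if (obj[i] != pattern)
            return 0;
    return 1;
}

/* Debug step 2: once the pattern check passes, plant a distinctive 32-bit
 * value in the payload and find where it lands to derive an offset such as
 * NLK_PID_OFFSET. Scans 4-byte aligned positions; returns -1 if absent. */
long find_u32_offset(const uint8_t *obj, size_t len, uint32_t magic)
{
    for (size_t off = 0; off + sizeof(uint32_t) <= len; off += sizeof(uint32_t)) {
        uint32_t v;
        memcpy(&v, obj + off, sizeof v);
        if (v == magic)
            return (long)off;
    }
    return -1;
}

/* The check the exploit performs once offsets are known ("magic PID"). */
int magic_pid_matches(const uint8_t *obj, size_t len, size_t pid_off, uint32_t magic_pid)
{
    uint32_t v;
    if (pid_off + sizeof v > len)
        return 0;
    memcpy(&v, obj + pid_off, sizeof v);
    return v == magic_pid;
}

/* Constructed stand-in for the reallocated object: fill pattern everywhere,
 * then a magic PID at a hypothetical offset. */
void build_payload(uint8_t *obj, size_t len, size_t pid_off, uint32_t magic_pid)
{
    memset(obj, FILL_BYTE, len);
    if (pid_off + sizeof magic_pid <= len)
        memcpy(obj + pid_off, &magic_pid, sizeof magic_pid);
}

/* Walk the three scenarios from the reply on constructed data. Returns a bit
 * mask of which expectations held (7 == all three). */
int run_realloc_model(void)
{
    uint8_t obj[KMALLOC_TARGET];
    int ok = 0;
    const size_t hyp_pid_off = 0x2a8;   /* hypothetical, target-specific */
    const uint32_t magic_pid = 0x1337;  /* hypothetical magic value */

    /* Lost race / wrong cache: the slot still holds someone else's data. */
    memset(obj, 0, sizeof obj);
    if (!realloc_pattern_ok(obj, sizeof obj, FILL_BYTE))
        ok |= 1;

    /* Reallocation worked: the pattern comes back untouched. */
    memset(obj, FILL_BYTE, sizeof obj);
    if (realloc_pattern_ok(obj, sizeof obj, FILL_BYTE))
        ok |= 2;

    /* Offset derived from the planted magic, then used by the PID check. */
    build_payload(obj, sizeof obj, hyp_pid_off, magic_pid);
    if (find_u32_offset(obj, sizeof obj, magic_pid) == (long)hyp_pid_off
        && magic_pid_matches(obj, sizeof obj, hyp_pid_off, magic_pid)
        && !magic_pid_matches(obj, sizeof obj, hyp_pid_off + 4, magic_pid))
        ok |= 4;
    return ok;
}

int main(void)
{
    printf("object of 1000 bytes -> kmalloc-%zu\n", kmalloc_cache_for(1000));
    printf("realloc model result mask: %d (7 = all checks behaved)\n", run_realloc_model());
    return run_realloc_model() == 7 ? 0 : 1;
}
```

The order matters: a failing pattern check with the right cache size points at the race (reason 3), a failing pattern check with a size that maps to a different class points at KMALLOC_TARGET (reason 2), and only once the pattern comes back intact is a "magic PID does not match" message evidence that the offsets (reason 1) are wrong.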

I'm sorry it's taken me so long to get back to you. Thanks for your help. Based on your hints, I have attempted to modify cve-2017-11176.c several times, and the exploit failed. After I finish something, I'll read and study 2/4, 3/4 and 4/4. Have a nice day!

myscTZY avatar Nov 12 '18 07:11 myscTZY