
nullderef exploit does not work on my Qemu VM #1

Closed
mudongliang opened this issue Sep 16, 2020 · 3 comments


@mudongliang

The UAF exploit is successfully launched on my Qemu VM and I see the uid changes to 0.

But for the second exploit, after applying the trick at [1], the NULL memory area is still not writable and a segmentation fault occurs.

drill@syzkaller:~$ ./drill_exploit_nullderef 
begin as: uid=1000, euid=1000
payload address: 0x55b911775349
[+] /proc/$PPID/maps:
00010000-00011000 rw-p 00000000 00:00 0 
Segmentation fault

My configuration

Kernel version: 5.8.9
Command line: pti=off oops=panic ftrace_dump_on_oops nokaslr
Normal user: uid=1000, euid=1000

If you need any more information, please let me know.
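The maps line quoted above starts at 0x10000 (65536), which is the usual distro value of the vm.mmap_min_addr sysctl: the kernel refuses to let an unprivileged process map anything below that floor, so a NULL-page write faults instead of landing in attacker-controlled memory. The following script is an added example (not part of this issue or the drill repository) that a defender can run to confirm the floor is set and to scan /proc/<pid>/maps for any mapping that starts below it. The sample maps text is constructed here; the first line is the one from the issue, the binary path and the 0x0 mapping are made up for the test.

```python
"""Check that vm.mmap_min_addr is enforced and that no process has a
mapping below it.  Added example, not code from the issue thread."""
import glob

# Constructed sample /proc/<pid>/maps contents.  The first line is the one
# quoted in the issue; the second (binary path) is invented for the example.
SAMPLE_MAPS = """\
00010000-00011000 rw-p 00000000 00:00 0
55b911700000-55b911776000 r-xp 00000000 08:01 1234 /home/drill/drill_exploit_nullderef
"""

# Constructed sample showing what a successful NULL-page mapping would look
# like: a region starting at address 0, which a hardened kernel never allows.
SAMPLE_MAPS_LOW = """\
00000000-00001000 rw-p 00000000 00:00 0
00010000-00011000 rw-p 00000000 00:00 0
"""

DEFAULT_MMAP_MIN_ADDR = 65536  # 0x10000, the common distro default


def read_mmap_min_addr(path="/proc/sys/vm/mmap_min_addr"):
    """Return the kernel's mapping floor, or the default if it cannot be read."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_MMAP_MIN_ADDR


def parse_maps(text):
    """Yield (start, end, perms, pathname) for each /proc/<pid>/maps line."""
    for line in text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 5:
            continue  # blank or malformed line
        start_s, end_s = fields[0].split("-")
        pathname = fields[5] if len(fields) == 6 else ""
        yield int(start_s, 16), int(end_s, 16), fields[1], pathname


def low_mappings(text, min_addr):
    """Return mappings whose start lies below min_addr (should be empty)."""
    return [(s, e, p, n) for s, e, p, n in parse_maps(text) if s < min_addr]


def scan_all_processes(min_addr):
    """Scan every readable /proc/<pid>/maps; return {pid: [low mappings]}."""
    findings = {}
    for maps_path in glob.glob("/proc/[0-9]*/maps"):
        pid = int(maps_path.split("/")[2])
        try:
            with open(maps_path) as f:
                text = f.read()
        except OSError:
            continue  # no permission, or the process has exited
        hits = low_mappings(text, min_addr)
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    floor = read_mmap_min_addr()
    print(f"vm.mmap_min_addr = {floor:#x}")
    if floor == 0:
        print("[!] mmap_min_addr is 0: any process may map the null page")
    for pid, hits in scan_all_processes(floor).items():
        for start, end, perms, name in hits:
            print(f"[!] pid {pid}: {start:#x}-{end:#x} {perms} {name}")
```

Run as an unprivileged user it only sees its own processes; as root it covers the whole system. A non-zero floor plus an empty finding list is the expected state on a kernel that carries the fix the maintainer points to below.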

@a13xp0p0v
Owner

Hi @mudongliang,

I think it doesn't work because your kernel has a fix for this vulnerability.
Please check https://bugs.chromium.org/p/project-zero/issues/detail?id=1792&desc=2 for more details.

Best regards,
Alexander

@mudongliang
Author

Thanks very much. It is fixed in 5.0.0-rc8. I will try an old version and test it again.
BTW, do you know some other simple exploits (maybe toy ones) for the Linux kernel? I want to learn some exploitation techniques for the Linux kernel.

@a13xp0p0v
Owner

I want to learn some exploitation techniques for Linux kernel.

I would recommend checking https://www.root-me.org/en/Challenges/App-System/

Also feel free to send pull requests with new exploits to this repository!
