
CVE-2023-46813 PoC — Linux kernel security vulnerability

Associated Vulnerability
Title: Linux kernel security vulnerability (CVE-2023-46813)
Description: An issue was discovered in the Linux kernel before 6.5.9, exploitable by local users with userspace access to MMIO registers. Incorrect access checking in the #VC handler and in the instruction emulation of the SEV-ES MMIO emulation path could lead to arbitrary write access to kernel memory (and thus privilege escalation). Exploitation depends on a race condition through which userspace can replace an instruction before the #VC handler reads it.
Readme
# CVE-2023-46813 PoC

1. Apply the patches in the `host-patches` folder to the host Linux kernel (the KVM ioctl patch) and to QEMU (the `attack` command patch).
2. Start an SEV-SNP VM.
3. Run the code in this repo inside the guest and wait for the message "waiting for the hypervisor to change memory to MMIO".
4. Issue the `attack` command in QEMU repeatedly; it may take several attempts.
5. Once the exploit detects that the type of some of its memory has been changed to MMIO, it uses the vulnerability to swap its own credentials with those of the init task.

Successful exploitation will look like this:

![](./screenshot.png)

The exploit does not depend on any absolute kernel addresses, but it does depend on the relative offsets of fields within `struct task_struct`. Those offsets differ between kernel versions and configurations, so you may have to adjust them for the guest kernel you are targeting.
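The field offsets referred to above can be read straight from the target guest kernel's debug info instead of guessed. The helper below is an added example and is not part of this PoC repository or its `src/main.rs`; it assumes the guest kernel was built with `CONFIG_DEBUG_INFO`, that its `vmlinux` is available, and that `pahole` (from the dwarves package) is installed. The fields queried (`cred`, `real_cred`, `comm`, `tasks`) are the ones a credential-swapping exploit typically walks; which fields `main.rs` actually uses is not stated on this page. The pahole output embedded in the block is constructed with illustrative offsets, not values from any real kernel build, so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the CVE-2023-46813 PoC repository.
# Recovers struct task_struct field offsets for the target guest kernel from
# DWARF via pahole(1), so hard-coded relative offsets can be adjusted.
# Assumptions: the guest kernel was built with CONFIG_DEBUG_INFO, its vmlinux
# is at hand, and pahole (dwarves package) is installed.

# Parse pahole output on stdin. Member lines look like
#     const struct cred *        real_cred;            /*  2408     8 */
# where the trailing comment carries "<offset> <size>". Emits "<name> <offset>"
# for each requested field, in the order the fields appear in the struct.
parse_pahole_offsets() {
    awk -v want="$*" '
    BEGIN { n = split(want, names, " "); for (i = 1; i <= n; i++) w[names[i]] = 1 }
    /\/\*[ \t]*[0-9]+[ \t]+[0-9]+[ \t]*\*\// {
        decl = $0
        sub(/;.*/, "", decl)                 # keep only the declaration part
        nf = split(decl, toks, "[ \t*]+")    # last token is the member name
        name = toks[nf]
        sub(/\[.*/, "", name)                # arrays: comm[16] -> comm
        sub(/:.*/, "", name)                 # bitfields: flag:1 -> flag
        match($0, /\/\*[ \t]*[0-9]+/)        # first number in the comment
        off = substr($0, RSTART + 2, RLENGTH - 2)
        gsub(/[ \t]/, "", off)
        if (name in w) print name, off
    }'
}

# Real use against a guest kernel:
#   task_struct_offsets /path/to/vmlinux cred real_cred comm tasks
# pahole prints nothing if vmlinux carries no DWARF, so an empty result means
# the kernel was not built with debug info, not that the fields are absent.
task_struct_offsets() {
    vmlinux=$1
    shift
    pahole -C task_struct "$vmlinux" | parse_pahole_offsets "$@"
}

# Constructed sample of pahole output with illustrative offsets (not taken
# from any real kernel build), used only to exercise the parser offline.
SAMPLE_PAHOLE='struct task_struct {
    struct thread_info         thread_info;          /*     0    24 */
    struct list_head           tasks;                /*  1016    16 */
    const struct cred  *       real_cred;            /*  2408     8 */
    const struct cred  *       cred;                 /*  2416     8 */
    char                       comm[16];             /*  2440    16 */

    /* XXX 4 bytes hole, try to pack */

    /* size: 9792, cachelines: 153, members: 240 */
};'

# Runs the parser over the constructed sample and returns the offset lines.
sample_offsets() {
    printf '%s\n' "$SAMPLE_PAHOLE" | parse_pahole_offsets cred real_cred comm tasks
}

sample_offsets
```

Compare the printed offsets with the constants in `src/main.rs` against the kernel actually booted in the SEV-SNP guest, not the host kernel; the offsets must come from the same build that handles the #VC exception.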
File Snapshot

[4.0K] /data/pocs/0d69360643e8e430d217b02efd21f1922ed72cac
├── [2.2K] Cargo.lock
├── [ 242] Cargo.toml
├── [4.0K] host-patches
│   ├── [4.0K] linux
│   │   └── [3.8K] 0001-add-KVM_ATTACK-ioctl.patch
│   └── [4.0K] qemu
│       └── [4.3K] 0001-add-attack-command.patch
├── [ 699] README.md
├── [ 45K] screenshot.png
└── [4.0K] src
    └── [ 13K] main.rs

4 directories, 7 files