
CVE-2024-0582 PoC — Kernel: io_uring: page use-after-free vulnerability via buffer ring mmap

Associated Vulnerability

Title: Kernel: io_uring: page use-after-free vulnerability via buffer ring mmap (CVE-2024-0582)

Description: A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Description: A data-only exploit for CVE-2024-0582

Readme
# CVE-2024-0582 Exploit (PoC)

This repository provides a Proof-of-Concept (PoC) exploit for **CVE-2024-0582**, featuring both **Dirty Cred** and **Dirty Pagetable** attack methods to gain root privilege.

## Description

- **Based on Google Project Zero's PoC:** This exploit stands out from other PoCs on GitHub because it is heavily based on the PoC described in a [Google Project Zero issue](https://project-zero.issues.chromium.org/issues/42451653).
- **Additional References:** This exploit drew upon insights from the [Exodus Intelligence blog post](https://blog.exodusintel.com/2024/03/27/mind-the-patch-gap-exploiting-an-io_uring-vulnerability-in-ubuntu/) and [ptrYudai's blog post](https://ptr-yudai.hatenablog.com/entry/2023/12/08/093606).
- **Bug Overview:** *CVE-2024-0582* is rooted in a flaw within the `io_uring` subsystem that allows unintended access to freed memory pages.

### Current Exploit Method

1. **Dirty Cred**
   - Uses an `io_uring` **register/unregister** sequence to trigger a page use-after-free.
   - Gains write access to `/etc/passwd`.
   - Injects a rogue user entry into `/etc/passwd`.

2. **Dirty Pagetable**
   - Uses an `io_uring` **register/unregister** sequence to trigger a page use-after-free.
   - Gains write access to a page table.
   - Injects shellcode into the `pivot_root` syscall.

## Adjust the Offset Values

Before building, ensure that you have configured the correct offset values for each exploit. Refer to the documentation in:

- [Dirty Cred](dirty_cred/README.md#determining-the-correct-offset-values)
- [Dirty Pagetable](dirty_page_table/README.md#determining-the-correct-offset-values)

These offsets may vary depending on your kernel version and environment.

## Disclaimer
This repository and all its contents are for educational and research purposes only. Do not use this exploit on systems you do not own or have explicit permission to test. The author(s) assume no liability for any misuse or damage caused by this material.

File Snapshot

```
[4.0K] /data/pocs/3f0e43fd91caaf066b2679456913ac7054f20b93
├── [4.0K] dirty_cred
│   ├── [4.0K] c
│   │   ├── [8.5K] exploit.c
│   │   └── [1.1K] Makefile
│   ├── [2.0K] README.md
│   └── [4.0K] rust
│       ├── [ 118] Cargo.toml
│       ├── [1.1K] Makefile
│       └── [4.0K] src
│           ├── [5.5K] main.rs
│           └── [5.9K] utils.rs
├── [4.0K] dirty_page_table
│   ├── [4.0K] c
│   │   ├── [ 10K] exploit.c
│   │   └── [1.1K] Makefile
│   └── [5.2K] README.md
├── [ 273] KERNEL_COMMIT_INFO
├── [138K] kernel.conf
├── [1.0K] LICENSE
├── [2.0K] README.md
└── [1.2K] run_qemu.sh

6 directories, 15 files
```