
CVE-2016-0728 PoC — Linux kernel security vulnerability

Associated Vulnerability
Title: Linux kernel security vulnerability (CVE-2016-0728)
Description: The join_session_keyring function in security/keys/process_keys.c in the Linux kernel before 4.4.1 mishandles object references in a certain error case, which allows local users to gain privileges or cause a denial of service (integer overflow and use-after-free) via crafted keyctl commands.
Description
A collection of code pertaining to CVE-2016-0728 (various authors)
Readme
# cve: A collection of code pertaining to CVE-2016-0728 (various authors)
* Excerpts from Linux, showing the evolution and fix of the bug
* Exploit code from Perception Point, with added comments explaining what each line does.
* A short script that uses the leak to increment the usage count; useful for determining whether the bug exists on your system.
* A version of the exploit that bypasses the syscall wrappers (for systems that don't implement the keyctl wrappers).
* The first emergency patch from January 2016.
* The best way to reproduce this exploit is to find an affected Linux version, listed below. ISO images may contain back-ported patches, so you need to download the kernel source and compile it yourself.
* Running the exploit on a modern version of Ubuntu (edited to retain the bug) gave strange results. I wrote test.c to track it, writing its output to the keylog file. The program runs independently of the exploit, using nanosleep to control the sample frequency. keylog is the output from running with a 500 nanosecond period for about half a second.
* Interpreting the keylog file: the number on the left is the iteration number. A value is written whenever the slope changes. tState counts how many iterations have passed since the slope last changed. The output is completely random and not worth studying.
* For this test the output was unpredictable and there was no integer overflow, which means the exploit fails on a modern kernel, edited or not. Instead, compile a kernel version from the list below.

# Affected Versions
* Red Hat Enterprise Linux 7
* CentOS Linux 7
* Scientific Linux 7
* Debian Linux stable 8.x (jessie)
* Debian Linux testing 9.x (stretch)
* SUSE Linux Enterprise Desktop 12
* SUSE Linux Enterprise Desktop 12 SP1
* SUSE Linux Enterprise Server 12
* SUSE Linux Enterprise Server 12 SP1
* SUSE Linux Enterprise Workstation Extension 12
* SUSE Linux Enterprise Workstation Extension 12 SP1
* Ubuntu Linux 14.04 LTS (Trusty Tahr)
* Ubuntu Linux 15.04 (Vivid Vervet)
* Ubuntu Linux 15.10 (Wily Werewolf)
* openSUSE Leap 42.x and openSUSE 13.x
* Oracle Linux 7


File Snapshot

```
[4.0K] /data/pocs/bf0308c022a14fc032dbbbb6e24fa5e1df842dc9
├── [4.2K] andr.c
├── [2.4K] bandaid.c
├── [8.4K] evolution_of_bug.c
├── [8.6K] expl.c
├── [5.5K] keylog
├── [ 908] leak.c
├── [2.0K] README.md
└── [3.2K] test.c

0 directories, 8 files
```