A write-up and Local Privilege Escalation Proof-of-Concept of an OOB read and write vulnerability in the Linux Kernel.
You can find the write-up of this vulnerability on my blog and you can find my introduction to nf_tables here as well.
The exploit provided in this repository should not be expected to run successfully on vulnerable kernel versions out of the box. There are many offsets that would differ between kernel builds as well as of course differing ROP gadgets.
Sometimes even the way the vulnerability is exploited might have to be changed due to differences between kernel builds. An example is another write-up of this vulnerability by David Bouman (@pqlqpql) that you can find here where he exploits the vulnerability using UDP packets - targetting the stack when a UDP packet is being handled - which couldn't have been done on my kernel build due to significant differences in the stack layout. Instead I used a method targetting the stack when a TCP ACK packet is being handled.
If you have the desire to test it out on your end I would recommend reading my write-up and follow the path of finding out the offsets, what hooks to use, etc.
The exact kernel version from which I built the kernel that I was targetting in the write-up was 5.12.0, commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717.
To build the exploit you need the libraries libmnl and libnftnl as well as the POSIX thread (pthread) library.
Building it then is as simple as
gcc -lmnl -lnftnl -lpthread exploit.c -o exploit
The vulnerability arises from nft_validate_register_store introduced in commit 345023b0db315648ccc3c1a36aee88304a8b4d91 in version 5.12 and is patched in commit 6e1acfa387b9ff82cfc7db8cc3b6959221a95851 in version 5.17.
This Proof-of-Concept and the write-up of the vulnerability are for educational purposes only. I am not legally responsible for any way this code might get used.