Closed zecoxao closed 1 month ago
So, a couple of things:
For this reason, I suggest:
For reference, this is a partial output I get after the race is triggered:
[INFO] [JarLoader] [main] Number of successful destructions: 2
...
[INFO] [JarLoader] [main] Spraying and praying
...
[INFO] [JarLoader] [main] Checking for shared memory object corruption
[INFO] [JarLoader] [main] Original descriptor of primary shared memory object: 41
[INFO] [JarLoader] [main] Lookup descriptor of primary shared memory object: 41
[INFO] [JarLoader] [main] Size of primary shared memory object: 0x2b000
[INFO] [JarLoader] [main] Calculated descriptor #43
[INFO] [JarLoader] [main] Got mismatch of descriptors!
[INFO] [JarLoader] [main] Checking succeeded, winner descriptor of shared memory object: 43
[INFO] [JarLoader] [main] Closing descriptor #42 of reclaim shared memory object #0
[INFO] [JarLoader] [main] Truncating shared memory object with descriptor #43
...
[INFO] [JarLoader] Got memory corruption after 223 iterations
[INFO] [JarLoader] Doing post-exploitation
[INFO] [Thread-135] [destroyer#0] Finishing loop
[INFO] [Thread-136] [destroyer#1] Finishing loop
[INFO] [Thread-137] [lookup] Finishing loop
...
[INFO] [JarLoader] Mapping memory of shared memory object with lookup descriptor #41
[INFO] [JarLoader] Mapped address of potential kernel stack: 0x21478c000. Size: 0x4000
[INFO] [JarLoader] Protecting mapped memory of potential kernel stack
[INFO] [JarLoader] Starting reclaim threads
[INFO] [JarLoader] Reclaim threads started
[INFO] [JarLoader] Checking if reclaimed memory belongs to controlled thread
[INFO] [JarLoader] Found marker pattern in kernel stack at 0x6bc
[INFO] [JarLoader] Classifying leaked kernel addresses
[INFO] [JarLoader] Determined reclaim job index: 2
[INFO] [JarLoader] Found reclaim thread 'reclaim#2' using 1 attempts
[INFO] [JarLoader] Found potential kernel thread address: 0xffffa2c373114ce0
[INFO] [JarLoader] [main] Resetting ready flag
[INFO] [JarLoader] Joining reclaim threads
[INFO] [Thread-141] [reclaim#3] Not target thread
...
[INFO] [Thread-140] [reclaim#2] I am lucky
...
[INFO] [Thread-140] [reclaim#2] Reading from read pipe #29
[INFO] [JarLoader] [main] Attempting to unlock pipe for kernel primitives
[INFO] [JarLoader] Writing to write pipe #30
[INFO] [JarLoader] Writing to write pipe #30 finished with result 4096
[INFO] [JarLoader] [main] Pipe for kernel primitives unlocked
[INFO] [JarLoader] [main] Waiting for command processor to start up
[INFO] [Thread-140] [reclaim#2] Reading from read pipe #29 finished with result 4096
[INFO] [Thread-140] [reclaim#2] Starting command processor loop
[INFO] [JarLoader] [main] Done waiting for command processor to start up
[INFO] [JarLoader] Leaked kernel thread name: reclaim#2
[INFO] [JarLoader] Kernel thread address is correct
Thanks for the output. Closing...
I see an infinite spam of threads on 7.61 and nothing happens, help!