Questions about the exploitation of the CVE-2017-17053 #6

Description

@0xdd96

Hello, I would like to ask you about the exploit of CVE-2017-17053.

I ran the exp for one night, but it still didn't stop, so I didn't analyze the exploit process through debugging.

I read the code of the exp and, compared to the PoC, the ccid_alloc function seems to play an important role. I guess it wants to reuse the ldt_struct structure by allocating sockets. But the size of ldt_struct is 0x10, and a heap chunk of size 0x40 will be allocated in sock_alloc, which seems to be unusable (maybe I got it wrong). In addition, I have not seen any operation that writes malicious data to the chunk, so I want to know how the control flow is hijacked.

In summary, for CVE-2017-17053, I would like to ask:

  1. When will the ldt_struct structure be reused?
  2. When was the control flow hijacked?

Looking forward to your answer, thank you!
