# CVE-2016-2384 proof-of-concept exploit demo

{% hint style="info" %}
**2022 NHN Cloud** <mark style="color:red;">**free**</mark> **training schedule**: <https://doc.skill.or.kr/2022-NHN-Cloud-Education>
{% endhint %}

## Title: CVE-2016-2384 proof-of-concept exploit demo

{% hint style="danger" %}
**Caution: Please note that the user of this program is responsible for any problems that arise from using it for purposes other than testing.**

**Disclaimer: I am not responsible for any damage done using this tool. This tool should only be used for educational purposes and for penetration testing.**
{% endhint %}

### Content:

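> This is a method by which an attacker who has access to the system as a regular user runs an exploit to gain root privileges.
>
> The source code is published on GitHub, but please use it for testing only.
>
> As a remediation, apply the latest security updates.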

### Description

> Overview
>
> This post describes an exploitable vulnerability (CVE-2016-2384) in the usb-midi Linux kernel driver. The vulnerability is present only if the usb-midi module is enabled, but as far as I can see many modern distributions do this. The bug has been fixed upstream.
>
> The vulnerability can be exploited in two ways:
>
> - Denial of service. Requires physical access (ability to plug in a malicious USB device). All the kernel versions seem to be vulnerable to this attack. I managed to cause a kernel panic on real machines with the following kernels: Ubuntu 14.04 (3.19.0-49-generic), Linux Mint 17.3 (3.19.0-32-generic), Fedora 22 (4.1.5-200.fe22.x86\_64) and CentOS 6 (2.6.32-584.12.2.e16.x86\_64).
>
> - Arbitrary code execution with ring 0 privileges (and therefore a privilege escalation). Requires both physical and local access (ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user). All the kernel versions starting from v3.0 seem to be vulnerable to this attack. I managed to gain root privileges on real machines with the following kernels: Ubuntu 14.04 (3.19.0-49-generic), Linux Mint 17.3 (3.19.0-32-generic) and Fedora 22 (4.1.5-200.fe22.x86\_64). All machines had SMEP turned on, but didn't have SMAP.
>
> A proof-of-concept exploit (poc.c, poc.py) is provided for both types of attacks. The provided exploit uses a Facedancer21 board to physically emulate the malicious USB device. The provided exploit bypasses SMEP, but doesn't bypass SMAP (though it might be possible to do). It has about 50% success rate (the kernel crashes on failure), but this can probably be improved. Check out the demo video.

### Information:

> CVE-2016-2384: <https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2384>
>
> Source Code: [https://github.com/xairy/CVE-2016-2384](https://github.com/xairy/CVE-2016-2384)

{% embed url="<https://youtu.be/lfl1NJn1nvo>" %}
Demo video
{% endembed %}



