Immunity Canvas: NTFS3G_MODPROBE

Tested and working on:

Debian 8.8 jessie 64 bits
Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u2 (2017-06-26) x86_64 GNU/Linux
ntfs-3g: 1:2014.2.15AR.2-1+deb8u2

Debian 9.0 stretch 64 bits
Linux 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64
ntfs-3g: 1:2014.2.15AR.2-1+deb8u2

Ubuntu 16.10 Yakkety 64 bits
Linux ubuntu 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
ntfs-3g: 1:2016.2.22AR.1-3
Note: It is not fully realiable, so it has to be ran several times

-— should work but didn’t test ------

Ubuntu 16.04.2 Xenial LTS 64 bits
Linux ubuntu 4.8.0-36-generic #36~16.04.1-Ubuntu SMP Sun Feb 5 09:39:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
ntfs-3g: 1:2015.3.14AR.1-1build1

------

Doesn’t work on:

Debian 9.0 stretch 32 bits
Linux 4.9.0-3-686-pae #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) i686 GNU/Linux
ntfs-3g: 1:2016.2.22AR.1-3:
Note: Even when modprobe is called, it is not taking the fakemodule as the fuse

Debian 7.11 wheezy 64 bits
Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.89-2 x86_64 GNU/Linux
ntfs-3g: 1:2012.1.15AR.5-2.1+deb7u2
Note: The modprobe is not being called at anytime, tried the exploit of Google Project Zero and didn’t work neither

Repeatability: Infinite
References: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
CVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0358