Linux kernel exploit tutorial

linux kernel exploit tutorial

Fire up your favorite code crawling tool and let’s start! DriverObject will get populated with necesarry structures and function pointers.That is, change the following lines in the exploit:.If we can’t even reach the vulnerable code path because of security checks there is no reason to continue.Follow abatchy.Add this topic Linux kernel exploit tutorial your repo To associate your repository with the kernel-exploit topic, visit your repo’s landing page and select “manage topics.The exploit developed here we will use “hardcoded” addresses.Just take your time.The module is absolutely simple.Do not try to run the exploit as isthis will just crash your system! The reason I chose this Linux kernel exploit tutorial challenge is because:.In order to avoid the same kind of bug in the future, we will wrap every syscall.We will get in deeper details with scheduling later cf.A userland process is composed of at least one task.Tutorial for writing kernel exploits.In particular, we look for the following line in one of the files usually it will be rcS or inittab and then modify it:.We don’t want this behavior, we want to get into the “retry” path returns 1.From there, there is three possible outcomes:.If not, then you will need to recompile the kernel.You will understand this change by reading part 3.
FuzzySecurity | Tutorials

CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 1/4) – We recommend you to read those books they are great! The important thing to note here is that different from userland programs, this kernel function actually pops 3 registers from the stack, namely rbxr12rbp instead of just rbp this can clearly be seen in the disassembly of the functions.The mapping which translates a file descriptor into a struct file pointer is called the file descriptor table fdt.It does not necessarily match any image on the disk.This is actually the main benefit of ” everything is a file ” motto.

It starts with the patch analysis to understand the bug and trigger it from kernel land part 1 , then it gradually builds a working proof-of-concept code part 2.The PoC is then turned into an arbitrary call primitive part 3 which is finally used to execute arbitrary code in ring-0 part 4.The targeted audience is the Linux kernel newcomers nothing too fancy for the veterans.Since most kernel exploit articles imply that the reader is already familiar with the kernel code, we will try to fill the gap by exposing core data structure and important code paths.

In the end, every single line of the exploit should be understood, as well as their impact on the kernel.While it is impossible to cover everything in a single article, we will try to unroll every kernel path needed to develop the exploit.

Think of it as a guided Linux kernel tour supported by a practical example.Exploit writing is actually a good way to understand the Linux kernel.In addition, we will show some debugging techniques, tools, common pitfalls and how to fix them.

Most distributions patched it during the mid At the time of writing, there is no known public exploit.The kernel code exposed here matches a specific version v2.

One might think that this version is too old, yet it is still actually used in a lot of places and some paths might be easier to understand.It shouldn’t be too hard to find the equivalent paths on a more recent kernel.The exploit built here is not targetless.Do not try to run the exploit as is , this will just crash your system! You can find the final exploit here.It is recommended grabbing the source code of a vulnerable kernel and try to follow the code on the go or even better, implement the exploit.

Fire up your favorite code crawling tool and let’s start! Warning : Please do not get scared by the size of this series, there are tons of code.Anyway, if you really want to get into kernel hacking, you must be ready to read a lot of codes and documentation.Just take your time.Note : we do not deserve any credit for this CVE discovery, it is basically a 1-day implementation.This article only covers a small subset of the whole kernel.

We recommend you to read those books they are great! The code exposed here comes from a specific target 2.However, you can try to implement the exploit on the following target.

There might be slight variations in the code that shouldn’t be blocking.Debian 8.The previous ISO runs a 3.We only confirmed that the bug is reachable and makes the kernel crash.Most of the changes will appear during the last stages of exploitation cf.Otherwise, reallocation may need additional steps cf.The “default” configuration on the previous ISO satisfies all of those requirements.

If you want to develop the exploit on another target, please see the next section.However, we discourage using virtualbox as it didn’t support SMEP not sure if it does right now.You can use the free version of vmware for instance or any other virtualization tool as long as it supports SMEP we will bypass it.Once the system has been installed don’t develop on a LiveCD , we need to check that the system configuration is as expected.

In order to know if SMEP is enabled or not, run the following command.The “smep” string MUST be present:.Then run update-grub and reboot your system.For SMAP, you will need to do the exact opposite.If it does not appear, everything is okay.Otherwise, add “nosmap” in your grub configuration file then update-grub and reboot.

The exploit developed here we will use “hardcoded” addresses.For this reason, kASLR must be disabled.In order to disable it, you can add the nokaslr option in the cmdline just like nosmap.In the end, the grub cmdline should be something like:.

Finally, your target must use the SLAB allocator.You can validate the kernel is using it with:.If not, then you will need to recompile the kernel.Please read your distribution documentation.Again, the suggested ISO satisfies all those requirements, so you only need to check that everything is okay.

As mentioned before, the ISO runs a v3.Because of this, we will need to grab the.We will need:.You can download them from this link , or type:.In addition to system tap, the target kernel will be used to compile and run the exploit, so run this:.Now, download the exploit with:.Due to code differences between the suggested and the article targets, the “used-after-freed” object here lies in the “kmalloc” cache instead of kmalloc That is, change the following lines in the exploit:.

This is the kind of problems that arises with non-targetless exploit.You will understand this change by reading part 3.Now, build and run the exploit:.The exploit failed and does not give root shell because it has not been built for this target.

As you will see, it requires modifications cf.However, it validates that we can reach the bug.The reason being, the kernel does not automatically crash on certain error just like above but simply hang or kill the exploit.However, it is in a unstable state and can crash at any time.It is recommended to read the code and understand those differences.Once the system has been installed and ready, the next step is to grab the kernel source code.

Again, since we are using an outdated kernel, we will need to grab it with:.Since the target kernel will crash a lot , you must analyse the kernel code and develop the exploit from your host system.That is, get those source back to your host system.

From here, you can use any code crawling tool.It is required that you can cross-reference symbols efficiently.Linux has multiple millions lines of code, you will get lost without it.

A lot of kernel developers seems to use cscope.You can generate the cross-references by doing like this or just:.Note the – k modifier which excludes your system library headers as the kernel runs in freestanding.The cscope database generation takes a couple of minutes, then use an editor which has a plugin for it e.In order not to get lost at the very first line of the CVE analysis, it is necessary to introduce some core concepts of the Linux kernel.

Please note that most structures exposed here are incomplete in order to keep it simple.A userland process is composed of at least one task.

Accessing the current running task is such a common operation that a macro exists to get a pointer on it: current.Everybody knows that ” everything is a file “, but what does it actually mean? In the Linux kernel, there are basically seven kinds of files: regular, directory, link, character device, block device, fifo and socket.Each of them can be represented by a file descriptor.A file descriptor is basically an integer that is only meaningful for a given process.

For each file descriptor, there is an associated structure: struct file.A struct file or file object represents a file that has been opened.It does not necessarily match any image on the disk.While reading a file, the system may need to keep track of the cursor.This is the kind of information stored in a struct file.

Pointers to struct file are often named filp for file pointer.The mapping which translates a file descriptor into a struct file pointer is called the file descriptor table fdt.

Note that this is not a mapping, there could be several file descriptors pointing to the same file object.In that case, the pointed file object has its reference counter increased by one cf.Reference Counters.

The FDT is stored in a structure called: struct fdtable.This is really just an array of struct file pointers that can be indexed with a file descriptor.One way to achieve some genericity is to use a virtual function table vft.A virtual function table is a structure which is mostly composed of function pointers.Doing so allows the kernel code to handle file independently of their type and code factorization.It leads to such kind of code:.A struct socket lives at the top-layer of the network stack.

From a file perspective, this is the first level of specialization.Since every file is represented with a file descriptor, you can use any syscall that takes a file descriptor as argument e.This is actually the main benefit of ” everything is a file ” motto.Independently of the socket’s type, the kernel will invoke the generic socket file operation:.

Every type of socket e.Because some protocol operations e.In the end, a struct socket is a kind of glue between a struct file and a struct sock.The struct sock is a complex data structure.One might see it as a middle-ish thing between the lower layer network card driver and higher level socket.

When a packet is received over the network card, the driver “enqueued” the network packet into the sock receive buffer.It will stay there until a program decides to receive it recvmsg syscall.The other way around, when a program wants to send data sendmsg syscall , a network packet is “enqueued” onto the sock sending buffer.Once notified, the network card will then “dequeue” that packet and send it.This “2-way mechanism” allows data to go up-and-down through the network stack.

NOTE : Do not get confused! The struct sock objects are often called sk , while struct socket objects are often called sock.Since struct sock and struct socket are generic data structure supporting all kinds of sockets, it is necessary to somehow “specialize them” at some point.

It gets a little bit more complicated, from the sock perspective.One might see a struct sock as an abstract class.Hence, a sock needs to be specialized.The top-level comment is of utter importance.It allows the kernel to manipulate a generic struct sock without knowing its precise type.

From a language theory perspective, this is how the kernel does type polymorphism whilst the C language does not have any feature for it.Now that core data structures have been introduced, it is time to put them all in a diagram to visualize their relationships:.No line “crosses” each other.In order to conclude this introduction of the kernel core concepts, it is necessary to understand how the Linux kernel handles reference counters.

To reduce memory leaks in the kernel and to prevent use-after-free , most Linux data structures embed a “ref counter”.Learn more.Skip to content.Here are 15 public repositories matching this topic Language: All Filter by language.Sort options.Star Tutorial for writing kernel exploits.Updated Dec 2, C.Updated Feb 25, C.Updated Oct 15, C.Star 2.Code execution for CVE Updated Apr 10, C.

Updated Jun 18, C.Updated Jun 26, C.Linux Kernel exploitation Tutorial.Updated Jun 30, C.

Categories

The Linux Privilege Escalation Using Kernel Exploit Walkthrough · What You Need · Get The Kernel Version · Get Kernel Vision Using Metasploit.Part Kernel Exploitation -> Null Pointer Dereference Linux Exploit Development Tutorial Series Part 2: Linux Format String Exploitation.This N-part tutorial will walk you through the kernel exploit development cycle.It’s important to notice that we will be dealing with known.

How to use:

  1. Part 7: Return Oriented Programming.
  2. We will see how to do it in the next section.
  3. Please read your distribution documentation.
  4. One is okay, you will understand why soon enough.
  5. From a file perspective, this is the first level of specialization.
Common Linux Privilege Escalation: Using Kernel Exploits, time: 7:23

Linux Kernel exploitation Tutorial.

Star 2.Code execution for CVE Updated Apr 10, C.Updated Jun 18, C.Updated Jun 26, C.Linux Kernel exploitation Tutorial.Updated Jun 30, C.Updated Oct 15, Objective-C.Exploit MsIo vulnerable driver.Star 6.

Updated Sep 16, Shell.Updated Jan 4, C.Improve this page Add a description, image, and links to the kernel-exploit topic page so that developers can more easily learn about it.Add this topic to your repo To associate your repository with the kernel-exploit topic, visit your repo’s landing page and select “manage topics.

You signed in with another tab or window.Reload to refresh your session.You signed out in another tab or window.Part 7: Return Oriented Programming.What’s Going On Here b33f? Heap Overflows For Humans Part 1: Introduction to Linux Exploit Development.Part 2: Linux Format String Exploitation.Part 3: Buffer Overflow [Pwnable.

Part 4: Use-After-Free [Pwnable.Windows Privilege Escalation Fundamentals.I’ll Get Your Credentials Windows Userland Persistence Fundamentals.Capcom Rootkit Proof-Of-Concept.

Part 2: RFID locksmith.Appendix A: Mifare Classic Intel Syntax Reference Guide.Inconspicuous Windows Backdoor.

It gets a little bit more complicated, from the sock perspective.

kernel-exploit – properties

  • Back to the main site Home Categories Tags Archives.
  • To answer this question, let’s ask ourselves: what will happen if it is not NULL?
  • Part 7: Return Oriented Programming.
  • We hope you enjoyed the journey in kernel land exploitation and see you soon in part 2!
  • Table of Contents.
  • Let’s figure it out!
  • Think of it as a guided Linux kernel tour supported by a practical example.
  • Updated Feb 25, C.

Improve this page

: In this section, we will use System Tap Guru Mode to modify kernel data structures and force a particular kernel path.

To do that, follow this.It starts with the patch analysis to understand the bug and trigger it from kernel land part 1then it gradually builds a working proof-of-concept code part 2.

  • Otherwise, add “nosmap” in your grub configuration file then update-grub and reboot.
  • Keep in mind that unlike a simple userland program, the kernel image is HUGE.
  • The purpose of this instruction is to also swap the GS register between kernel-mode and user-mode.
  • Please enable JavaScript to view the comments powered by Disqus.
  • It is time to unleash the true power of System Tap and enter: the Guru Mode!

Again, since we are using an outdated kernel, we will need to grab it with:.Since the target kernel will crash a lot , you must analyse the kernel code and develop the exploit from your host system.That is, get those source back to your host system.From here, you can use any code crawling tool.

It is required that you can cross-reference symbols efficiently.Linux has multiple millions lines of code, you will get lost without it.A lot of kernel developers seems to use cscope.You can generate the cross-references by doing like this or just:.Note the – k modifier which excludes your system library headers as the kernel runs in freestanding.The cscope database generation takes a couple of minutes, then use an editor which has a plugin for it e.In order not to get lost at the very first line of the CVE analysis, it is necessary to introduce some core concepts of the Linux kernel.

Please note that most structures exposed here are incomplete in order to keep it simple.A userland process is composed of at least one task.Accessing the current running task is such a common operation that a macro exists to get a pointer on it: current.Everybody knows that ” everything is a file “, but what does it actually mean?

In the Linux kernel, there are basically seven kinds of files: regular, directory, link, character device, block device, fifo and socket.Each of them can be represented by a file descriptor.A file descriptor is basically an integer that is only meaningful for a given process.For each file descriptor, there is an associated structure: struct file.A struct file or file object represents a file that has been opened.It does not necessarily match any image on the disk.

While reading a file, the system may need to keep track of the cursor.This is the kind of information stored in a struct file.Pointers to struct file are often named filp for file pointer.

The mapping which translates a file descriptor into a struct file pointer is called the file descriptor table fdt.Note that this is not a mapping, there could be several file descriptors pointing to the same file object.

In that case, the pointed file object has its reference counter increased by one cf.Reference Counters.The FDT is stored in a structure called: struct fdtable.This is really just an array of struct file pointers that can be indexed with a file descriptor.One way to achieve some genericity is to use a virtual function table vft.

A virtual function table is a structure which is mostly composed of function pointers.Doing so allows the kernel code to handle file independently of their type and code factorization.It leads to such kind of code:.A struct socket lives at the top-layer of the network stack.From a file perspective, this is the first level of specialization.Since every file is represented with a file descriptor, you can use any syscall that takes a file descriptor as argument e.This is actually the main benefit of ” everything is a file ” motto.

Independently of the socket’s type, the kernel will invoke the generic socket file operation:.Every type of socket e.Because some protocol operations e.In the end, a struct socket is a kind of glue between a struct file and a struct sock.The struct sock is a complex data structure.One might see it as a middle-ish thing between the lower layer network card driver and higher level socket.

When a packet is received over the network card, the driver “enqueued” the network packet into the sock receive buffer.It will stay there until a program decides to receive it recvmsg syscall.The other way around, when a program wants to send data sendmsg syscall , a network packet is “enqueued” onto the sock sending buffer.Once notified, the network card will then “dequeue” that packet and send it.

This “2-way mechanism” allows data to go up-and-down through the network stack.NOTE : Do not get confused! The struct sock objects are often called sk , while struct socket objects are often called sock.Since struct sock and struct socket are generic data structure supporting all kinds of sockets, it is necessary to somehow “specialize them” at some point.

It gets a little bit more complicated, from the sock perspective.One might see a struct sock as an abstract class.Hence, a sock needs to be specialized.The top-level comment is of utter importance.It allows the kernel to manipulate a generic struct sock without knowing its precise type.

From a language theory perspective, this is how the kernel does type polymorphism whilst the C language does not have any feature for it.Now that core data structures have been introduced, it is time to put them all in a diagram to visualize their relationships:.No line “crosses” each other.In order to conclude this introduction of the kernel core concepts, it is necessary to understand how the Linux kernel handles reference counters.

To reduce memory leaks in the kernel and to prevent use-after-free , most Linux data structures embed a “ref counter”.The refcounter is only manipulated through atomic operations like:.Because there is no “smart pointer” or operator overload stuff , the reference counter handling is done manually by the developers.It means that when an object becomes referenced by another object, its refcounter must be explicitly increased.

When this reference is dropped, the refcounter must be explicitly decreased.The object is generally freed when its refcounter reaches zero.However, if at any time, there is an imbalance e.The Linux Kernel has several facilities to handle refcounters kref, kobject with a common interface.However, it is not systematically used and the objects we will manipulate here have their own reference counter helpers.

Do not assume anything about what a function does based on its name, check it.Now that every data structure required to understand the bug has been introduced, let’s move on and analyze the CVE.When studying a CVE, it is always good to start with the description and the patch that corrects it.During a user-space close of a Netlink socket , it allows attackers to cause a denial of service use-after-free or possibly have unspecified other impact ring-0 take over?

The patch is available here :.There is only a single mistake in the patch description: during this small window.Albeit the bug as a “racy” aspect, we will see that the window can actually be extended indefinitely in a deterministic way cf.The previous code begins by taking a reference on a struct file object based on a user provided file descriptor [0].If such fd does not exist in the current process file descriptor table fdt , a NULL pointer is returned and the code goes into the exit path [1].

Otherwise, a reference is taken on the struct sock object associated to that file [2a].If there is no valid struct sock object associated not existent or bad type , the pointer to sock is reset to NULL and the code goes into the exit path [3].

In both cases, the previous struct file reference is dropped [2b].From there, there is three possible outcomes:.To answer this question, let’s ask ourselves: what will happen if it is not NULL? The response is:.As the patch stated, there is an issue with the refcounting on the sock object.But where is this refcounting initially incremented? As the top-commentary says: The caller must hold a reference to the destination socket.

On error, the reference is dropped.This is achieved by setting sock to NULL! So far, we now know what is wrong with the sock variable refcounting it is released a second time under certain conditions , as well as, the retry logic it does not reset sock to NULL.

The patch mentioned something about a “small window” i.This error handling path might look innocent during the first loop.But, remember, during the second loop i.So, it directly jumps to “out”, and hits the first condition One might wonder why we would hit this condition fget returns NULL during the second loop since it was not true during the first loop.

This is the race condition aspect of that bug.We will see how to do it in the next section.Assuming a file descriptor table can be shared between two threads, consider the following sequence:.Since the struct file is freed, it drops the reference to its associated struct sock i.Again, since the sock refcounter also hits zero, it is freed.At this time, the sock pointer is a dangling pointer which has not been reset to NULL.

The second call to fget will fail the fd does not point to any valid struct file in the FDT and directly jump to “out” label.This is why the patch mentioned a “closed fd” thing.It is a necessary condition to actually trigger the bug.And because the close happens at a very specific time in another thread, it is a “race”.So far, we’ve got everything needed to understand the bug and how to trigger it.

We need to satisfy two conditions:.In the previous section, we analyzed the bug and designed an attack scenario to trigger it.In this section, we will see how we can reach the vulnerable code that is the retry label and start coding the exploit.In fact, before implementing anything, one must check that the bug is a priori exploitable.If we can’t even reach the vulnerable code path because of security checks there is no reason to continue.Next, we see a series of sanity checks based on the userland-provided struct sigevent :.

It is recommended to use a Makefile to ease the exploit development build-and-run scripts are always handy.In addition, it is recommenced to use the – O0 option to prevent gcc from re-ordering our code it can lead to hard-to-debug bugs.

There are three places where this error is emitted.Let’s figure it out! During early stage of exploit development, it is highly recommended to run the exploit in a kernel with debug symbols, it allows to use SystemTap!

SystemTap is a great tool to live probe the kernel without going into gdb.It makes sequence visualization easy.The previous script installs two probes that will be respectively called before and after the syscall invocation.

Dumping both the pid and tid helps a lot while debugging multiple threads.Alright, the probes seem to work.Let’s add some more probes.For instance “inlined” might or might not be hookable it depends if the inlining actually occurred.In addition, some functions e.In any case, System Tap will notify you and refuses to launch the script.Read the code and modify your probes accordingly.We did not provide any file descriptor in notification.

Nevertheless, the first call to fget didn’t fail.So, what’s wrong? Let’s pull back and print our sigevent pointer, and compare it with the value passed to the syscall:.It means that either system tap is bugged that is possible or Want to learn more ethical hacking? Check the price on Amazon.Additionally we can use another flag with the same uname command.The – r will show the kernel release.But the exploit returns a meterpreter session! Once I have that meterpreter session I can use the sysinfo command to get the Linux kernel version.

There can be difficulties in compiling exploit believe me, but this is not the case luckily here.I compiled the exploit, but now how do I get it to the remote target for execution so that I can escalate my low level privileges to root?

Installing SystemTap

You have Successfully Subscribed!.Then run update-grub and reboot your system.

Linux Kernel Exploits – Kioptrix Level 2 – VulnHub, time: 11:58
Rate article
Roblox Exploits & Scripts
Add a comment