Skip to content

ameetsaahu/Kernel-exploitation

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits

0ctf2018-babykernel

0ctf2018-babykernel

 
 

0ctffinal2021-kernote

0ctffinal2021-kernote

 
 

CISCN2017-babydriver

CISCN2017-babydriver

 
 

CVE-2019-2215

CVE-2019-2215

 
 

QWB2021-notebook

QWB2021-notebook

 
 

asisctf2020-sharedhouse

asisctf2020-sharedhouse

 
 

babyKernel

babyKernel

 
 

corctf2021-fire_of_salvation

corctf2021-fire_of_salvation

 
 

corctf2021-wall_of_perdition

corctf2021-wall_of_perdition

 
 

corctf2022-cache_of_castaways

corctf2022-cache_of_castaways

 
 

easy-kernel

easy-kernel

 
 

hack_me

hack_me

 
 

hfsipc

hfsipc

 
 

ips

ips

 
 

midnightsunCTF2018-flitbip

midnightsunCTF2018-flitbip

 
 

seccon2020-kstack

seccon2020-kstack

 
 

zer0pts2020-meowmeow

zer0pts2020-meowmeow

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

Repository files navigation

Kernel-exploitation

decompress.sh

Extract file from CPIO archive

#!/bin/sh
mkdir fs
cd fs
cp ../initramfs.cpio.gz ./initramfs.cpio.gz
gunzip ./initramfs.cpio.gz
cpio -idm < ./initramfs.cpio
rm initramfs.cpio
cd ..

compress.sh

Compile the exploit, add it to fs, and run.

#!/bin/sh
gcc -w -o exploit -static exploit.c -pthread -lrt &&\
# musl-gcc -w -s -static -o3 exploit.c -o exploit -masm=intel &&\
mv exploit ./fs/ &&\
cd fs &&\
find . -print0 | cpio --owner root --null -ov --format=newc | gzip -9 > ../initramfs.cpio.gz &&\
cd .. &&\
# gunzip -f initramfs.cpio.gz &&\
./run.sh

In case ext4 filesystem archive

mount ./initramfs.cpio.gz ./fs/

extract-image.sh

Useful strcutures

ldt_struct - modify_ldt syscall

0x20 size struct, contains no checks for copy_to_user call

msg_msg

struct msg_msg {
    struct list_head m_list;
    long m_type;
    size_t m_ts;        /* message text size */
    struct msg_msgseg *next;
    void *security;
    /* the actual message follows immediately */
};

User msg stored right after msg_msg structure uptil 0x1000 - 0x30 after that singly linked list of chunks stored in struct msg_msgseg *next with size of each allocation upto 0x1000, is and should be NULL terminated. For arbitrary read: overwrite next and m_ts to be such that, it has to read from overwritten next pointer.

For arbitrary write:

msgsnd()        // Userland
    do_msgsnd() // Kernel land
        load_msg()  
            alloc_msg()         // Allocate all the necessary chunks
            copy_from_user()    // Race here to replace `struct msg_msgseg *next` before its used to copy userdata. Maybe use userfaultfd ;)

msg_msg do_msgsnd load_msg copy_msg

Misc

To restrict the process to run on specific CPU

cpu_set_t cpu_set;
CPU_ZERO(&cpu_set);
CPU_SET(0,&cpu_set);
ret=sched_setaffinity(0,sizeof(cpu_set),&cpu_set);

References

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

27 stars

Watchers

2 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages