Awesome
Kernel-exploitation
decompress.sh
Extract file from CPIO archive
#!/bin/sh
mkdir fs
cd fs
cp ../initramfs.cpio.gz ./initramfs.cpio.gz
gunzip ./initramfs.cpio.gz
cpio -idm < ./initramfs.cpio
rm initramfs.cpio
cd ..
compress.sh
Compile the exploit, add it to fs, and run.
#!/bin/sh
gcc -w -o exploit -static exploit.c -pthread -lrt &&\
# musl-gcc -w -s -static -o3 exploit.c -o exploit -masm=intel &&\
mv exploit ./fs/ &&\
cd fs &&\
find . -print0 | cpio --owner root --null -ov --format=newc | gzip -9 > ../initramfs.cpio.gz &&\
cd .. &&\
# gunzip -f initramfs.cpio.gz &&\
./run.sh
In case ext4 filesystem archive
mount ./initramfs.cpio.gz ./fs/
extract-image.sh
Useful strcutures
ldt_struct - modify_ldt syscall
0x20 size struct, contains no checks for copy_to_user call
- https://elixir.bootlin.com/linux/v4.19.98/source/arch/x86/kernel/ldt.c#L553
- https://github.com/ameetsaahu/Kernel-exploitation/tree/main/0ctffinal2021-kernote
msg_msg
struct msg_msg {
struct list_head m_list;
long m_type;
size_t m_ts; /* message text size */
struct msg_msgseg *next;
void *security;
/* the actual message follows immediately */
};
User msg stored right after msg_msg
structure uptil 0x1000 - 0x30
after that singly linked list of chunks stored in struct msg_msgseg *next
with size of each allocation upto 0x1000
, is and should be NULL
terminated.
For arbitrary read:
overwrite next
and m_ts
to be such that, it has to read from overwritten next
pointer.
For arbitrary write:
msgsnd() // Userland
do_msgsnd() // Kernel land
load_msg()
alloc_msg() // Allocate all the necessary chunks
copy_from_user() // Race here to replace `struct msg_msgseg *next` before its used to copy userdata. Maybe use userfaultfd ;)
msg_msg do_msgsnd load_msg copy_msg
- https://github.com/ameetsaahu/Kernel-exploitation/tree/main/corctf2021-fire_of_salvation
- https://syst3mfailure.io/wall-of-perdition
Misc
To restrict the process to run on specific CPU
cpu_set_t cpu_set;
CPU_ZERO(&cpu_set);
CPU_SET(0,&cpu_set);
ret=sched_setaffinity(0,sizeof(cpu_set),&cpu_set);
References
- https://github.com/xairy/linux-kernel-exploitation by @andreyknvl
- Structures collection useful for kernel-exp by @ptr-yudai
- https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study
- https://duasynt.com/blog/linux-kernel-heap-feng-shui-2022
- https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
- https://cloudfuzz.github.io/android-kernel-exploitation