Exploiting an Uninitialised Stack Variable – Linux Kernel

This post demonstrates how to exploit a simple uninitialised stack variable in the Linux Kernel. I’ll start by examining the vulnerability (again this is part of the intentionally vulnerable driver I’ve been writing), and then explore how we can go about exploiting it.

The Vulnerable Code

The code I added to include this vulnerability exposes 2 new IOCTL’s to the driver:

case UNINITIALISED_STACK_ALLOC:
 {
   ret = copy_to_stack((char *)p_arg);
   break;
 }
 case UNINITIALISED_STACK_USE:
 {
   use_obj_args use_obj_arg;
 
   if(copy_from_user(&use_obj_arg, p_arg, sizeof(use_obj_args)))
     return -EINVAL;
 
   use_stack_obj(&use_obj_arg);
 
   break;
}

Continue reading “Exploiting an Uninitialised Stack Variable – Linux Kernel”

Exploiting Arbitrary Read/Write Linux Kernel

Continuing with my research into Linux kernel exploit dev, I decided to try an exploit that doesn’t involve gaining code execution. The following is a short demonstration of escalating a processes privileges due to an arbitrary read/write vulnerability in the kernel.

As always the code can be found on my github page.

The Vulnerable Code

I started by adding an arbitrary read/write vulnerability to my driver. It’s a pretty obvious vulnerability, as we can see here:

Continue reading “Exploiting Arbitrary Read/Write Linux Kernel”

Use After Free Part2 – The Exploit

To exploit this vulnerability there are a few protection mechanisms we need to bypass. To begin, it should be noted that for this exploit I am using Ubuntu 16.04.01, Linux kernel 4.8.0. This system is being run as a virtual machine through VMWare, with hardware.version set to 12. What all of this means is that in order to get root, we need to bypass SMEP (available in VMWare when hardware.version is set to 12) and KASLR.

The full code for this exploit can be found here.

Continue reading “Use After Free Part2 – The Exploit”

Linux Kernel Heap Spraying / UaF

Using sendmsg and msgsend syscalls to spray the kernel heap

Recently I’ve become increasingly interested in kernel exploit development. One of my main barriers in this field is that fact I have very little development experience in kernel space. I therefore decided to go back to how I started in exploit dev, learn how to build it so I can learn how to break it.

To that end, I started writing an intentionally vulnerable Linux driver (based off the same idea as theĀ HackSys Windows driver). The logic is simple, write a vulnerability into the module of a specific class (ie buffer overflow, UaF etc), and then learn how to exploit it. I decided to start with a use after free vulnerability, I chose this because it would force me to learn about kernel space heap spraying, memory management and so on.

Continue reading “Linux Kernel Heap Spraying / UaF”