Linux kernel exploit development

Inspired by Midas's series on Linux kernel exploit development, this series follows the same pattern of exploit mitigations using pwn.college's kernel and includes all of my code and examples here

Topics include: * Setup * Interacting with kernel modules (ioctl, character devices) * Stack cookies * KASLR * SMEP * SMAP * KPTI * modprobe_path * cred_struct overwritting

Protections TLDR:

KASLR - Requires a leak to exploit

SMEP - Can't execute shellcode in userspace while in kernelmode (Kind of like DEP/NX)

SMAP - No reading or writing from userspace pages while in kernelmode (Stack pivots harder)

KPTI - Separate kernel space from user space. Need to swap between pages

PreviousRecreating CVE-2015-1187 in the DIR-820L NextSetup

Last updated 3 years ago

Was this helpful?

Linux kernel exploit development

Inspired by Midas's series on Linux kernel exploit development, this series follows the same pattern of exploit mitigations using pwn.college's kernel and includes all of my code and examples here

Topics include: * Setup * Interacting with kernel modules (ioctl, character devices) * Stack cookies * KASLR * SMEP * SMAP * KPTI * modprobe_path * cred_struct overwritting

Protections TLDR:

KASLR - Requires a leak to exploit

SMEP - Can't execute shellcode in userspace while in kernelmode (Kind of like DEP/NX)

SMAP - No reading or writing from userspace pages while in kernelmode (Stack pivots harder)

KPTI - Separate kernel space from user space. Need to swap between pages

PreviousRecreating CVE-2015-1187 in the DIR-820L NextSetup

Last updated 3 years ago

Was this helpful?