# Setup ## Overview The kernel module used for these exercises is based off `hxpCTF 2020` `kernel-rop` . It didn't come with source, so I rewrote it and have it uploaded [here](https://github.com/ChrisTheCoolHut/Linux_kernel_exploitation/blob/master/src/kernel-overflow.c). You can [build the kernel yourself ](https://github.com/pwncollege/pwnkernel)or use my prebuilt one [here](https://github.com/ChrisTheCoolHut/Linux_kernel_exploitation). You will need `qemu`,`gcc`, and `gdb` to follow along with these problems. The `launch.sh` script will rebuild the file system and launch qemu ```bash #!/bin/bash # build root fs pushd fs find . -print0 | cpio --null -ov --format=newc | gzip -9 > ../initramfs.cpio.gz popd # launch /usr/bin/qemu-system-x86_64 \ -m 128M \ -cpu kvm64,+smep,+smap \ -no-reboot \ -kernel linux-5.4/arch/x86/boot/bzImage \ -initrd $PWD/initramfs.cpio.gz \ -fsdev local,security_model=passthrough,id=fsdev0,path=$HOME \ -device virtio-9p-pci,id=fs0,fsdev=fsdev0,mount_tag=hostshare \ -nographic \ -monitor none \ -s \ -append "console=ttyS0 nokaslr nopti nosmep nosmap panic=1" ``` The `-s` flag will start qemu with gdb debugging enabled on localhost port `1234` . Most gdb extensions like `gef` and `pwndbg` have trouble debugging kernels and you can disable them with the command: `gdb -nx ./bzImage` ## Kernel-Overflow module The module we will be exploiting for most of this series is named `kernel-overflow` and is located here \[TODO github link]. The module creates a character device named `kernel-overflow` which is accessible at `/dev/kernel-overflow` . It supports read and write operations, which ultimately lead to a leak and overflow. ## Leak The leak happens when `read` is called on the character device with a length greater than `256` bytes. Our stack buffer `tmp` is only `256` bytes long and the length check below it is not sufficient to prevent an overread from happening. As long as our read is less than `0x1000` bytes, we can read past `tmp` and leak out the `stack cookie` and `stack saved registers` ```c static ssize_t device_read(struct file *filp, char *buf, size_t len, loff_t *offset) { int tmp[32] = {0}; tmp[0] = 0xDEADBEEF; tmp[31] = 0xCAFEBABE; memcpy(hackme_buf, tmp, len); if ( len > 0x1000 ) { printk("Buffer overflow detected (%d < %lu)!\n", 4096LL, len); BUG(); } if ( copy_to_user(buf, hackme_buf, len) ) return -14LL; return len; } ``` ## Overflow The overflow happens when `write` is called on the character device with a length greater than `256` bytes. Our stack buffer `tmp` is only `256` bytes long and just like the leak, the length check is not sufficient to prevent a stack overflow. ```c static ssize_t device_write(struct file *filp, const char *buf, size_t len, loff_t *off) { int tmp[32] = {0}; tmp[0] = 0xDEADBEEF; tmp[31] = 0xCAFEBABE; if ( len > 0x1000 ) { printk("Buffer overflow detected (%d < %lu)!\n", 4096LL, len); BUG(); } check_object_size(hackme_buf, len, 0LL); if ( copy_from_user(hackme_buf, buf, len) ) return -14LL; memcpy(tmp, hackme_buf, len); // my gcc is optimizing out the memcpy // having tmp used after the copy ensures // that it stays in printk(KERN_ALERT "After %s",tmp); return len; } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development/setup.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.