I learned some things about kernel pwn during my xman days; it was definitely an awesome experience! There you can pick up many skills and tricks about binary exploitation and meet a bunch of guys who are interested in binary. Anyway, back to today's theme.
It's an easy challenge without KASLR, SMEP or SMAP. Why is it easy? Just because the binary has no protections? No, the logic is what makes it easy. So, load baby.ko into IDA and let's check it out.
It looks like a stack buffer overflow, but in kernel mode. What is the function called **copy_from_user**? Let's figure it out.
This function takes three arguments: `to`, the destination address, a pointer into kernel space; `from`, the source address, a pointer into user space; and `n`, the number of bytes to copy. It copies data from user space to kernel space and returns the number of bytes that could not be copied; on success this is zero. If some data could not be copied, the function pads the copied data to the requested size with zero bytes.
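As an added example (not code from the write-up or from baby.ko), here is a user-space model of the copy_from_user semantics just described, next to a write handler hardened against the length bug the challenge is built on. The buffer size, the handler name and the "unmapped tail" fault injection are all constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* User-space model of the kernel's copy_from_user(): copies n bytes from a
 * user pointer, returns how many bytes could NOT be copied, and zero-fills
 * the part of the destination it could not fill. g_unmapped_tail is a
 * constructed stand-in for a fault on the last bytes of the user buffer. */
static unsigned long g_unmapped_tail;

void model_set_unmapped_tail(unsigned long n) { g_unmapped_tail = n; }

unsigned long model_copy_from_user(void *to, const void *from, unsigned long n)
{
    unsigned long copied = n > g_unmapped_tail ? n - g_unmapped_tail : 0;
    memcpy(to, from, copied);
    memset((char *)to + copied, 0, n - copied); /* pad the rest with zero bytes */
    return n - copied;                          /* 0 on success */
}

/* Self-check of the model: a partial copy of 8 bytes with a 3-byte faulting
 * tail returns 3 and leaves "ABCDE" followed by three zero bytes. */
int model_partial_copy_zero_pads(void)
{
    char dst[8];
    model_set_unmapped_tail(3);
    unsigned long left = model_copy_from_user(dst, "ABCDEFGH", 8);
    model_set_unmapped_tail(0);
    return left == 3 && memcmp(dst, "ABCDE\0\0\0", 8) == 0;
}

#define BABY_BUF_SIZE 128   /* constructed; not the real module's buffer size */

/* Hardened write handler. The write-up's bug is a user-controlled length
 * copied into a fixed stack buffer with no size check, which is why the saved
 * return address sits at a fixed offset past the buffer. The fix is to bound
 * the length before copying and to treat a non-zero copy_from_user() result
 * as a fault instead of as valid data. */
long baby_write_fixed(const char *user_buf, size_t count)
{
    char buf[BABY_BUF_SIZE];

    if (count > sizeof(buf))          /* reject instead of overflowing the stack */
        return -EINVAL;
    if (model_copy_from_user(buf, user_buf, count) != 0)
        return -EFAULT;               /* partial copy: do not trust buf */
    return (long)count;               /* bytes consumed, as write() reports */
}
```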
A kernel pwn challenge generally ships with files like the ones below.
bzImage: kernel binary
initramfs.cpio: file system image
baby.ko: vulnerable driver
startvm.sh: boot script with the qemu arguments to start the VM
When you boot the VM and launch a shell, you can use two commands to check whether we can read a kernel address; if they print 1, we can't.
So, how do we get around this? Find /home/parallels/Desktop/level1/root0/etc/init.d/rcS and change the 1000 to 0000; after that we get a root shell. By the way, you first have to unpack initramfs.cpio, find rcS, and then pack it again.
setsid cttyhack setuidgid 0000 sh
Once we have a root shell, use the command "lsmod" to get the base address of baby.ko. If we want to use commit_creds(prepare_kernel_cred(0)) to get root, the addresses of prepare_kernel_cred and commit_creds are indispensable as well.
Now, using the base address 0xFFFFFFFFC0002000, set a breakpoint at retn. Use cyclic to make the padding, and we find that rip sits after 136 bytes.
If the kernel has no SMEP, we can execute user-space pages, like execl("/bin/sh","sh",NULL). Think of SMEP as a kind of DEP/NX for the kernel. So, once we control rip and there is no SMEP, we just execute commit_creds(prepare_kernel_cred(0)), return to user space and call execl; after that we get root.