Linux-Kernel-Exploit NULL dereference



Bug

Consider a simple kernel module.
It creates a file /proc/bug1.
It defines what happens when someone writes to that file. It call a Null address.
As the code below:

We we call the bug_write function in our shell:

We try to write something in /proc/bug1 that trigger my_funcptr which points to an uninitialized address NULL.
I try to debug it with gdb, but i can’t make breakpoint on 0x0 address , I don’t konw why others successfully debug and watch the how it goes ….it’s a pity.

Kernel crash message:

It prints BUG: unable to handle kernel NULL pointer dereference at (null)

Poc

We try to inject our payload to address 0x0,so look at our poc.c,it mapped 0x0 address and copy our payload :jmp 0xdeadbeef

Kernel panic message show a bad EIP value:0xdeadbeef

Our payload is executed by kernel.
In x86 memory address space lays out below:

We we call write,kenel jumps 0x0 address try to call my_funptr() that’s execve our payload jmp 0xdeadbeef to a invaild address,so it creat an error msg.
We control the instruction pointer… excellent.

Exp

What we really want is a root shell.
Kernel can’t just call system("/bin/sh").
But it can give root privileges to the current process:

And then we execve system("/bin/sh") we can get a root shell.

So frist we determin it’s address ,Beause our kernel it’s hardcode values,it’s invariant for every start .So we can easily find the function address by

We’ll write this simple payload in assembly.
Kernel uses %eax for first argument and return value.

通过shellcode编写exp如下:

Before we test our exp,we su to user account,and execve exp,result below:

We show a segmention fault beause a kernel exploit mitigate patch mmap_min_addr add in current kernel.

Mitigate

mmap_min_addr forbids users from mapping low addresses

  1. First available in July 2007 2.
  2. Several circumventions were found 3.
  3. Still disabled on many machines

In our system,mmap_min_addr=0x1000,For execving our exploit,we set it and test our exploit again:

We success get a ROOT SHELL.

References

Linux内核漏洞利用(二)NULL Pointer Dereference
Linux 内核漏洞利用教程(二):两个Demo
mmap_min_addr
write-kernel-exploits

发表评论