This document discusses vulnerability design patterns for kernel exploitation. It outlines several common vulnerability classes for the kernel including out of boundary errors, buffer overflows, and null pointer writes. It provides examples of how these vulnerabilities could be used to achieve kernel code execution or privilege escalation. It also notes how kernel exploitation techniques have evolved over time to bypass defenses like KASLR and discusses developing exploitation tools instead of just shellcode.
5. KERNEL ESCAPE
few lines of code, simple, effective – for that time
Modified sample from : https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/sock_sendpage.rb
9. Present (+-) & Future : Step by step
User
Elevated user
(admin / root)
Supervisor
• DEP, ASLR, SEHOP, ProtectedFree, Isolated Heap, CFG,
Virtual Table Guards, EMET...
• sandbox, SELinux and alikes
• KASLR, SMEP, SMAP, ..
10. Why kernel escape
• Going to be more and more difficult, but ...
• still .. sometimes easier .. shortcut
• Natural bypass of SELinux
• Full control (cpl0 > cpl3)
• for now do not considering cpl-1, ...
11. exploitation ==> developing
• In past was very easy elevate privileges
• Now everything is fast moving
• You need to adapt to all changes & diversity
• Things are getting more complex
• Your exploitation code is expanding dramatically
• Every change can broke your black-box
• + Process of exploitation need more than ioctl
• Race conditions, complex mechanism break (ttf), sandbox
escapes ...
18. Stack overview
• Local vars
• canaries
• Protect ret & args
• ... sometimes ... missing
• UNprotected inner calls ?
• Arg in main func preserved in register
• Inner call invoked, register may be putted onto stack
• Rewrite arg (or directly ret) on stack in inner call
• Return to main func with altered arg (in register)
• Can help more than it seems ;)
• Controlled copy, overwrite save your day
20. Buffer overview
• Windows kernel pool, SLUB
• not so predictable anymore
• but still far from not-predictable at some level
• kmalloc
• targeted kmalloc from user mode ?
• not so hard as can seems
• help with predictability
• Pool spray
• thread, process, pipe, socket ...
• caches (linux)
• can be problem for precise pool layout, but can be solved
27. Elevation of Privilages
USER
• Find nt!_eprocess /
thread_info
• Patch credentials
• Bypass ACL policy
• Reverse engineer per policy
• Implement
• Keep up to date
• Good if not change
frequently .. Not that case
KERNEL
• Elevate process
• Grant access important
operations (callbacks)
• File access
• Process access
• Registry access
• Network
• How effective without
framework ?
28. Kernel part of cake
• Boosting privs
• Why patching ?
• Recognize and grant access instead
• No LKM ? Are you sure ?
• Kernel exploitation may be equals to enable LKM
29. CC-shellcoding framework
• developing instead of shellcoding ?
• C++, boost, std ?
• Loading your own kernel modules ?
https://github.com/k33nteam/cc-shellcoding
more info : http://www.k33nteam.org/blog.htm -
CC-SHELLCODING
@KEENTEAM