Skip to content
/ Blunder-Kernel-Driver Public

An exploit for a Linux Kernel IPC Driver whose VM_MAYWRITE flag is not checked during its mmap implementation triggering an AAW and a Heap Overflow for LPE.

static.bluefrostsecurity.de/files/lab/module.tar.gz
2 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

mutur4/Blunder-Kernel-Driver

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
Makefile
Makefile
 
 
README.md
README.md
 
 
blunder.c
blunder.c
 
 
blunder.h
blunder.h
 
 
exploit.c
exploit.c
 
 

Repository files navigation

Introduction

The source code and Makefile are provided for compilation. The exploit was written for Linux 5.4.0 with the following mitigations enabled when compiling the Kernel:

  1. USER_HARDENED_COPY
  2. SLUB_FREELIST_RANDOMIZATION
  3. SMAP, KASLR (FG-KASLR), SMEP, KPTI

The exploit triggered and used a Heap Overflow to leak kernel addresses and used a kernel AAW to overwrite core_pattern. The following is the expected result when the exploit is run.

exploit

A core file can simply be dumped by triggering a segmentation fault with ulimit set to ulimit -c unlimited, for example, using the following C code.

#include <stdio.h>
#include <stdlib.h>

int main(){
	__asm(".intel_syntax noprefix; xor rax, rax; call rax; .att_syntax");
	return 0;
}

When the segmentation fault is triggered /tmp/bash is created and where executed this returns a root shell.

exploit

About

An exploit for a Linux Kernel IPC Driver whose VM_MAYWRITE flag is not checked during its mmap implementation triggering an AAW and a Heap Overflow for LPE.

static.bluefrostsecurity.de/files/lab/module.tar.gz

Topics

kernel explot

Resources

Readme
Activity

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages