CSAW CTF 2011 Kernel Exploitation Challenge
November 27th, 2011

My challenge for this year’s NYU Poly CSAW CTF finals was a Linux kernel exploitation challenge disguised as a crypto challenge. The challenge and solution are described below.
I’m releasing a couple tools I use internally for Linux kernel exploit development: ksymhunter and kstructhunter. They’re probably only useful for like ten people on the planet, but oh well, enjoy!
Last month at SummerCon, Dan Rosenberg and I talked about our stackjacking technique for exploiting kernel vulnerabilities on grsecurity/PaX-hardened Linux kernels, in a presentation titled “Stackjacking and Other Kernel Nonsense.”
It’s been about six months since I reported a vulnerability in the Android mobile platform that allowed the unprompted installation of arbitrary applications with arbitrary permissions on a victim’s device. While the vulnerability has long been fixed on Android handsets around the world, I’ve yet to write up any technical details about it, and it’s unlikely you’ve heard of it unless you were present at our ShmooCon presentation earlier this year. So without further ado, let’s dive into “When Angry Birds attack: Android edition.”
This April at Hackito Ergo Sum in Paris and Immunity’s Infiltrate in Miami, Dan Rosenberg and I presented on a technique to exploit grsecurity/PaX-hardened Linux kernels. Read on for a brief overview of our presentation and a link to the full slides and PoC code.
No, seriously.
In this post, I’ll introduce an exploitation technique for kernel stack overflows in the Linux kernel. Keep in mind this does not refer to buffer overflows on the kernel stack (whose exploitability is well understood), but rather the improper expansion of the kernel stack causing it to overlap with critical structures which may be subsequently corrupted. This is a vulnerability class in the Linux kernel that I do not believe has been exploited publicly in the past, but it is relevant due to a recent vulnerability in the Econet packet family.
The finals for NYU Poly’s CSAW CTF were this past weekend in New York City. I thought I would post the kernel exploitation challenge I developed for the final round. Feel free to try your hand at solving it!
A vulnerability in the pktcdvd driver in the Linux kernel allows for the disclosure of 4 bytes of kernel memory. In this post, I’ll describe the tad bit of magic that’s necessary to exploit the vulnerability on both 32-bit and 64-bit hosts to disclose an arbitrary amount of kernel memory.
Ben Hawkes discovered a vulnerability in the Controller Area Network (CAN) packet family in the Linux kernel that results in a controllable overflow of a SLUB-allocated structure. As there aren’t a whole lot of modern, public examples of SLUB overflow exploits, I’ll describe my exploit of the CAN vulnerability in detail.