k3170

Hi folks, in this post I'm going to walk through how to setup the linux kernel for debugging. I will also demonstrate that the setup works by setting a break-point to a test driver I wrote myself. All the code will be available from my gitlab, all the links to my gitlab will be re-posted at the end. The setup I describe here re-uses some parts of the syzkaller setup, and for good reason later on in the post series I will break into a tutorial for the syzkaller tool as well. So lets get on with it. Screenshot of a successful debug session with full debug symbols for the kernel! We can even see the call to start_kernel and a frame before that as well! The Process Okay so we want to study kernel exploitation but given that the kernel isn't something totally accessible in userspace, its not as convenient to debug as userpace stuff, we need a bit of a run up before we can actually poke and prod the kernel to figure out how to write our exploits. So there's a number of importa

Introduction to the ELF Format (Part VI) : The Symbol Table and Relocations (Part 1)

This post is part of a series on the ELF format, if you haven't checked out the other parts of the series here they are: (Part I) : ELF Header https://blog.k3170makan.com/2018/09/introduction-to-elf-format-elf-header.html (Part II) : Program Headers https://blog.k3170makan.com/2018/09/introduction-to-elf-format-part-ii.html (Part III) : Section Header Table https://blog.k3170makan.com/2018/09/introduction-to-elf-file-format-part.html (Part IV) : Section Types and Special Sections https://blog.k3170makan.com/2018/10/introduction-to-elf-format-part-iv.html (Part V) : C Start up https://blog.k3170makan.com/2018/10/introduction-to-elf-format-part-v.html this In this and the next post I'm going to explore how Elf files manage to pull off the magic of symbol resolution as well as the format, offsets and records in the Elf that represent this information. There are many facets to this mechanism in the format, and before I get into each of them I'd like to

Introduction to the ELF Format : The ELF Header (Part I)

ELF Files are charged with using their magic to perform two holy tasks in the linux universe. The first being to tell the kernel where to place stuff in memory from the ELF file on disk as well as providing ways to invoke the dynamic loaders functions and maybe even help out with some debugging information. Essentially speaking its telling the kernel where to put it in memory and also the plethora of tools that interpret the file where all the data structures are that hold useful information for making sense of the file. Anyway that's as far as I've figured it out - the actual break down is a little less simple. I'll demonstrate why this is so here and over the next series of posts in the classic "Learn things by breaking them" style. ELF Header and Identification fields The first thing that appears in an ELF file is of course the header, which is like most things in file formats just a list of offsets in the file. Its purpose is to indicate essentially wha

Introduction to the ELF Format Part II : Understanding Program Headers

Welcome back folks! In the previous post I covered pretty much the most trivial parts of the ELF file format. In this post we are actually going to work with one of the most interesting mechanisms in the file - the program headers! I skipped some parts of the ELF header in the previous post and decided to cover them here specifically because they inform on the Program Headers anyway. Lets get started! Introduction : What are Program Headers? I mentioned in part 1 that the ELF format performs two tasks. A recipe for how to sublimate dead files into living processes and adds the bells and whistles needed to make the file look pretty to gdb, the dynamic loader and a bunch of other tools. Program Headers ( among other functions ) are more often for telling the memory loader where to put stuff. It also has some house keeping functions. We'll get into how these memory loading powers and formats work a little later for now its just important to keep in mind a good idea of what

Introduction to the ELF Format (Part V) : Understanding C start up .init_array and .fini_array sections

This post is part of a series on the ELF format, if you haven't checked out the other parts of the series here they are: (Part I) : ELF Header https://blog.k3170makan.com/2018/09/introduction-to-elf-format-elf-header.html (Part II) : Program Headers https://blog.k3170makan.com/2018/09/introduction-to-elf-format-part-ii.html (Part III) : Section Header Table https://blog.k3170makan.com/2018/09/introduction-to-elf-file-format-part.html (Part IV) : Section Types and Special Sections https://blog.k3170makan.com/2018/10/introduction-to-elf-format-part-iv.html this In this post I'm going to cover how some of the aspects of C start up and mess around with the .init_array and .fini_array sections to show how they work. C Start Up So something must happen to get your code in the main function running. This process is called the C start up and it essentially involves running all the initialize code, setting up pointers to some important arrays and then branc

[Reverse Engineering Primer] Unpacking cramfs firmware file systems

Reverse engineering firmware from the point of view of an attacker involves levering as much as possible what is accessible from the physical board. Of course the classic question this strives to answer is, if someone gets hold of my board what could go wrong? Reverse engineering some devices in the wild often exposes security keys, default passwords and other forms of security failures that can expose an unfair escalation of privilege or perhaps also allow a complete take over of the device right down to boot loader level - all of this sometimes also possibly learned by analyzing the firmware. I'm going to talk about some of the more basic skill in getting toward exposing the code and other sensitive artifacts used by the device. Before you can find remote code execs and admin auth by pass vulns you need to get to grips with firmware image formats and embedded file systems. Setting up the environment Before getting super in depth and writing our own file format parsers,

[Linux Kernel Exploitation 0x1] Smashing Stack Overflows in the Kernel

Previous Post in Series : [Linux Kernel Exploitation 0x0] Debugging the Kernel with QEMU https://blog.k3170makan.com/2020/11/linux-kernel-exploitation-0x0-debugging.html Hi folks this blog post is part of a series in which I'm running through some of the basics when it comes to kernel exploit development for Linux. I've started off the series with a walk through of how to setup your kernel for debugging and included a simple debug driver to target. The post here carries on from this point and explores some stack security paradigms in the kernel. We're gonna add some stuff to that driver to make it do a dangerous memcpy and then look at whether we can manipulate memory structures with our input. I initially intended to cover full exploit to a root shell with this post but that proved a bit more challenging than I anticipated so I'm splitting this up into two posts. This one will cover almost everything right up to actually controlling the instruction pointer in the ker

Labels

About.me
addJavascriptInterface
Adult Swim
AI.
Alan Turing
Altcoin
Androguard
Android
Android Application Hacking
Android Application Security

Android Hacking
Android Secure Random vulnerability
Android Security
Angr
Anonymity
Application Vulnerabilities
ARM
Binary Analysis
Bit Substring-ing
Bitcoin
Blind MySQL injection
Blind SQL injection
Blind SQLi
Blind-Error Based Injection
Block Chain
Block Ciphers
Blockchain
Blogger.com
Blogger.com vulnerability
Browsers
Cartoons
Cascading Style Sheets
Chrome
Chrome 19
Chrome 19 XSS bypass
Compiler Internals
Compilers
Computation
Computer Science
conciousness
Content Providers
Cookie Precedence
Cramfs
Critical Theory
Cross Site Request Forgery
Cross Site scripting
Cryptanalysis
Cryptocurrency
Cryptography
CSRF
CSS
CSS Cross Origin
CTF
Debate
Debugging
Dialectic
Dynamic Linking
Dynamic Loading
Egyptian Magic
ELF
ELF Format
Embedded
Embedded ARM
Embedded Linux
Encryption
Error Based MySQLi
Ethics
Executable Formats
Executable Linkable Format
Existentialism
Exploit Development
Fast Blind SQL injection
Field Programmable Gate Arrays
File Explorer (FX)
Filter Evasion
Firefox
Firmware
FPGA
GDB
George Cantor
Global Offset Table
GooDork
Google
Google Dorking
Google Hacking
Google Web Cache
Hacking
Hardware
Hardware Engineering
Hardware Reverse Engineering
Hash Length Extension Attacks
Hashing
HDL
Heap
Heap Exploitation
Hegel
Homomorphic Encryption
HTML5
HTTP Response Splitting
ICEStick40
infomration gathering
information gathering techniques
Information Security
InfoSec
Internet
IO File Manager
Java
Javascript
k3170makan
Kernel
Keygen
Kurt Godel
Lacan
LangSec.
Lattice FPGA
LFI
Linux
Linux Exploit Development
Linux Kernel
LLVM
LLVM Framework
LLVM Pass Framework
MACS
Magic
Man in the Middle Attack
Masked Bit Shifting
MD5
Memory Corruption
Merkle-Trees
Message Authentication Codes
Meta-analysis
Mirror Phase
MITM
Mixed Display
Mixed Scripting
Mixed Scripting Vulnerability
Morty
MySQL
MySQLi
Mysticism
Next Browser
NoScript
NoScript Bypass
Occult
Ontology
Open Source
Opera
Padding Oracle
Path Traversal Vulnerability
penetration testing
Phenomenology
Philosophy
Philosophy of Hacking
Philosophy of Software
PHP
Physics
Privacy
PRNG
Procedure Linkage Table
Pseudo Random number security
Psychology
ptmalloc
ptmalloc2
Python
RE
Relocation
Reverse Engineering
Reverse Engineering ARM
Reverse Engineering Black Lists
Reviews
RFI
Rick
Rick 'n Morty
Rights
Robots
Safari
Same Origin Policy
Sartre
Sci-Fi
Scroll of Ani
Security
Security Testing
Set Theory
SHA-1
SHA-2
Shared libraries
SharedPreferences
Simulation Theory
Smart File Manager
Software
SQL Exploitation
SQL injection
SQLi_XSS
Stackoverflows
Structured Exception Handler
Symbolic Execution
Taint Analysis
Theoretical Physics
Theory of Computation
Threat Modelling Android Applications
Time based SQLi
Trident
TV Review
TV Reviews
Tv Show
UART
Understanding ELF Format
Vaudenay
Verilog
Video Formats
W3 Total Cache
Web Attacks
Web Hacking
Web Security
WebKit
WebView
WebViewClient
WebVTT
whitehats
WinDBG
Windows
Windows Exploit Development
Word Press
Word Press CSRF
Word Press Exploit
Word Press Photo Album Plus
Word Press Plugin
Word Press Vulnerability
Word Press W3 Total Cache Vulnerability
Word Press XSS
Wppa
XSS
XSS Filter by pass
XSS Filters
XSSAuditor
XSSSQLi

Show more Show less

Report abuse

Keith Makan