
I'd like to build a C application that I can then exploit to get some confidential information from the kernel memory.

The issue is that I don't really understand where to start... I've found that the use of copy_to_user() without appropriate checks on the return value could lead to this sort of issue, but I don't understand how it can be then exploitable. If you could give me some pointers so I can progress, it would be great.

Edit: What I'd like to have is a kind of exploit like this: http://inj3ct0r.com/exploits/7837, where there are X bytes of kernel memory that are finally dumped.

The fact is I don't want any SCTP socket or anything, but "only" the easiest way to recreate this dump of confidential information.

To make a parallel with a buffer overflow, I'd like to create the file vuln.c which would be using the gets() function, and then build the special string that will do the job... In the case of disclosure, I think that it will be another C file.

I hope this makes sense...

Best.

Toopiboum
  • You're not trying to commit a Trojan to the Linux kernel, are you? – L̲̳o̲̳̳n̲̳̳g̲̳̳p̲̳o̲̳̳k̲̳̳e̲̳̳ Jul 02 '10 at 14:48
    Forgive me if I'm mistaken, but from your question it sounds like you think writing a vulnerable userspace application will magically create a kernel vulnerability for you. This is simply wrong. If a kernel vulnerability exists, you don't need to "exploit" your own application to access it. Just write code to exploit the kernel vuln directly. If no kernel vulnerability exists (or at least you don't know of any) then no userspace code you can create will change that. – R.. GitHub STOP HELPING ICE Jul 04 '10 at 12:16
  • Well, I'd like to do this to prove that such vulnerabilities can exist on my targeted system, and to understand better how they work. I thought that I could develop a vulnerable kernel module, and then a user space exploit, since I have all permissions on the system. If that is possible, the question is still: how can I create such a vulnerability? Best. – Toopiboum Jul 05 '10 at 07:34

2 Answers

The reality is that there are a number of ways to proceed depending on what sort of exploit you are trying to learn.

  1. Do you want to inject code through a buffer overflow and a change of the return pointer?
  2. Is there already a call to copy_to_user that you want to exploit using an off-by-one error?
  3. Do you want to use return-oriented programming instead of code injection?
  4. Many others, some of which are listed here.
Wilfred Hughes
torak

Assuming you're not after kernel internals, take a look at this question.

Matt Joiner