/kernel-exploitation

Modern Kernel Stack Buffer Exploitation (4.3.5). Few code snippets and my BlueBorne exploitation experience.

Primary LanguageC

Modern Kernel Stack Overflow Exploitation

Tested on modern (quite modern) kernel

System Setup

Used 32 bit for simplicity with addressing.

Kernel 4.3.5

Compiled vulnerable module

Vulnerable Module

Wrote exploit to take advantage of the vulnerability

Vulnerable Module Exploit

Disabled Kernel Protection NX and Stack Canaries

Local Root Exploit (chage privs of the current process to root)

Was hard to find working example with commit_creds for modern Kernel (not 2.6.x :))

Used two threads, one with shell, the other one calling commit_creds and called after overwriting EIP (root privs)

Wanted to exploit BlueBorne - Bluetooth Stack Overflow (CVE-2017-1000251)

Challenges:

Technical description:

http://go.armis.com/blueborne-technical-paper

Get a second Bluetooth Adapter (USB dongle)

https://www.speedlink.com/Computer-Office/Notebook-Zubehoer/VIAS-NANO-USB-BLUETOOTH-4-0-ADAPTER-BLACK.html

Read Bluetooth Documentation (very long)

https://www.bluetooth.org/docman/handlers/downloaddoc.ashx?doc_id=229737

Understand L2CAP Protocol and Messages exchanges.

Compile Kernel with Debug capabilities (via Virtual Serial Device in Virtual Box)

Debug Kernel :)

Read Kernel Source - it's all there

Trigger BlueBorne

Disable Kernel Protection NX and Stack Canaries

Prepare Shellcode (Trick out the Bluetooth Protocol to pack shellcode in)

Tested with 32 bit Kernel without Protections

Tricking out L2CAP messages

Finding Gadgets

Packing up shellcode

printk() shellcode

Executing

Stabilizing Kernel after shellcode execute

Questions

E-mail me: marcinguy@gmail.com