Vulnerability
CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 3/4)
Tue 02 October 2018
The third article covers use-after-free exploitation. Starting from the PoC, it explains what is needed to exploit a UAF in ring-0, how to perform a reallocation, and how to gain an arbitrary call primitive. The core concept section focuses on the memory management subsystem (SLAB allocator).
Vulnerability
CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 4/4)
Tue 02 October 2018
In the last article, the arbitrary call primitive is used to gain arbitrary code execution in ring-0 while bypassing SMEP. It covers an extensive study of the page fault exception trace, how to find gadgets in the kernel image, and how to design a ROP chain that finally calls the payload. In the end, it shows how to repair the kernel and gain root privileges. The core concept section focuses on the thread_info structure, the virtual memory layout and netlink's hash tables.