Vulnerability

CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 3/4)

Tue 02 October 2018

The third article covers use-after-free exploitation. Starting from the PoC, it explains what is needed to exploit a UAF in ring-0, how to perform a reallocation, and how to gain an arbitrary call primitive. The core concept section focuses on the memory management subsystem (SLAB allocator).

Vulnerability

CVE-2017-11176: A step-by-step Linux Kernel exploitation (part 4/4)

Tue 02 October 2018

In the last article, the arbitrary call primitive is used to gain arbitrary code execution in ring-0 while bypassing SMEP. It covers an extensive study of the page fault exception trace, how to find gadgets in the kernel image, and how to design a ROP chain that finally calls the payload. In the end, it shows how to repair the kernel and gain root privileges. The core concept section focuses on the thread_info structure, the virtual memory layout and netlink's hash tables.
