Practical SMEP bypass techniques on Linux
RUXCON15 - Vitaly
ret2usr Option #1 - corrupted function ptr (slide diagram: high memory address, function pointer, kernel space)
ret2usr
Option #1 - corrupted function ptr
• What function pointer to overwrite?
  • ptmx_fops
    • int fd = open("/dev/ptmx", O_RDWR);
    • fsync(fd);
  • perf_fops
    • int fd = sys_perf_event_open(…);
    • fsync(fd);
• grep -E '_ops$|_fops$' /boot/System.map*

Questions? @vnik5287