This is a whitepaper providing a Linux kernel hacking introduction. Written in Korean.
e109d30f2e576fb027a951ee8c8e6962
x90c article.
+----------------------------------------------+
| ,(r)'a1/2o A?3I Ae3/4aA! AI1/2oCA*IAOAEA (exploiting) |
| ?$?,(r)AE(r) x90c (leader) |
| [email protected] |
| x90c research AEA. |
+----------------------------------------------/
[,n A/]
1. deg3?a (Intro)
1.1 ,(r)'a1/2o A?3I
2. degodegU deg!'ECN o$?AI 1/4Odeg3
3. A?3I Eu ,Th,d,(r) degodegU
4. ,(r)'a1/2o A?3I ,(r),dAE(r) degodegUdegu *IAA degodegU
5. AO+-U degodegU AUuadeg! degoA-uC'A *1AEU*+-1/2o >>cAIAE(r)
6. ,(r)'a1/2o A?3I AI1/2oCA*IAOAC ASSCe
7. ,(r)'a1/2o A?3I degodegU ?a>>c
7.1 ,(r)'a1/2o A?3I degodegU ?!+-, ?a>>c
7.2 CoAc degodegU +-a1y ?1Ao
8. dega*D
*1AEU*+-1/2o
----------
[1. deg3?a]:
----------
AIAE(r)*I:
,(r)'a1/2o A?3I Ae3/4aA! AIPodegi CO PSS NULL Pointer dereference?I ,Th,d,(r) ,-, *1AI1/2oAAud1/4C 1o+-x,UAF
(use-after-free) uiA>> Pdeg?A,deg'U. +-x Ass?!1/4 ,1AI o,degiuE NULL Pointer dereference Ae3/4aA!AI AO?aCN
COA?ueAC degu1/2E 'e>>o Ass CI3adeg! uE'U. AIA-'A AICOCI+-a 1/2!?i Ae3/4aA! degodegUAIdegi 1/2+-degO u?AUCI+-a PSS1(r)AI'U.
mmap_min_addr A?3I AEAPo,ThA, degu*A 1/43A$??! uuPo degodegUAI deg!'ECN 1/2A1/2oAU 1eAE/AECAI AOdegi 3/4AE'N degae?i*I
3a'u3/4i Ao'U.
o>> CD1/2A o,degi1/4,| AeCO1/4 COA?'A ,(r)'a1/2o A?3I Ae3/4aA! degodegU?! 'eCN +-ao>>AuAI >>cCxA>> CD1/2ACN'U.
------------------
[1.1 ,(r)'a1/2o A?3I]:
------------------
,(r)'a1/2o A?3IAo ,(r)'a1/2o OS 1/2A1/2oAUAC CU1/2E AUua,| AC1ICI'AuY= ?i?uA1/4A|deg! oIAEAAI uC3/4i1/4 u?AUCIdegi
3>>oIAuA,*I ?UoIAuAI 1/4OCAAE(r)?th3/4i,| ?i?uCO 1/4o AOdegU+-U Ao?oCI'A 1/4OCAAE(r)?th3/4i,| OS A?3IAIPodegi CN'U.
uuPo1/4 ,(r)'a1/2o A?3IAIPodegi CI,e ,(r)'a1/2o OSAC AU3/4i 1/2A1/2oAU AUua,| ,>>CI'A degIAI'U.
[1] *1AEU*+-1/2o:
https://ko.wikipedia.org/wiki/,(r)'a1/2o_A?3I
(Audegi*I ,(r)'a1/2o'A A-'D1/2o dege? OS AI'U.)
---------------------------
[2. degodegU deg!'ECN o$?AI 1/4Odeg3]:
---------------------------
degiAu do_brk Ae3/4aA!degu degdegAo 1oAEU ?A1oCA*I?i 1/4oCa(,Th,d,(r) A?*'1/4C)AC ,Th,d,(r) ASS1u Ae3/4aA!Ao A?3I ,Th,d,(r),|
?A?deg1/2AAdeg'A 1ae1yA,*I degodegU CI'A +-a1yAI3/4udegi CoAcuu AEDA!deg! uCAo 3/4EAo 1/2A1/2oAU?!1/4'A ,(r)'a1/2o +-CCNA>> >>o1/2A
1/2AAdeg'A EoP degodegUAI deg!'ECI'U. (do_brk degiAu Ae3/4aA! Ao+-Uuu degodegUAo deg!'ECO)
CIAo,, ,1Ao 1/4oAC 1/2A1/2oAUAI AEDA!uE Ao+-UAo EA1U?! 3a?A NULL Pointer dererence AI1/2oCA*IAOAI3a
*1AI1/2o AAud1/4C PC'A COW (Copy on write) 1(r)A|,| 'U*e Dirty COW AI1/2oCA*IAOA>> >>c?eCO degodegU
CI'A degIAI 'o AuCOCI'Udegi CO 1/4ouu AO'U. (?aAo degodegU AUuadeg! >>c?euC'A Ass1/41/4)
AUua,| 1Th3/4AE degodegUCI'A degae?i vs >>o*I?i Ae3/4aA!A>> AUua oD1/4(r)CI'A degae?i (1/2!?odegu 3/4i*A?o)
,(r)'a1/2o A?3I degodegUAo AI1I o,degiuE degodegU AUua,| 3>>*A1Th3/4AE1/4 degodegUCI'A 1ae1ydegu Ae3/4aCN A?3I 1oAuAC 1/4O1/2o AUua,|
A/AC/ 3>>*A 1Th3/4AE oD1/4(r)CO1/4 degodegU AUuaAI A|*IuY=AI AUua,| +-,CoCO degodegUCI'A 1ae1yAI AOAo,, A|*IuY=AI AUua
+-,CoAo 1/2!?i AEiAI 3/4AE'I'U.
uuPo1/4 degodegU?! 1/4odegoCI'A degIAI ,nAuAIPo,e Ai ,dAC COA* ,nAu?!1/4'A degodegU AUua,| 3>>*A1Th3/4AE1/4 Edeg?eCI'A degIuu
+-|AuAo 1aeCaAIPodegi CO 1/4o AO'U. (1/2!?i degae?i'A degodeg3uE degodegU AUua,| >>c?eCI'A degI)
-------------------------
[3. A?3I Eu ,Th,d,(r) degodegU]:
-------------------------
AIAC/ ,Th,d,(r) ?A?deg(adjacent memory) degodegUAo ,(r)'a1/2o A?3I Eu ,Th,d,(r) degodegU +-a1yAIuY= AIdegI ?a1/2A COA?ueAC
Ei1I 'e>>oA,*I CD1/2ACO ,,CN AOA|deg! uE'U. AIdegIAo ,(r)'a1/2o A?3I Eu degodegUAIPodegi oI,Y='U. x90cuu AI 3/4AEAE1/4A!AI
degodeg3 uC3/4uA>> PSS ,A?i degu1/2EA>> deg!A3degi AE-E/ A?3I 3/4AEAdegAOA3AuAI AICO,| AE/COCN'U'A A!AI Ei1I*I?i 'e>>oAI
uC3/4u'U. CD1/2A 'e>>oA,*I1/2a Ei1IAoAoCss+-a PSS1(r)AI'U. 1deg*D AI Ae3/4aA! degodegUAo Eu degodegUAC CI3aAI'U.
AI oIoD?! 'eCO1/4'A phrack.org >>cAIAE(r)AC 3/4AEAE1/4A!A>> APS3/4AE1/4 *1AEU*+-1/2oCO1/4 CD1/2ACI'A degIA>> AssAuCN'U.
+-,+-U,uA>> COuu AU*a'A AOAo,, CA*C/ AU*adeg! A>> 'o Ass AU1/4ouE AEiAIdegi uu?oAI uE degI degdeg'U.
-----------------------------------------
[4. ,(r)'a1/2o A?3I ,(r),dAE(r) degodegUdegu *IAA degodegU]:
-----------------------------------------
'eoIoDAo ,(r)'a1/2o *IAA +-CCN >>o1/2A AI1/2oCA*IAOAIdegi sgrakkyuAC sctp_houdini3a JullienAC madwifi PCCN
interrupt context degu*A AI1/2',, ,(r),dAE(r) AI1/2oCA*IAO degu*AAI'U. 'UPo1/4 *IAA onAssAI 3/4AEAO A(c)'Udegi CO 1/4o AO'U.
[5. AO+-U degodegU AUuadeg! degoA-uC'A *1AEU*+-1/2o >>cAIAE(r)]:
AO+-U degodegU AUuadeg! degodeg3 uE >>cAIAE(r)'A 3/4AE*! ,n*I >>cAIAE(r)deg! AO'U.
https://github.com/SecWiki/linux-kernel-exploits
'e'U1/4oAC degodegU AUua,| 1/4o*ICIdegi AO'U.
Audegi CI+-ae 1UPo'U.
-----------------------------------
[6. ,(r)'a1/2o A?3I AI1/2oCA*IAOAC ASSCe]:
-----------------------------------
,(r)'a1/2o A?3I degodegUAo 'eA1/4*I ,1Ao 1eAE/AEC?!1/4 u?AUCI'A degodegU AUuaueAI ,1AI degodeg3uC3/4i AO3/4i1/4
?(c)*- 1eAE/AECAC Ae3/4aCN 1/41oueAI degodegU 'e>>oAI uE 1/4o AO'U'A A!AI'U. PCCN A?3I Ae3/4aA!AI AE-E/
ASSCeCN degIAo o,3/4E AEDA!deg! A|degouC'A +-adegPSAI 'E3/4iAu 1/4o AO'U'A A!A>> 2AA>> 1/4o AO'U.
PCCN Ae3/4aA! AE-1/4o >>o 1/2A1/2oAU Ae3/4aA!?! AE/COuC+-a PSS1(r)?! 1/2A1/2oAU AuA1/4deg! Aa3/4CuE'U'A A!AI
ASSCeAIPodegi CO 1/4o AO'U.
AI*,degO 3deg!Ao ASSCe A$?uu,| ue 1/4o AOA>> degIAI'U. 1deg*D AP+-U 'o +-iAo AICO?!1/4'A 'U,Y= deguA!ueuu
1ss>>yCO 1/4o AO'U.
---------------------------
[7. ,(r)'a1/2o A?3I degodegU ?a>>c]:
---------------------------
,(r)'a1/2o A?3I degodegU ?a>>c?! 'eCO1/4 degPS*<<E/ 3/4E3/4AE o,AU.
---------------------------------
[7.1 ,(r)'a1/2o A?3I degodegU ?!+-, ?a>>c]:
---------------------------------
,(r)'a1/2o A?3I degodegUAo 20043auuoIAI COA?ue?! ACCO ?!+-, uC'Udeg! ,(r)'a1/2o A?3IA>> Ass 'U*c'A A, ?A1oCIAIua?I degdegAo
A-,iCN ?!+-,?o?! ACCO 'U*iAo+-a 1/2AAU Css'U. Ao+-UAo 'e oIoDAC degodegU +-a1ydegu ,PAIAE1/4degOAI1/4C?! 'eCN AI1/2oCA*IAOAI
1/4Odeg3uCdegi 'U*iAo AEiAI'U.
...
-------------------------------
[7.2 CoAc degodegU +-a1y degaeCa ?1Ao]:
-------------------------------
...
uuPo1/4 >>o*I?i degodegU +-a1yAI 1/4Odeg3 uE 1/4ouu AOdegi +-aA,AC degodegU AUuadeg! Edeg?euE 1/4ouu AO'A 1/2AA!AIPo'A PaeAI'U.
o,3/4E AEDA!deg! uCAo 3/4EAo 1/41o'A ,1+-a PSS1(r)?! ?i?u degu,(r)AC AE-1/4o >>o ,(r)'a1/2o degodegU AUua'A ,1AI >>c?euE 1/4o AO'U.
,(r)'a1/2o A?3I degodegU?! 'eCN >>o*I?i AICO,| 1UAAA,*I >>o*I?i degodegUAI AaCoCO 1/4o AO+-a PSS1(r)?! ,(r)'a1/2o A?3I degodegU
?u?aAo COA?ue?!degO AO3/4i1/4 degaeAI*I?i 'e>>oAI uC+-auu CN'Udegi o1/4 1/4o AO'U.
UAF?! 'eCO1/4'A Assdeg! AuAI CD1/2AAI CE?aCN degI degdeg'U.
----------
[8. dega*D]:
----------
,(r)'a1/2o A?3I degodegU?! 'eCO1/4 3/4E3/4AE o,3/4O'U.
AaeoDCIAo 3/4EAo,, 3/4i'AA$?uu 3>>?eAC on+-a1/4uAuAI AI3/4ss+-a?!1/4oIAI +-a1/4uAuAI 3/4e+-a,| 3/4i'A A$?uu AE/COCO 3/4AEAE1/4A!A>>
AU1/4o Css'U. +-ao>>AuAI AICO,| CI'AuY= uu?oAI uC3/4u+-ae 1UPo'U.
AI>>o.
----------
*1AEU*+-1/2o
----------
- main reference:
https://jon.oberheide.org/files/source10-linuxkernel-jonoberheide.pdf
remote exploit ways:
- sctp_houdini: http://sgrakkyu.antifork.org/sctp_houdini.c
- madwifi: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6332
- interrupt context: ( skip )
aeb reference:
https://www.win.tue.nl/~aeb/linux/hh/hh-12.html ( introduce linux kernel exploit )
to become a hacker:
https://wiki.kldp.org/wiki.php/Hacker-HOWTO
20000.
x90c
?$?,(r)AE(r) COA?.