Dobin 0x73_KernelExploitation.pdf
Card set details

Cards | 17 |
---|---|
Language | English |
Category | Religion/Ethics |
Level | University |
Created / Updated | 25.06.2019 / 04.07.2019 |
Licensing | Not specified |
Weblink | https://card2brain.ch/box/20190625_dobin_0x73kernelexploitation_pdf |
What kernel modes are there?
Kernel Mode / Supervisor Mode / Unrestricted Mode / System Mode
- Access to all memory
- Access to special CPU registers
User Mode / Non-Privileged Mode / Restricted Mode
How can you get Kernel execution - the dev way?
Linux:
- Write LKM (Linux Kernel Module)
- Load as Root
- Redhat 7 -> when Secure Boot is active, all kernel modules must be signed with a private key.
Windows:
- Reboot in unsafe / development mode
- Or: Sign code with Driver Certificate ($$$ to Microsoft)
- -> No untrusted (unsigned) code in the Windows kernel!
What are the difficulties in exploiting the kernel?
Difficulties in exploiting:
- If the exploit crashes -> the whole system crashes
- No simple system() shellcode
- Spawning new processes is hard
- Traverse memory to find the process handle, set uid=0
- No brute force
- E.g. ASLR
Easier exploiting:
- Information disclosure is easier (local)
- Kernel ASLR (kASLR) is hard to implement
- Attack surface is gigantic (local)
What are some of the use cases of Kernel Exploiting?
Use cases:
- Mobile (Android, iOS) exploiting / jailbreaking (App -> Root)
- Local privilege escalation (www-data Apache, non-localadmin)
- Pwning the cloud (containerization)
- Rootkits (post breach persistence / hiding)
- Backdoors (regain access to a compromised host)
- Cheats (PC, Console)
Name some attack surfaces for Kernel Exploits.
Attack surface examples:
- Drivers
- File Systems
- Sockets
- Syscalls
- /proc, /sys
How is kernel memory mapped into physical memory?