Introduction

Hi everyone, I hope you're all well. Today we meet again for the second part of this series of kernel exploitation articles dedicated to stack buffer overflows. In this part we are going to look at more advanced techniques for bypassing protections, as well as how to get a ROP chain going in kernel land.

Now that you are comfortable exploiting a basic buffer overflow in kernel land, I won't go back over the basics; we will get straight to the concrete part.

Without further ado, we will start with a small reminder of the ROP technique and of what differs in kernel land.


Return-oriented programming in kernel land

Small reminder of the technique

Return-oriented programming (ROP) is an exploitation technique that redirects the program's control flow "several times" in order to bypass protections such as a non-executable stack. By "several times" I mean the ROP chain: a sequence of gadgets, that is, short snippets of executable instructions already present in the binary, ending in an instruction such as ret, jmp or call (in the case of a ROP proper, the gadget ends with ret, hence the name). Chaining gadgets this way lets us drive execution from the stack, since each ret pops the address of the next gadget from it, and thereby completely change the program's flow of execution.

It is worth knowing that in kernel land the concept is exactly the same, except that a few subtleties will get in our way; we will come back to them later.


Grabbing gadgets

First of all, a question you may have asked yourself: where do we get our gadgets from?

In part 1 we went over the different files provided in a kernel exploitation challenge.

We will come back to one of them: the compressed kernel image (typically named bzImage).

This file is simply the kernel itself, compressed into a single file. It can be extracted into an ELF executable, "vmlinux", which is useful for looking for gadgets when doing a ROP.
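Once vmlinux is in hand, finding gadgets is a matter of locating every ret and decoding the bytes before it. As an added example (not the article's code, and not a real disassembler), here is a toy gadget finder in C that does on a constructed handful of bytes, standing in for a few bytes of vmlinux's .text, what ROPgadget does on the real extracted kernel: scan for 0xc3, walk backwards, and list every instruction sequence that lands exactly on that ret. It only knows the few opcodes that show up in common kernel gadgets (pop r64, mov rdi, rax, swapgs), and the text base 0xffffffff81000000 is an assumption (the x86-64 default without KASLR). The addresses it reports are exactly what ends up on the stack when the chain described above is built.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Toy x86-64 ret-gadget finder (added example, not the article's code). Not a
 * real disassembler: it knows only a few opcodes common in kernel gadgets. */
#define MAX_GADGET_BYTES 8

typedef struct {
    uint64_t addr;   /* virtual address = base + offset in .text */
    char text[128];  /* listing, e.g. "pop rdi ; ret" */
} gadget_t;

static const char *reg64[16] = { "rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
                                 "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15" };

/* Decode one known instruction at p (avail bytes before the ret): write its
 * mnemonic to out and return its length, or 0 if we do not recognize it. */
static size_t decode_one(const uint8_t *p, size_t avail, char *out, size_t outsz)
{
    if (avail >= 1 && p[0] >= 0x58 && p[0] <= 0x5f) {                 /* pop rax..rdi */
        snprintf(out, outsz, "pop %s", reg64[p[0] - 0x58]); return 1;
    }
    if (avail >= 2 && p[0] == 0x41 && p[1] >= 0x58 && p[1] <= 0x5f) { /* REX.B pop r8..r15 */
        snprintf(out, outsz, "pop %s", reg64[8 + p[1] - 0x58]); return 2;
    }
    if (avail >= 3 && p[0] == 0x48 && p[1] == 0x89 && p[2] == 0xc7) { /* mov rdi, rax */
        snprintf(out, outsz, "mov rdi, rax"); return 3;
    }
    if (avail >= 3 && p[0] == 0x0f && p[1] == 0x01 && p[2] == 0xf8) { /* swapgs */
        snprintf(out, outsz, "swapgs"); return 3;
    }
    return 0;
}

/* True if code[start, ret_off) decodes as known instructions that land exactly
 * on the ret at ret_off; the full listing ("a ; b ; ret") is written to out. */
static int decode_gadget(const uint8_t *code, size_t start, size_t ret_off, char *out, size_t outsz)
{
    size_t p = start;
    out[0] = '\0';
    while (p < ret_off) {
        char ins[32];
        size_t n = decode_one(code + p, ret_off - p, ins, sizeof ins);
        if (n == 0)
            return 0;
        snprintf(out + strlen(out), outsz - strlen(out), "%s ; ", ins);
        p += n;
    }
    snprintf(out + strlen(out), outsz - strlen(out), "ret");
    return 1;
}

/* For every 0xc3 in code, walk back up to MAX_GADGET_BYTES and report each start
 * offset that decodes into a gadget. Misaligned decodes are kept on purpose:
 * such "unintended" gadgets are exactly what ROPgadget turns up in vmlinux. */
size_t find_gadgets(const uint8_t *code, size_t len, uint64_t base, gadget_t *out, size_t max_out)
{
    size_t count = 0;
    for (size_t i = 0; i < len && count < max_out; i++) {
        if (code[i] != 0xc3)
            continue;
        for (size_t back = 1; back <= MAX_GADGET_BYTES && back <= i && count < max_out; back++)
            if (decode_gadget(code, i - back, i, out[count].text, sizeof out[count].text))
                out[count++].addr = base + (i - back);
    }
    return count;
}

/* Address of the first gadget whose listing equals text, 0 if there is none. */
uint64_t lookup_gadget(const gadget_t *g, size_t count, const char *text)
{
    for (size_t i = 0; i < count; i++)
        if (strcmp(g[i].text, text) == 0)
            return g[i].addr;
    return 0;
}

/* Constructed stand-in for a few bytes of vmlinux .text (not a real kernel). */
static const uint8_t sample_text[] = {
    0x90, 0x90,                /* nop ; nop                                */
    0x5f, 0xc3,                /* pop rdi ; ret               at offset 2  */
    0x48, 0x89, 0xc7, 0xc3,    /* mov rdi, rax ; ret          at offset 4  */
    0x41, 0x5c, 0x5d, 0xc3,    /* pop r12 ; pop rbp ; ret     at offset 8  */
    0x0f, 0x01, 0xf8, 0xc3,    /* swapgs ; ret                at offset 12 */
};
#define SAMPLE_BASE 0xffffffff81000000ULL   /* assumed: x86-64 default text base without KASLR */

int main(void)
{
    gadget_t g[64];
    size_t n = find_gadgets(sample_text, sizeof sample_text, SAMPLE_BASE, g, 64);
    for (size_t i = 0; i < n; i++)
        printf("0x%016llx : %s\n", (unsigned long long)g[i].addr, g[i].text);
    return 0;
}
```

Note the extra hit at offset 9: the bytes 5c 5d c3 inside "pop r12 ; pop rbp ; ret" also decode, when you skip the REX prefix, as "pop rsp ; pop rbp ; ret". The compiler never emitted that instruction, but the CPU will happily execute it if we return into the middle of the encoding, and this is where a good share of the gadgets in a real kernel come from.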

So yes, we are going to be able to extract the gadgets from that image quite simply.

There is a tool that extracts this image into an ELF executable.