Kernel on Arzedlab 🪵https://arzedlab.github.io/tags/kernel/Recent content in Kernel on Arzedlab 🪵Hugoen-us© RavshanThu, 05 Jun 2025 00:00:00 +0000Linux Kernel Exploitation Part 1: ret2usrhttps://arzedlab.github.io/posts/kernel-exploitation-ret2usr-part-1-2063648c0bf4802299a9f392ff3c809b/Thu, 05 Jun 2025 00:00:00 +0000https://arzedlab.github.io/posts/kernel-exploitation-ret2usr-part-1-2063648c0bf4802299a9f392ff3c809b/<h1 id="kernel-exploitation-ret2usr-part-1">Kernel Exploitation ret2usr Part 1</h1> <p><strong><code>compress.sh</code> - To extract compressed image from linux</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#ff79c6">#!/bin/sh </span></span></span><span style="display:flex;"><span><span style="color:#ff79c6"></span>gcc -o exploit -static <span style="color:#8be9fd;font-style:italic">$1</span> </span></span><span style="display:flex;"><span>mv ./exploit ./initramfs </span></span><span style="display:flex;"><span><span style="color:#8be9fd;font-style:italic">cd</span> initramfs </span></span><span style="display:flex;"><span>find . -print0 <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span>| cpio --null -ov --format<span style="color:#ff79c6">=</span>newc <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span>| gzip -9 &gt; initramfs.cpio.gz </span></span><span style="display:flex;"><span>mv ./initramfs.cpio.gz ../ </span></span></code></pre></div><p><strong><code>run.sh</code> - Run qemu configuration</strong></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#ff79c6">#!/bin/sh </span></span></span><span style="display:flex;"><span><span style="color:#ff79c6"></span>qemu-system-x86_64 <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -s <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -m 128M <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -cpu kvm64,+smep,+smap <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -kernel vmlinuz <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -initrd initramfs.cpio.gz <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -hdb flag.txt <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -snapshot <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -nographic <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -monitor /dev/null <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -no-reboot <span style="color:#f1fa8c">\ </span></span></span><span style="display:flex;"><span><span style="color:#f1fa8c"></span> -append <span style="color:#f1fa8c">&#34;console=ttyS0 quiet panic=1 nosmep nosmap nopti nokaslr&#34;</span> </span></span></code></pre></div><p>As you can see all security mitigations are turned off. <code>-s</code> flag set for debugging the linux kernel.</p>Linux Kernel Exploitation Part 2: Adding Mitigitionshttps://arzedlab.github.io/posts/kernel-2-adding-mitigitions-2063648c0bf4808c81cec3f938783649/Thu, 05 Jun 2025 00:00:00 +0000https://arzedlab.github.io/posts/kernel-2-adding-mitigitions-2063648c0bf4808c81cec3f938783649/<h1 id="kernel-2-adding-mitigitions">Kernel 2: Adding Mitigitions</h1> <h2 id="adding-smep"><strong>Adding SMEP</strong></h2> <p><code>SMEP</code>, abbreviated for <a href="https://web.archive.org/web/20160803075007/https://www.ncsi.com/nsatc11/presentations/wednesday/emerging_technologies/fischer.pdf">Supervisor mode execution protection (SMEP)</a>, is a feature that marks all the userland pages in the page table as non-executable when the process is exectuting in <code>kernel-mode</code>. In the kernel, this is enabled by setting the <code>20th bit</code> of Control Register <code>CR4</code>.</p> <p><img src="image.png" alt="image.png"></p> <p><img src="image%201.png" alt="image.png"></p> <h3 id="check-its-in-gdb">Check it&rsquo;s in gdb</h3> <p>Run the qemu with <code>-s</code> and on qemu boot, it can be enabled by adding <code>+smep</code> to <code>-cpu</code>, and disabled by adding <code>nosmep</code> to <code>-append</code>.</p>