Chapter 26. Exploiting Unix Kernel Vulnerabilities
We discussed two major kernel vulnerabilities in great detail in Chapter 25; in this chapter, we move on to the exploitation of these vulnerabilities. A primary concern with exploiting vulnerabilities, especially kernel vulnerabilities, is reachability. Let's examine some creative methods of doing so with the OpenBSD vulnerability described in Chapter 25.
The exec_ibcs2_coff_prep_zmagic() Vulnerability
In order to reach the vulnerability in exec_ibcs2_coff_prep_zmagic(), we need to construct the smallest possible fake COFF binary. This section discusses how to create this fake executable.
Several COFF-related structures will be introduced, filled in with appropriate values, and saved into the fake COFF file. In order to reach the vulnerable code, we must have certain headers, such as the file header, aout header, and the section headers appended from the beginning of the executable. If we do not have any of these sections, the prior COFF executable handler functions will return an error and we will never reach the vulnerable function, vn_rdwr().
Pseudo code for the minimal layout for the fake COFF executable is as follows:
--------------- File Header --------------- Aout Header --------------- Section Header (.text) --------------- Section Header (.data) --------------- Section Header (.shlib) ---------------
The following exploit code will create the fake COFF executable that will be sufficient enough to change the execution of code ...
Get The Shellcoder's Handbook: Discovering and Exploiting Security Holes, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
