xct's notes
Search…
Introduction
Red Team
Active Directory
Host Enum
Payloads
Passwords
Privilege Escalation
Evasion & Bypasses
Concepts & Research
Binary Exploitation
Blog Posts & Research
Windows ASLR
Windows ROP
Windows SEH
Windows Stack
Windows Kernel
Windows Shellcode
Windbg
Linux Heap
Linux Kernel
Format String
GDB
Path Hijacking
Templates
Misc
Web
Cloud
Mobile
Hardware
Crypto
Templates
Misc
Blue Team
Active Directory
Malware Analysis
SIEM
Misc
Labs
Keys & Signing
Language & Framwork Specifics
Misc
HackTheBox
Crossfit
Luanne
APT
Attended
Delivery
Cereal
Powered By GitBook
Linux Kernel

Overwriting modprobe_path technique

Conditions:
  • Known address of modprobe\_path (unaffected by FG-KASLR)
  • Known address of kpti\_trampoline (unaffected by FG-KASLR)
  • Arbitrary Write
We can write to modprobe_path the path of our own shellscript and then execute a file with unknown signature to trigger it. This technique bypasses SMEP/SMAP.
References:

Bypass CONFIG_SLAB_FREELIST_HARDENED

1
(void *)((unsigned long)ptr ^ s->random ^ ptr_addr);
Copied!
Target pointer is xored with the address of the pointer and a random value. This random value is unique per slab.
Previous
Linux Heap
Next
Format String
Last modified 1yr ago
Copy link
Contents
Overwriting modprobe_path technique
Bypass CONFIG_SLAB_FREELIST_HARDENED