Linux Kernel

Overwriting modprobe_path technique
Conditions:
Known address of modprobe\_path (unaffected by FG-KASLR)
Known address of kpti\_trampoline (unaffected by FG-KASLR)
Arbitrary Write
We can write to modprobe_path the path of our own shellscript and then execute a file with unknown signature to trigger it. This technique bypasses SMEP/SMAP.
References:
​https://lkmidas.github.io/posts/20210223-linux-kernel-pwn-modprobe/​
Bypass CONFIG_SLAB_FREELIST_HARDENED
 (void *)((unsigned long)ptr ^ s->random ^ ptr_addr);
Target pointer is xored with the address of the pointer and a random value. This random value is unique per slab.
​https://blog.infosectcbr.com.au/2020/03/weaknesses-in-linux-kernel-heap.html​

Linux Heap

Format String

Last modified 6mo ago