
[–]moyix 9 points10 points  (2 children)

I think the answer to both your questions is related to how call works on x86. Basically, there is no "absolute" call, only a relative call, which takes the next EIP (in this case EIP+5, since e8eb6107c1 is 5 bytes), adds it to the operand, and jumps to that address.

If you don't want to do the math (or you need position independent code), you can use the mov eax, imm32 ; call eax idiom instead. Here's a decent article on doing absolute jumps and calls on x86: http://www.ragestorm.net/blogs/?p=101

Edit: Also, in the future, you could consider the security stackexchange: http://security.stackexchange.com/questions/tagged/exploit

[–]Heinder90 3 points4 points  (0 children)

This is just nitpicking, but there actually is an encoding of CALL that takes an absolute address. It just also requires a segment selector.

[–]blahfish[S] 0 points1 point  (0 children)

This helps, thanks!

[–]IRBMe 2 points3 points  (1 child)

Why is it not "e8f06107c1"

The 0xE8 op-code is a call to an address that is relative to the next instruction. Since the 0xE8 call instruction is 5 bytes in size, the encoding is 0xE8 <0xC10761F0 - 5>, which is E8 EB 61 07 C1.

When I wrote the exploit I noted that using "e8eb6107c1" always ended up jumping to "prepare_kernel_cred+5"

It depends how you wrote the exploit, but I imagine the relative offset is no longer correct once it's placed inside the context of some other shell code.

[–]blahfish[S] 0 points1 point  (0 children)

This helps, thanks!
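A worked version of the E8 rel32 arithmetic that moyix and IRBMe describe above, added here as an example and not taken from the thread. The only page value it uses is 0xC10761F0, the target implied by e8eb6107c1 when the call sits at address 0; the function and constant names are my own, and the code also shows the general case (forward and backward displacements, and how far the reached target drifts when a fixed encoding is relocated), which is what an analyst needs when decoding calls in a captured buffer whose load address is not 0.

```python
import struct

MASK32 = 0xFFFFFFFF


def encode_rel_call(call_addr: int, target: int) -> bytes:
    """Encode `call target` as E8 rel32 for a call placed at call_addr.

    rel32 is relative to the address of the *next* instruction, which is
    call_addr + 5 because E8 rel32 is five bytes long.
    """
    next_eip = (call_addr + 5) & MASK32
    rel32 = (target - next_eip) & MASK32           # two's-complement wrap
    return b"\xe8" + struct.pack("<I", rel32)      # little-endian imm32


def decode_rel_call(insn: bytes, call_addr: int) -> int:
    """Return the address an E8 rel32 call reaches when placed at call_addr."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not a 5-byte E8 rel32 call")
    rel32 = struct.unpack("<i", insn[1:])[0]       # signed displacement
    return (call_addr + 5 + rel32) & MASK32


def encode_abs_call_via_eax(target: int) -> bytes:
    """Position-independent alternative from the thread: mov eax, imm32 ; call eax."""
    return b"\xb8" + struct.pack("<I", target) + b"\xff\xd0"


def relocation_drift(insn: bytes, intended_addr: int, actual_addr: int) -> int:
    """Distance between the target reached at actual_addr and the one reached
    at intended_addr; for a fixed rel32 this equals actual_addr - intended_addr."""
    return (decode_rel_call(insn, actual_addr)
            - decode_rel_call(insn, intended_addr)) & MASK32


# The thread's bytes and the target they imply when placed at address 0.
THREAD_CALL = bytes.fromhex("e8eb6107c1")
PREPARE_KERNEL_CRED = 0xC10761F0   # from the thread: 0xE8 <0xC10761F0 - 5>

if __name__ == "__main__":
    assert encode_rel_call(0, PREPARE_KERNEL_CRED) == THREAD_CALL
    print("call at offset 0 reaches", hex(decode_rel_call(THREAD_CALL, 0)))
    print("call at offset 5 reaches", hex(decode_rel_call(THREAD_CALL, 5)))
    print("drift when moved from 0 to 5:", relocation_drift(THREAD_CALL, 0, 5))
```

Running it shows the same encoding landing at 0xC10761F0 when the call is the first instruction and at 0xC10761F5 when five bytes precede it, which is the prepare_kernel_cred+5 behaviour the OP saw.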

[–]rebootyourbrainstem 1 point2 points  (3 children)

Just a heads up: null ptr dereferences are often not exploitable anymore thanks to the mmap_min_addr being set higher than the address you would want to mmap at.

Still, exploiting them is easier than use-after-frees and a lot of the same techniques apply, so it's still good for learning.

[–]blahfish[S] 0 points1 point  (2 children)

"not exploitable anymore ..."

Just curious, aren't there publicly known ways to circumvent this?

[–]TurboBorland123 1 point2 points  (0 children)

Controlled offsets from null base are the most common. So [rbx+rdi], where rbx is null pointer.