Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
29 lines (24 sloc) 1.46 KB
As with any exploit, this is a work in progress. The areas that I think could
use improvement are as follows:
* Minimize hard-coded addresses:
-Currently, if targeting a PAE kernel, six ROP gadget addresses and the
addresses of the inet_protos array and modules list head must be
hard-coded. Hard-coding the ROP gadgets is somewhat unavoidable with
an NX softirq stack, but it would be nice if I found inet_protos and
modules at runtime.
-If this were possible, in theory the exploit could work on non-PAE
kernels with a single hard-coded instruction (e.g. JMP ESP). In some
cases, it might be possible leverage a partial overflow and avoid
hard-coding anything at all, but I think the final result of this
would be significantly worse reliability in practice.
* Test and improve robustness of fingerprinting:
-At several points, including identifying the ROSE spinlocks, unwinding
the softirq stack, and identifiying the saved userland ESP and EIP
registers on the process context kernel stack, I use fingerprints. It
would be worthwhile to do some additional testing on other kernel
builds to make sure these fingerprints are consistent across different
versions, and improve them if this isn't the case.
* Avoid hard-coding EIP offset for stack overflow:
-This may change based on kernel and compiler version, but it's
somewhat tricky to make something generic with the annoying constraint
that every 7th byte must be consistently greater or less than 0x80.