
Add kernel module

commit 5534520620d68538ddd3fe4cfd2b6f80cb37d687 1 parent fec895c
@kmcallister authored
Showing with 54 additions and 0 deletions.
  1. +7 −0 ko/.gitignore
  2. +6 −0 ko/Makefile
  3. +41 −0 ko/jump.c
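--- a/ko/.gitignore
+++ b/ko/.gitignore
@@ -0,0 +1,7 @@
+*.o
+*.ko
+*.mod.*
+.*.cmd
+/modules.order
+/Module.symvers
+/.tmp_versions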
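--- a/ko/Makefile
+++ b/ko/Makefile
@@ -0,0 +1,6 @@
+obj-m = jump.o
+
+M=$(shell pwd)
+
+all:
+ make -C /lib/modules/$(shell uname -r)/build/ M=$(M) modules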
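Review bot: The recipe under `all:` calls `make` directly instead of `$(MAKE)`, so jobserver state and command-line flags from a parent make are not passed on to the kernel build; the conventional form is `$(MAKE) -C /lib/modules/$(shell uname -r)/build M=$(M) modules`. `all` is also not declared `.PHONY`, and there is no `clean` target to remove the build products that the new `.gitignore` lists.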
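--- a/ko/jump.c
+++ b/ko/jump.c
@@ -0,0 +1,41 @@
+#include <linux/module.h>
+#include <linux/proc_fs.h>
+#include <linux/uaccess.h>
+
+// When userspace writes a pointer to /proc/jump, jump to that address in
+// kernel mode.
+int jump_write(struct file *file, const char *buf,
+ unsigned long len, void *data) {
+ void (*fun)(void);
+
+ if (len < sizeof(fun))
+ return -EINVAL;
+
+ if (copy_from_user(&fun, buf, sizeof(fun)))
+ return -EFAULT;
+
+ printk("jump.ko: Jumping to %p\n", fun);
+ fun();
+
+ return len;
+}
+
+// Create a file /proc/jump, with writes handled by jump_write.
+int init_jump(void) {
+ struct proc_dir_entry *ent = create_proc_entry("jump", 0666, NULL);
+ ent->write_proc = jump_write;
+
+ printk("jump.ko: Loaded incredibly insecure kernel module\n");
+ return 0;
+}
+
+void exit_jump(void) {
+ remove_proc_entry("jump", NULL);
+}
+
+module_init(init_jump);
+module_exit(exit_jump);
+
+MODULE_AUTHOR("Keegan McAllister");
+MODULE_DESCRIPTION("Incredibly insecure kernel module for testing exploitation techniques");
+MODULE_LICENSE("Dual BSD/GPL");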
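Review bot: In `init_jump` the pointer returned by `create_proc_entry("jump", 0666, NULL)` is dereferenced without a check, so a failed creation turns module load into a kernel NULL-pointer dereference; add `if (!ent) return -ENOMEM;` before the `ent->write_proc` assignment. The 0666 mode lets every local account steer kernel execution through `jump_write`. That matches the stated test purpose, but the file should say so at the top, e.g. `// WARNING: gives any local user kernel-mode code execution; load only in a disposable test VM.` Smaller points: `buf` should carry the `__user` annotation so sparse can check the `copy_from_user` call, the three functions can be `static` (with `__init`/`__exit` on `init_jump`/`exit_jump`), and both `printk` calls lack a `KERN_*` level.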