-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
fec895c
commit 5534520
Showing
3 changed files
with
54 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
*.o | ||
*.ko | ||
*.mod.* | ||
.*.cmd | ||
/modules.order | ||
/Module.symvers | ||
/.tmp_versions |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
obj-m = jump.o | ||
|
||
M=$(shell pwd) | ||
|
||
all: | ||
make -C /lib/modules/$(shell uname -r)/build/ M=$(M) modules |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
#include <linux/module.h> | ||
#include <linux/proc_fs.h> | ||
#include <linux/uaccess.h> | ||
|
||
// When userspace writes a pointer to /proc/jump, jump to that address in | ||
// kernel mode. | ||
int jump_write(struct file *file, const char *buf, | ||
unsigned long len, void *data) { | ||
void (*fun)(void); | ||
|
||
if (len < sizeof(fun)) | ||
return -EINVAL; | ||
|
||
if (copy_from_user(&fun, buf, sizeof(fun))) | ||
return -EFAULT; | ||
|
||
printk("jump.ko: Jumping to %p\n", fun); | ||
fun(); | ||
|
||
return len; | ||
} | ||
|
||
// Create a file /proc/jump, with writes handled by jump_write. | ||
int init_jump(void) { | ||
struct proc_dir_entry *ent = create_proc_entry("jump", 0666, NULL); | ||
ent->write_proc = jump_write; | ||
|
||
printk("jump.ko: Loaded incredibly insecure kernel module\n"); | ||
return 0; | ||
} | ||
|
||
void exit_jump(void) { | ||
remove_proc_entry("jump", NULL); | ||
} | ||
|
||
module_init(init_jump); | ||
module_exit(exit_jump); | ||
|
||
MODULE_AUTHOR("Keegan McAllister"); | ||
MODULE_DESCRIPTION("Incredibly insecure kernel module for testing exploitation techniques"); | ||
MODULE_LICENSE("Dual BSD/GPL"); |