Add kernel module

kmcallister · Nov 13, 2012 · 5534520 · 5534520
1 parent fec895c
commit 5534520
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 0 deletions.
diff --git a/ko/.gitignore b/ko/.gitignore
@@ -0,0 +1,7 @@
+*.o
+*.ko
+*.mod.*
+.*.cmd
+/modules.order
+/Module.symvers
+/.tmp_versions
diff --git a/ko/Makefile b/ko/Makefile
@@ -0,0 +1,6 @@
+obj-m = jump.o
+
+M=$(shell pwd)
+
+all:
+	make -C /lib/modules/$(shell uname -r)/build/ M=$(M) modules
diff --git a/ko/jump.c b/ko/jump.c
@@ -0,0 +1,41 @@
+#include <linux/module.h>
+#include <linux/proc_fs.h>
+#include <linux/uaccess.h>
+
+// When userspace writes a pointer to /proc/jump, jump to that address in
+// kernel mode.
+int jump_write(struct file *file, const char *buf,
+               unsigned long len, void *data) {
+    void (*fun)(void);
+
+    if (len < sizeof(fun))
+        return -EINVAL;
+
+    if (copy_from_user(&fun, buf, sizeof(fun)))
+        return -EFAULT;
+
+    printk("jump.ko: Jumping to %p\n", fun);
+    fun();
+
+    return len;
+}
+
+// Create a file /proc/jump, with writes handled by jump_write.
+int init_jump(void) {
+    struct proc_dir_entry *ent = create_proc_entry("jump", 0666, NULL);
+    ent->write_proc = jump_write;
+
+    printk("jump.ko: Loaded incredibly insecure kernel module\n");
+    return 0;
+}
+
+void exit_jump(void) {
+    remove_proc_entry("jump", NULL);
+}
+
+module_init(init_jump);
+module_exit(exit_jump);
+
+MODULE_AUTHOR("Keegan McAllister");
+MODULE_DESCRIPTION("Incredibly insecure kernel module for testing exploitation techniques");
+MODULE_LICENSE("Dual BSD/GPL");