Kernel Exploitation
FreeBSD
We have investigated in depth the exploitation of kernel vulnerabilities on the FreeBSD operating system. Our research on this subject is divided into three parts. The first part covers the exploitation of kernel stack overflow vulnerabilities. The second part focuses on a detailed security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel's memory allocator. We demonstrate how UMA overflows can lead to arbitrary code execution in the context of the FreeBSD kernel, and we develop an exploitation methodology for privilege escalation and kernel continuation. The third part consists of vulnerabilities we have discovered in the FreeBSD kernel and the reliable exploits we have developed for them.
- Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation, Black Hat Europe 2010 Briefings [slides] [white paper] [source code]
- FreeBSD Kernel Stack Overflows, University of Piraeus Software Libre Society, Event #16: Computer Security [slides (in Greek)]
- FreeBSD kernel nfsclient vulnerabilities (CVE-2010-2020) [official advisory] [census advisory] [nfs_mount() exploit] [mountnfs() exploit]
- FreeBSD kernel stack overflow exploit development
- cve-2008-3531-kernelcode.s: Kernel shellcode for vulnerability CVE-2008-3531
- cve-2008-3531.c: Exploit for vulnerability CVE-2008-3531
- Debugging the FreeBSD kernel on VMware with remote gdb
Linux
- Linux kernel SUNRPC off-by-two buffer overflow [official report] [census advisory]
OpenSolaris
- cve-2010-0453.c: Exploit for vulnerability CVE-2010-0453
