Linux kernel 2.6.31 perf_counter_open exploit
Thursday, September 24th, 2009

Well, it has been a while since my last technical post … more than a year?!? Wow, time runs so fast.
So let's go for a post about Linux kernel exploitation (yeah, I know, sounds cool). We will exploit a fairly recent bug in kernel 2.6.31 (still unpatched at the time of writing) in the perf_counter_open syscall (CVE-2009-3234) to gain root privileges. As real hackers say, f34R.
But let's start at the beginning: the bug.
perf_copy_attr and the dual fail
The perf_copy_attr function copies a data structure (of type perf_counter_attr) from user space to kernel space. Its definition is:

```c
static int perf_copy_attr(struct perf_counter_attr __user *uattr,
                          struct perf_counter_attr *attr)
```

Here uattr points to the (source) user-space structure and attr to the (destination) kernel-space structure. User-space declares the size of its own copy of the structure, so the kernel side has to decide how many bytes of it to trust.
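As an added example (not the kernel's code and not the exploit from this post), here is a user-space model of the pattern perf_copy_attr implements: copying a size-prefixed, versioned struct from user memory into a fixed-size kernel struct. The struct layout, the copy_user helper standing in for copy_from_user/get_user, the model stack frame with its canary, and the errno-style constants are all assumptions made for the demo. It sets a copy that trusts the user-declared size beside the checks a practitioner wants: bound the size, require every byte past the kernel's known layout to be zero, and clamp the copy length to sizeof(*attr) before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative stand-in for struct perf_counter_attr (assumed layout, not the
 * kernel's): a versioned ABI struct whose second field declares its own size. */
struct attr_v0 {
    uint32_t type;
    uint32_t size;    /* user-space tells us how large its copy of the struct is */
    uint64_t config;
};
#define ATTR_SIZE_VER0 ((uint32_t)sizeof(struct attr_v0))
#define MAX_ATTR_SIZE  4096u               /* "silly large" cut-off, PAGE_SIZE in the kernel */
#define FRAME_SIZE     (MAX_ATTR_SIZE + 64)
#define CANARY         0x5a5a5a5a5a5a5a5aULL

enum { OK = 0, E_2BIG = -7, E_FAULT = -14 };   /* errno-style codes, assumed for the demo */

/* Model of copy_from_user/get_user: ubuf/ulen is the user mapping; a read past
 * the end of it "faults" instead of being served. */
static int copy_user(void *dst, const uint8_t *ubuf, size_t ulen, size_t off, size_t n)
{
    if (off + n > ulen)
        return E_FAULT;
    memcpy(dst, ubuf + off, n);
    return OK;
}

/* Common prologue: zero the destination, fetch and bound the declared size. */
static int read_size(struct attr_v0 *attr, const uint8_t *ubuf, size_t ulen, uint32_t *size)
{
    int ret;
    memset(attr, 0, sizeof(*attr));
    ret = copy_user(size, ubuf, ulen, offsetof(struct attr_v0, size), sizeof(*size));
    if (ret)
        return ret;
    if (*size > MAX_ATTR_SIZE)
        return E_2BIG;
    if (*size == 0)                 /* ABI compat: old user-space left it unset */
        *size = ATTR_SIZE_VER0;
    if (*size < ATTR_SIZE_VER0)
        return E_2BIG;
    return OK;
}

/* Trusting copy: copies exactly as many bytes as user-space declared, even when
 * that is more than the kernel-side struct can hold. Whatever sits after attr
 * on the kernel stack is overwritten with attacker-chosen bytes. */
int copy_attr_trusting(struct attr_v0 *attr, const uint8_t *ubuf, size_t ulen)
{
    uint32_t size;
    int ret = read_size(attr, ubuf, ulen, &size);
    if (ret)
        return ret;
    return copy_user(attr, ubuf, ulen, 0, size);     /* size may exceed sizeof(*attr) */
}

/* Hardened copy: a bigger-than-known struct is accepted only if every byte past
 * the known layout is zero (a byte-wise walk, nothing skipped), and the copy
 * length is clamped to sizeof(*attr) so the destination can never overflow. */
int copy_attr_hardened(struct attr_v0 *attr, const uint8_t *ubuf, size_t ulen)
{
    uint32_t size;
    int ret = read_size(attr, ubuf, ulen, &size);
    if (ret)
        return ret;
    if (size > sizeof(*attr)) {
        for (size_t off = sizeof(*attr); off < size; off++) {
            uint8_t b;
            ret = copy_user(&b, ubuf, ulen, off, 1);
            if (ret)
                return ret;
            if (b)
                return E_2BIG;   /* user-space relies on fields this kernel does not know */
        }
        size = sizeof(*attr);
    }
    return copy_user(attr, ubuf, ulen, 0, size);
}

/* Constructed user buffer: a valid header declaring `declared`, tail filled with `fill`. */
static void make_user_attr(uint8_t *ubuf, size_t ulen, uint32_t declared, uint8_t fill)
{
    struct attr_v0 hdr = { .type = 0, .size = declared, .config = 0x1234 };
    memset(ubuf, fill, ulen);
    memcpy(ubuf, &hdr, sizeof hdr);
}

/* Runs one copy into a model "kernel stack frame" whose attr is followed by a canary
 * word. Result bit 0: the copy returned OK; bit 1: the canary survived. */
int scenario(int hardened, uint32_t declared, uint8_t tail_fill)
{
    static uint8_t ubuf[MAX_ATTR_SIZE];
    static uint64_t frame[FRAME_SIZE / 8];          /* 8-byte aligned model frame */
    uint8_t *bytes = (uint8_t *)frame;
    size_t ulen = declared < ATTR_SIZE_VER0 ? ATTR_SIZE_VER0 : declared;
    uint64_t canary = CANARY;
    int ret;

    if (ulen > sizeof ubuf)
        ulen = ATTR_SIZE_VER0;     /* only the header is mapped; the size field lies */
    make_user_attr(ubuf, ulen, declared, tail_fill);
    memset(bytes, 0, FRAME_SIZE);
    memcpy(bytes + sizeof(struct attr_v0), &canary, sizeof canary);
    ret = hardened ? copy_attr_hardened((struct attr_v0 *)bytes, ubuf, ulen)
                   : copy_attr_trusting((struct attr_v0 *)bytes, ubuf, ulen);
    memcpy(&canary, bytes + sizeof(struct attr_v0), sizeof canary);
    return (ret == OK ? 1 : 0) | (canary == CANARY ? 2 : 0);
}

int main(void)
{
    printf("trusting, declared 24, 0x41 tail: %d\n", scenario(0, 24, 0x41)); /* 1: copied, canary smashed */
    printf("hardened, declared 24, 0x41 tail: %d\n", scenario(1, 24, 0x41)); /* 2: rejected, canary intact */
    printf("hardened, declared 24, zero tail: %d\n", scenario(1, 24, 0x00)); /* 3: accepted and clamped */
    return 0;
}
```

The two things to take from the model: the length passed to the final copy must come from sizeof the kernel struct, never from the user-supplied size field once that field has been validated, and the zero-tail walk has to visit every byte between the known layout and the declared end, since any byte it skips is a byte user-space can set freely.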